Re: [CentOS] Disabling TLS 1.1 in Centos 7 cockpit

Erick Perez - Quadrian Enterprises Fri, 27 Dec 2019 15:44:40 -0800

Sure did!
I am even playing with different options (including NONE) and it seems
to ignore the contents of ssl.conf


I have tried
Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:+TLS1.2:!TLS1.1:!TLS1.0:!ECDHE-RSA-AES256-SHA:
Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:+TLS1.2:!TLS1.1:!TLS1.0:!ECDHE-RSA-AES256-SHA
Environment=G_TLS_GNUTLS_PRIORITY=PFS
Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:+TLS1.2:!TLS1.1:!TLS1.0:
Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:+TLS1.2:!TLS1.1:!TLS1.0
Environment=G_TLS_GNUTLS_PRIORITY=SECURE192:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2

And my last one:
Environment=G_TLS_GNUTLS_PRIORITY=NONE:+SECURE128:-VERS-ALL:-SHA384:-SHA256
systemctl daemon-reload
systemctl restart cockpit

[root@cockpit ~]# echo test | openssl s_client -connect localhost:9090
-tls1_1 2>&1 | grep -e Protocol -e Cipher
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES256-SHA


[root@cockpit ~]# echo test | openssl s_client -connect localhost:9090
-tls1_2 2>&1 | grep -e Protocol -e Cipher
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
[root@cockpit ~]#

It is my understanding that -VERS-ALL will disable TLS at all and
produce no output from the above tests. This does not seem to be the
case.
Also, If I did -SHA384 and -SHA256 then why the cipher in TLS1_2 test
is  ECDHE-RSA-AES256-GCM-SHA384

It seems it is completely ignoring the Environment variable.


On Fri, Dec 27, 2019 at 5:18 PM Jonathan Billings <[email protected]> wrote:
>
> On Dec 27, 2019, at 16:28, Erick Perez - Quadrian Enterprises 
> <[email protected]> wrote:
> >
> > [root@cockpit ~]# cat /etc/systemd/system/cockpit.service.d/ssl.conf
> > Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
> >
> > [root@cockpit ~]#
> > [root@cockpit ~]# systemctl start cockpit
> > [root@cockpit ~]# systemctl status cockpit -l
>
> Did you run:
>
> # systemctl daemon-reload
>
> ... before starting cockpit?
>
> --
> Jonathan Billings <[email protected]>
> _______________________________________________
> CentOS mailing list
> [email protected]
> https://lists.centos.org/mailman/listinfo/centos



-- 

---------------------
Erick Perez
Quadrian Enterprises S.A. - Panama, Republica de Panama
Skype chat: eaperezh
WhatsApp IM: +507-6675-5083
---------------------
_______________________________________________
CentOS mailing list
[email protected]
https://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] Disabling TLS 1.1 in Centos 7 cockpit

Reply via email to