Re: [CentOS] easy way to stop old ssl's

2019-10-11 Thread Leroy Tennison
Just saw the original message (Outlook Web Access isn't the greatest in 
presenting threads).  I had to do it manually but the number of settings to 
change was small (for a fairly simple website).  I would think a sed script 
inside a for loop would do for a system.  If you have a large number of systems 
then it's time to look at Puppet/Ansible/Chef.

From: CentOS  on behalf of Leroy Tennison 

Sent: Friday, October 11, 2019 11:48 PM
To: CentOS mailing list 
Subject: Re: [CentOS] easy way to stop old ssl's

Without context it's impossible to make firm statements but, having gone 
through this a while back (and discovering that less than 1 percent of an 
examined list of connections couldn't support current ssl - mainly Apple 
hardware), who do you want to protect?  Is it the minority who won't/can't 
upgrade or the majority who have?  And, do you have to protect yourself from 
liability (regulatory or contractual)?  If the environment is in any way 
sensitive (Personally Identifiable Information, Health data, Credit Card data) 
then the answer is obvious.

Leroy Tennison
Network Information/Cyber Security Specialist
E: le...@datavoiceint.com








From: CentOS  on behalf of Warren Young 

Sent: Friday, October 11, 2019 3:58 PM
To: CentOS mailing list 
Subject: [EXTERNAL] Re: [CentOS] easy way to stop old ssl's







On Oct 11, 2019, at 2:52 PM, isdtor  wrote:
>
>> Yes, breaking changes.  Doing this *will* cut off support for older 
>> browsers.  On purpose.
>
> Old browsers aren't really the problem. Even ff 45 (?) from CentOS5 will 
> happily access a TLSv1.2-only server.

IE 10 and older won’t, though: https://caniuse.com/#feat=tls1-2

> The problem is users that have old versions of software installed with no 
> TLSv1.2 support. SVN, python 2.7 scripts, etc.

Also true.  There’s a lot of stuff still linked to OpenSSL 1.0.0 and 0.98.
___
CentOS mailing list
CentOS@centos.org

Re: [CentOS] easy way to stop old ssl's

2019-10-11 Thread Leroy Tennison
Without context it's impossible to make firm statements but, having gone 
through this a while back (and discovering that less than 1 percent of an 
examined list of connections couldn't support current ssl - mainly Apple 
hardware), who do you want to protect?  Is it the minority who won't/can't 
upgrade or the majority who have?  And, do you have to protect yourself from 
liability (regulatory or contractual)?  If the environment is in any way 
sensitive (Personally Identifiable Information, Health data, Credit Card data) 
then the answer is obvious.

From: CentOS  on behalf of Warren Young 

Sent: Friday, October 11, 2019 3:58 PM
To: CentOS mailing list 
Subject: [EXTERNAL] Re: [CentOS] easy way to stop old ssl's







On Oct 11, 2019, at 2:52 PM, isdtor  wrote:
>
>> Yes, breaking changes.  Doing this *will* cut off support for older 
>> browsers.  On purpose.
>
> Old browsers aren't really the problem. Even ff 45 (?) from CentOS5 will 
> happily access a TLSv1.2-only server.

IE 10 and older won’t, though: https://caniuse.com/#feat=tls1-2

> The problem is users that have old versions of software installed with no 
> TLSv1.2 support. SVN, python 2.7 scripts, etc.

Also true.  There’s a lot of stuff still linked to OpenSSL 1.0.0 and 0.98.


Re: [CentOS] Centos 8 Mate?

2019-10-11 Thread Robert G (Doc) Savage via CentOS
On Wed, 2019-09-25 at 15:25 +0200, Ljubomir Ljubojevic wrote:
> 
> As of now, I have a working MATE DM on CentOS 8. It's a hack though, I
> used Fedora repositories. But that means compiling MATE in EPEL should
> be straightforward, just recompile Fedora 28 packages.
> 
> 
> I used Fedora 28 repo file and Fedora 28 GPG keys (links are below),
> unpacked them to proper directory and in Fedora repo files I changed
> "$releasever" to "28".
> I also installed yum-plugin-priorities and in all CentOS repos added
> "priority=1" and in all Fedora repos added "priority=2".
> 
> Then I ran following commands (something like this, I experimented
> some):
> 
> 
> yum install python2-six
> yum install mate* -x mate*devel* -x mate-menu
> yum groupinstall "MATE" --skip-broken
> yum groupinstall "MATE Desktop" --skip-broken
> echo "exec /usr/bin/mate-session" >> ~/.xinitrc
> reboot
> and then selected MATE in login screen.
> 
> 
> Links to rpm's:
> https://ftp-stud.hs-esslingen.de/pub/Mirrors/archive.fedoraproject.org/fedora/linux/releases/28/Everything/x86_64/os/Packages/f/fedora-repos-28-1.noarch.rpm
> and
> https://ftp-stud.hs-esslingen.de/pub/Mirrors/archive.fedoraproject.org/fedora/linux/releases/28/Everything/x86_64/os/Packages/f/fedora-gpg-keys-28-1.noarch.rpm
> 
> List of installed packages from Fedora 28: 
> https://pastebin.com/VXL03Uqj
> 

Ljubomir,

Hooray! I re-installed CentOS 8 to a fresh VM and went through your
instructions again. This time everything rebuilt and installed
correctly. Thank you!

--Doc Savage
  Fairview Heights, IL



Re: [CentOS] C8 and KDE

2019-10-11 Thread Gregory P. Ennis
Good morning to the list,
for all users that are interested in KDE Plasma on Centos 8, you can 
install KDE from epel.

All packages are taken from epel-playground and epel-testing, and some 
packages seem to need to be built.

I ran "yum grouplist" and saw the kde workspace available. I tried to 
install it, rebooted my machine and, running startx, a KDE plasma session 
was correctly launched.

I think that this is a testing release and not ready for production but 
if you want to play you can try. Maybe you will find bugs and can help EPEL 
to fix them.

Best regards.


--

Alessandro,

Thanks for the information.  I am hoping that KDE will eventually get included.
I have a bunch of scripts that work with konsole that are going to motivate me
to use debian if we can not get konsole working in C8.

Greg Ennis





Re: [CentOS-docs] CentOS 8 Release Notes - Czech translation

2019-10-11 Thread Akemi Yagi
On Fri, Oct 11, 2019 at 12:14 PM Jan Papež (honyczek)
 wrote:
>
> Hello,
>
> I've just finished the translation and added the link to main article
> https://wiki.centos.org/Manuals/ReleaseNotes/CentOS8.1905
>
> Now I'd like to create my Userpage, could you add me rights, please?
> https://wiki.centos.org/JanPapez
>
> Thank you.
>
> Jan

Alan has just created your homepage. Please let us know if you find any problem.

Akemi
___
CentOS-docs mailing list
CentOS-docs@centos.org
https://lists.centos.org/mailman/listinfo/centos-docs


Re: [CentOS] easy way to stop old ssl's

2019-10-11 Thread Warren Young
On Oct 11, 2019, at 2:52 PM, isdtor  wrote:
> 
>> Yes, breaking changes.  Doing this *will* cut off support for older 
>> browsers.  On purpose.
> 
> Old browsers aren't really the problem. Even ff 45 (?) from CentOS5 will 
> happily access a TLSv1.2-only server.

IE 10 and older won’t, though: https://caniuse.com/#feat=tls1-2

> The problem is users that have old versions of software installed with no 
> TLSv1.2 support. SVN, python 2.7 scripts, etc.

Also true.  There’s a lot of stuff still linked to OpenSSL 1.0.0 and 0.98.


Re: [CentOS] easy way to stop old ssl's

2019-10-11 Thread isdtor


> Yes, breaking changes.  Doing this *will* cut off support for older browsers. 
>  On purpose.

Old browsers aren't really the problem. Even ff 45 (?) from CentOS5 will 
happily access a TLSv1.2-only server. The problem is users that have old 
versions of software installed with no TLSv1.2 support. SVN, python 2.7 
scripts, etc.



Re: [CentOS] easy way to stop old ssl's

2019-10-11 Thread Warren Young
On Oct 11, 2019, at 12:12 PM, Jerry Geis  wrote:
> 
> is there a script that is available that can be run to bring
> a box up to current "accepted" levels ?

I don’t know why you’d use a script for this at all.  Just ship a new HTTPS 
configuration to each server.  Apache loads all *.conf files in its 
configuration directory, so you might be able to just add another file to the 
existing config set.  If not, then replace the existing config file instead.

If you’re asking for a pre-crafted config, there are bunches of them floating 
around:

   https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html
   https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2.0-in-apache.html
   https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html

etc.

I’m also surprised by the premise implied by the question, which is that a 
stable OS vendor would switch HTTPS configurations for you on a point upgrade.  
That’s pretty much the anti-Red Hat position.  If you want local breaking 
changes like this, you develop and test it locally, then deploy the change 
locally.

Yes, breaking changes.  Doing this *will* cut off support for older browsers.  
On purpose.
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
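
An added example, not written by any poster in this thread: before shipping a replacement HTTPS configuration as described above, an audit of the existing Apache config files shows which SSLProtocol directives still permit SSLv3, TLSv1 or TLSv1.1. The function name `audit_ssl_protocol` and the sample files are constructed for illustration; the expansion of `all` follows the mod_ssl 2.4 documentation for OpenSSL 1.0.1 and later.

```shell
#!/bin/sh
# Added example: list SSLProtocol directives that still permit SSLv3,
# TLSv1 or TLSv1.1. Function name and sample files are constructed.

# audit_ssl_protocol FILE...
# Prints "FILE:LINE: <legacy protocols>" for every offending directive.
audit_ssl_protocol() {
    awk '
    tolower($1) == "sslprotocol" {      # commented-out lines never match
        split("", on)                   # protocols enabled by this directive
        for (i = 2; i <= NF; i++) {
            w = tolower($i); act = ""
            if (w ~ /^[+-]/) { act = substr(w, 1, 1); w = substr(w, 2) }
            # A bare name (no +/-) replaces whatever was set before it.
            if (act == "") split("", on)
            # "all" per the mod_ssl 2.4 docs with OpenSSL 1.0.1 or later.
            n = split((w == "all") ? "sslv3 tlsv1 tlsv1.1 tlsv1.2" : w, p, " ")
            for (j = 1; j <= n; j++) {
                if (act == "-") delete on[p[j]]
                else on[p[j]] = 1
            }
        }
        bad = ""
        if ("sslv3"   in on) bad = bad " SSLv3"
        if ("tlsv1"   in on) bad = bad " TLSv1"
        if ("tlsv1.1" in on) bad = bad " TLSv1.1"
        if (bad != "") printf "%s:%d:%s\n", FILENAME, FNR, bad
    }' "$@"
}

# Demo on constructed config fragments (not taken from a real server).
demo_dir=$(mktemp -d)
printf 'SSLProtocol all -SSLv2 -SSLv3\n' > "$demo_dir/old.conf"
printf '# SSLProtocol all\nSSLProtocol -all +TLSv1.2\n' > "$demo_dir/new.conf"
audit_ssl_protocol "$demo_dir/old.conf" "$demo_dir/new.conf"
rm -rf "$demo_dir"
```

Only files with a reported directive need the replacement line; an empty result means every SSLProtocol directive found is already limited to TLSv1.2.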


Re: [CentOS-docs] CentOS 8 Release Notes - Czech translation

2019-10-11 Thread honyczek
Hello,

I've just finished the translation and added the link to main article
https://wiki.centos.org/Manuals/ReleaseNotes/CentOS8.1905

Now I'd like to create my Userpage, could you add me rights, please?
https://wiki.centos.org/JanPapez

Thank you.

Jan

On Mon, 7 Oct 2019 at 17:02, Alan Bartlett wrote:
>
> On Mon, 7 Oct 2019 at 06:18, Jan Papež (honyczek)
>  wrote:
> >
> > Hi,
> >
> > it works now. Thanks Alan.
> >
> > Jan
> >
> You are welcome.
>
> Alan.



-- 
Jan Papež (honyczek)


[CentOS] easy way to stop old ssl's

2019-10-11 Thread Jerry Geis
Hi all, When CentOS 7 was created things like SSLv2 TLSv1 TLSv1.1 etc...
were all OK, but now they have fallen out of favor for various reasons.

Updating to CentOS 7.7 does not automatically disable these types of items
from apache - is there a script that is available that can be run to bring
a box up to current "accepted" levels ?
Or is that an edit by hand, do it yourself on all your boxes or create your
own script type of thing.
Just checking if there is an easier way.

Thanks,

Jerry