Fixed!!!!
It turns out that the gnutls library installed on the system was somehow damaged. It took the installation of gnutls-cli to list supported protocols and ciphers. I had to yum reinstall gnutls to fix it.
Now the ssl.conf has:

[Service]
Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1

[root@cockpit ~]# echo test | openssl s_client -connect localhost:9090 -tls1_1 2>&1 | grep -e Protocol -e Cipher
New, (NONE), Cipher is (NONE)
Protocol : TLSv1.1
Cipher : 0000
[root@cockpit ~]#
Thanks!!!! It was a pleasure working with you and it was a great learning experience!
On Fri, Dec 27, 2019 at 6:43 PM Erick Perez - Quadrian Enterprises eperez@quadrianweb.com wrote:
Sure did! I am even playing with different options (including NONE) and it seems to ignore the contents of ssl.conf
I have tried

Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:+TLS1.2:!TLS1.1:!TLS1.0:!ECDHE-RSA-AES256-SHA:
Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:+TLS1.2:!TLS1.1:!TLS1.0:!ECDHE-RSA-AES256-SHA
Environment=G_TLS_GNUTLS_PRIORITY=PFS
Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:+TLS1.2:!TLS1.1:!TLS1.0:
Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:+TLS1.2:!TLS1.1:!TLS1.0
Environment=G_TLS_GNUTLS_PRIORITY=SECURE192:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2

And my last one:

Environment=G_TLS_GNUTLS_PRIORITY=NONE:+SECURE128:-VERS-ALL:-SHA384:-SHA256

systemctl daemon-reload
systemctl restart cockpit

[root@cockpit ~]# echo test | openssl s_client -connect localhost:9090 -tls1_1 2>&1 | grep -e Protocol -e Cipher
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Protocol : TLSv1.1
Cipher : ECDHE-RSA-AES256-SHA

[root@cockpit ~]# echo test | openssl s_client -connect localhost:9090 -tls1_2 2>&1 | grep -e Protocol -e Cipher
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
[root@cockpit ~]#
It is my understanding that -VERS-ALL will disable TLS at all and produce no output from the above tests. This does not seem to be the case. Also, if I did -SHA384 and -SHA256, then why is the cipher in the TLS1_2 test ECDHE-RSA-AES256-GCM-SHA384?
It seems it is completely ignoring the Environment variable.
On Fri, Dec 27, 2019 at 5:18 PM Jonathan Billings billings@negate.org wrote:
On Dec 27, 2019, at 16:28, Erick Perez - Quadrian Enterprises eperez@quadrianweb.com wrote:
[root@cockpit ~]# cat /etc/systemd/system/cockpit.service.d/ssl.conf
Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
[root@cockpit ~]#
[root@cockpit ~]# systemctl start cockpit
[root@cockpit ~]# systemctl status cockpit -l
Did you run:
# systemctl daemon-reload
... before starting cockpit?
--
Jonathan Billings billings@negate.org
--
Erick Perez Quadrian Enterprises S.A. - Panama, Republica de Panama Skype chat: eaperezh WhatsApp IM: +507-6675-5083
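
Added example, not part of the thread: a small shell check for the s_client tests shown above. It reads the "Cipher is" line rather than the "Protocol" line, because s_client still prints "Protocol : TLSv1.1" when the handshake is refused. The function names classify_handshake and probe_versions are hypothetical, and the two sample outputs are copied from the messages above.

```shell
#!/bin/sh
# Classify `openssl s_client` output as an accepted or rejected handshake.
# The "Protocol" line echoes the version that was requested, so only the
# negotiated cipher shows whether the server actually accepted it.

# Reads s_client output on stdin; prints "rejected" or "accepted <cipher>".
# No "Cipher is" line at all (e.g. connection refused) also counts as rejected.
classify_handshake() {
    awk '
        /Cipher is / {
            sub(/.*Cipher is /, "")
            cipher = $0
        }
        END {
            if (cipher == "" || cipher == "(NONE)") print "rejected"
            else print "accepted " cipher
        }'
}

# Sample outputs taken from the thread (already filtered through grep).
SAMPLE_FIXED='New, (NONE), Cipher is (NONE)
Protocol : TLSv1.1
Cipher : 0000'
SAMPLE_BEFORE='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Protocol : TLSv1.1
Cipher : ECDHE-RSA-AES256-SHA'

# Hypothetical helper for a live listener; not called by default.
# Usage: probe_versions localhost:9090
probe_versions() {
    for v in tls1 tls1_1 tls1_2; do
        result=$(echo test | openssl s_client -connect "$1" "-$v" 2>&1 | classify_handshake)
        printf '%s: %s\n' "$v" "$result"
    done
}

# Offline demonstration on the two captured outputs.
printf 'after fix,  -tls1_1: %s\n' "$(printf '%s\n' "$SAMPLE_FIXED" | classify_handshake)"
printf 'before fix, -tls1_1: %s\n' "$(printf '%s\n' "$SAMPLE_BEFORE" | classify_handshake)"
```

With the priority string from the final ssl.conf applied, probe_versions against port 9090 should report tls1 and tls1_1 as rejected and tls1_2 as accepted.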