[CentOS] Disabling TLS 1.1 in Centos 7 cockpit

Sat Dec 28 00:16:55 UTC 2019
Erick Perez - Quadrian Enterprises <eperez at quadrianweb.com>

Fixed!!!!

It turns out that the gnutls library installed on the system was
somehow damaged.
It took the installation of gnutls-cli to list supported protocols and ciphers.
I had to yum reinstall gnutls to fix it.

Now the ssl.conf has:
[Service]
Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1

[root at cockpit ~]# echo test | openssl s_client -connect localhost:9090 -tls1_1 2>&1 | grep -e Protocol -e Cipher
New, (NONE), Cipher is (NONE)
    Protocol  : TLSv1.1
    Cipher    : 0000
[root at cockpit ~]#


Thanks!!!! It was a pleasure working with you and it was a great
learning experience!

On Fri, Dec 27, 2019 at 6:43 PM Erick Perez - Quadrian Enterprises
<eperez at quadrianweb.com> wrote:
>
> Sure did!
> I am even playing with different options (including NONE) and it seems
> to ignore the contents of ssl.conf
>
> I have tried
> Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:+TLS1.2:!TLS1.1:!TLS1.0:!ECDHE-RSA-AES256-SHA:
> Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:+TLS1.2:!TLS1.1:!TLS1.0:!ECDHE-RSA-AES256-SHA
> Environment=G_TLS_GNUTLS_PRIORITY=PFS
> Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:+TLS1.2:!TLS1.1:!TLS1.0:
> Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:+TLS1.2:!TLS1.1:!TLS1.0
> Environment=G_TLS_GNUTLS_PRIORITY=SECURE192:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2
>
> And my last one:
> Environment=G_TLS_GNUTLS_PRIORITY=NONE:+SECURE128:-VERS-ALL:-SHA384:-SHA256
> systemctl daemon-reload
> systemctl restart cockpit
>
> [root at cockpit ~]# echo test | openssl s_client -connect localhost:9090 -tls1_1 2>&1 | grep -e Protocol -e Cipher
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
>     Protocol  : TLSv1.1
>     Cipher    : ECDHE-RSA-AES256-SHA
>
>
> [root at cockpit ~]# echo test | openssl s_client -connect localhost:9090 -tls1_2 2>&1 | grep -e Protocol -e Cipher
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
> [root at cockpit ~]#
>
> It is my understanding that -VERS-ALL will disable TLS altogether and
> produce no output from the above tests. This does not seem to be the
> case.
> Also, if I did -SHA384 and -SHA256, then why is the cipher in the TLS1_2
> test ECDHE-RSA-AES256-GCM-SHA384?
>
> It seems it is completely ignoring the Environment variable.
>
>
> On Fri, Dec 27, 2019 at 5:18 PM Jonathan Billings <billings at negate.org> wrote:
> >
> > On Dec 27, 2019, at 16:28, Erick Perez - Quadrian Enterprises <eperez at quadrianweb.com> wrote:
> > >
> > > [root at cockpit ~]# cat /etc/systemd/system/cockpit.service.d/ssl.conf
> > > Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
> > >
> > > [root at cockpit ~]#
> > > [root at cockpit ~]# systemctl start cockpit
> > > [root at cockpit ~]# systemctl status cockpit -l
> >
> > Did you run:
> >
> > # systemctl daemon-reload
> >
> > ... before starting cockpit?
> >
> > --
> > Jonathan Billings <billings at negate.org>



-- 

---------------------
Erick Perez
Quadrian Enterprises S.A. - Panama, Republica de Panama
Skype chat: eaperezh
WhatsApp IM: +507-6675-5083
---------------------
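
The verification step used in this thread, as an added example that is not part of the original messages: handshake_result decides from the cipher field whether s_client actually negotiated a session (the Protocol line shows the requested version either way), and dropin_status reports whether the Environment= line sits under a [Service] header, where systemd reads it for a service unit. The function names and the script's arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example; function names and arguments are hypothetical.

# Classify `openssl s_client` output read from stdin. The "Protocol" line
# echoes the requested version even on failure, so decide on the cipher:
# "0000" or "(NONE)" (or no cipher line at all) means no handshake completed.
handshake_result() {
    awk '
        /Cipher is / || /^[ \t]*Cipher[ \t]*:/ { cipher = $NF }
        END {
            if (cipher == "" || cipher == "0000" || cipher == "(NONE)") {
                print "rejected"
            } else {
                print "accepted"
            }
        }'
}

# Audit a systemd drop-in file ($1): "ok" when G_TLS_GNUTLS_PRIORITY is set
# under [Service], "outside-section" when the Environment= line is not under
# that header, "missing" when the variable is not set at all.
dropin_status() {
    awk '
        /^\[/ { section = $0 }
        /^Environment=.*G_TLS_GNUTLS_PRIORITY=/ {
            found = 1
            if (section == "[Service]") ok = 1
        }
        END {
            if (ok) { print "ok" }
            else if (found) { print "outside-section" }
            else { print "missing" }
        }' "$1"
}

# Probe a live listener ($1 = host:port) once per protocol version.
probe() {
    for v in tls1 tls1_1 tls1_2; do
        printf '%s: ' "$v"
        echo test | openssl s_client -connect "$1" "-$v" 2>&1 | handshake_result
    done
}

if [ "$#" -gt 0 ]; then
    probe "$1"
    if [ -n "${2:-}" ]; then dropin_status "$2"; fi
else
    # No arguments: classify the rejected-handshake output quoted in the thread.
    printf 'New, (NONE), Cipher is (NONE)\n    Protocol  : TLSv1.1\n    Cipher    : 0000\n' | handshake_result
fi
```

Run with localhost:9090 and the path of the drop-in as arguments to probe the listener and audit the file in one pass.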