[CentOS] Disabling TLS 1.1 in Centos 7 cockpit

Fri Dec 27 23:43:31 UTC 2019
Erick Perez - Quadrian Enterprises <eperez at quadrianweb.com>

Sure did!
I am even playing with different options (including NONE) and it seems
to ignore the contents of ssl.conf

I have tried
Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:+TLS1.2:!TLS1.1:!TLS1.0:!ECDHE-RSA-AES256-SHA:
Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:+TLS1.2:!TLS1.1:!TLS1.0:!ECDHE-RSA-AES256-SHA
Environment=G_TLS_GNUTLS_PRIORITY=PFS
Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:+TLS1.2:!TLS1.1:!TLS1.0:
Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:+TLS1.2:!TLS1.1:!TLS1.0
Environment=G_TLS_GNUTLS_PRIORITY=SECURE192:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2

And my last one:
Environment=G_TLS_GNUTLS_PRIORITY=NONE:+SECURE128:-VERS-ALL:-SHA384:-SHA256
systemctl daemon-reload
systemctl restart cockpit

[root at cockpit ~]# echo test | openssl s_client -connect localhost:9090 -tls1_1 2>&1 | grep -e Protocol -e Cipher
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES256-SHA

[root at cockpit ~]# echo test | openssl s_client -connect localhost:9090 -tls1_2 2>&1 | grep -e Protocol -e Cipher
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
[root at cockpit ~]#

It is my understanding that -VERS-ALL will disable TLS altogether and
produce no output from the above tests. This does not seem to be the
case.
Also, if I did -SHA384 and -SHA256, then why is the cipher in the TLS1_2
test ECDHE-RSA-AES256-GCM-SHA384?

It seems it is completely ignoring the Environment variable.


On Fri, Dec 27, 2019 at 5:18 PM Jonathan Billings <billings at negate.org> wrote:
>
> On Dec 27, 2019, at 16:28, Erick Perez - Quadrian Enterprises <eperez at quadrianweb.com> wrote:
> >
> > [root at cockpit ~]# cat /etc/systemd/system/cockpit.service.d/ssl.conf
> > Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
> >
> > [root at cockpit ~]#
> > [root at cockpit ~]# systemctl start cockpit
> > [root at cockpit ~]# systemctl status cockpit -l
>
> Did you run:
>
> # systemctl daemon-reload
>
> ... before starting cockpit?
>
> --
> Jonathan Billings <billings at negate.org>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos



-- 

---------------------
Erick Perez
Quadrian Enterprises S.A. - Panama, Republica de Panama
Skype chat: eaperezh
WhatsApp IM: +507-6675-5083
---------------------
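As an added example (not part of this thread, and not Cockpit's or GnuTLS's own tooling): a POSIX shell script that runs the same kind of openssl s_client probe shown above for every TLS version and parses the result, so the effect of a priority-string change can be verified in one pass after `systemctl daemon-reload && systemctl restart cockpit`. Two points a practitioner will want: openssl s_client still prints a `Protocol :` line when the handshake is refused (with `Cipher : 0000` on older releases or `(NONE)` on newer ones), so the script decides success from the Cipher line rather than the Protocol line; and a GnuTLS priority string can be syntax-checked offline with `gnutls-cli --list --priority STRING` (from gnutls-utils) before it is put in a drop-in. The host, port, sample outputs and the `probe` command-line switch are assumptions for the example.

```shell
#!/bin/sh
# Added example: probe which TLS versions a listener accepts and parse the
# openssl s_client output. Defaults assume the thread's localhost:9090.

# Negotiated protocol ("TLSv1.1", "TLSv1.2", ...) from s_client output on stdin.
# Note: openssl prints this line even when the handshake failed.
negotiated_protocol() {
    sed -n 's/^ *Protocol *: *\([^ ]*\).*/\1/p' | head -n 1
}

# Negotiated cipher from s_client output on stdin ("0000" or "(NONE)" on failure).
negotiated_cipher() {
    sed -n 's/^ *Cipher *: *\([^ ]*\).*/\1/p' | head -n 1
}

# Success test: returns 0 only if a real cipher was negotiated.
handshake_ok() {
    c=$(negotiated_cipher)
    case "$c" in
        ""|0000|"(NONE)") return 1 ;;
    esac
    return 0
}

# Probe one version flag against host:port and report the outcome.
probe_version() {
    host=$1; port=$2; flag=$3
    out=$(echo Q | openssl s_client -connect "$host:$port" "$flag" 2>&1)
    if printf '%s\n' "$out" | handshake_ok; then
        printf '%s accepted %s %s\n' "$flag" \
            "$(printf '%s\n' "$out" | negotiated_protocol)" \
            "$(printf '%s\n' "$out" | negotiated_cipher)"
    else
        printf '%s rejected\n' "$flag"
    fi
}

# Probe every version; a hardened Cockpit should show -tls1 and -tls1_1 rejected.
probe_all() {
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        probe_version "$1" "$2" "$flag"
    done
}

# Offline syntax check of a GnuTLS priority string (needs gnutls-utils);
# prints the enabled protocols/ciphersuites, or "Syntax error at: ..." and
# a non-zero exit for a string GnuTLS cannot parse.
check_priority() {
    gnutls-cli --list --priority "$1"
}

# Constructed sample outputs (modelled on the thread's openssl sessions)
# used to exercise the parser without a network.
SAMPLE_OK='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES256-SHA'
SAMPLE_FAIL='New, (NONE), Cipher is (NONE)
    Protocol  : TLSv1.1
    Cipher    : 0000'

# Usage (assumed interface): ./tlsprobe.sh probe [host] [port]
#        ./tlsprobe.sh check 'NORMAL:-VERS-TLS1.0:-VERS-TLS1.1'
case "${1:-}" in
    probe) probe_all "${2:-localhost}" "${3:-9090}" ;;
    check) check_priority "$2" ;;
esac
```

Running `./tlsprobe.sh probe` against a Cockpit host that still accepts TLS 1.1 prints a line such as `-tls1_1 accepted TLSv1.1 ECDHE-RSA-AES256-SHA`; once the priority string takes effect that line becomes `-tls1_1 rejected`. The `check` mode is worth running on each candidate string first, since a priority string GnuTLS rejects as a syntax error is not applied at all and the listener silently keeps its defaults.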