[CentOS] easy way to stop old ssl's

Sat Oct 12 14:35:08 UTC 2019
Brian Reichert <reichert at numachi.com>

On Fri, Oct 11, 2019 at 02:40:42PM -0600, Warren Young wrote:
> On Oct 11, 2019, at 12:12 PM, Jerry Geis <jerry.geis at gmail.com> wrote:
> > 
> > is there a script that is available that can be ran to bring
> > a box up to current "accepted" levels ?

Bear in mind, there are a number of moving parts here.

- Many different services, besides web servers, can be configured
  to employ SSL/TLS.  LDAP databases, SMTP servers, etc.

- There are different SSL engines in play.  Many services use OpenSSL
  at their core, but Java-based services have their own SSL engine.
  GnuTLS is another engine in play.

- Services linked to OpenSSL nominally aught to be able to be
  configured to clamp down as you see fit, but sometimes your
  service's wrapper of OpenSSL doesn't expose enough of the
  fine-grained details to accomplish as you want.

  For example, I have a legacy Perl-based web service that used an
  old version of Net::SSLeay that hampered my ability to constrain
  SSL versions/ciphers.

- Java-based services have config details all over the place.
  There's a core set of config items for the JVM itself, but your
  servlet engine will have it's own config files for describing
  listeners, etc.

Besides things acting as SSL servers on a host, there are any number of
things that may act as an SSL _client_.  Those need to be considered as
well, and there are many vagaries about the semantics within config files.

Brian Reichert				<reichert at numachi.com>
BSD admin/developer at large