[CentOS] easy way to stop old ssl's

Tue Oct 15 18:26:14 UTC 2019
Markus Falb <markus.falb at fasel.at>

On 12.10.19 19:33, Warren Young wrote:
> On Oct 12, 2019, at 4:06 AM, Markus Falb <markus.falb at fasel.at> wrote:
>> On 11.10.19 22:40, Warren Young wrote:
>>> Just ship a new HTTPS configuration to each server.
>> Instead of configuring every application separataly it would be nice if
>> "accepted levels of security" could be set system wide.
> …which implies that there is some authority that defines “accepted level” the way you’d do it if you could be bothered to think through all of the use cases, combinations, and implications.
> Who is that central organization?  Are you sure their notions match your own?

You should have the authority discussion with OP who brought that thing
with "accepted" up.

On Oct 11, 2019, at 12:12 PM, Jerry Geis <jerry.geis at gmail.com> wrote:
# is there a script that is available that can be ran to bring
# a box up to current "accepted" levels ?

My post was about system wide configuration not about authorities.
However, take a look at the subject of this thread. Who defines what is
old ? What about best practices like disable SSLv3 or TLSv1? Could the
authority be the community or some common knowledge?

>> With 8 it seems there is such a thing
>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening
>> Although I believe that FIPS mode is also available in 7
> That’s FIPS 140-2, a standard from 2001, which is three TLS standards ago.

If I look at the comparison table from the link above FIPS mode does not
look that bad. I guess that I would get A rating from ssllabs.

> FIPS 140-3 just barely became effective a few weeks ago, which means it won’t be considered for inclusion in RHEL until 9, which I don’t expect to appear until 3-4 years from now, by which time FIPS 140-2 will be around 21 years old.
> So, we not only have a situation where adopting FIPS 140-2 requires that you use badly outdated security technologies, it also means you might not be able to communicate with those that do support modern standards, if they’ve dropped compatibility with 2001 era tech sometime in the last 18 years.

I read you saying that FIPS 140-2 is not good enough. Apart from age, why?

Kind Regards, Markus Falb