Re: Disabling TLS 1.1 in Centos 7 cockpit




Sure did!
I am even playing with different options (including NONE) and it seems
to ignore the contents of ssl.conf

I have tried
Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:+TLS1.2:!TLS1.1:!TLS1.0:!ECDHE-RSA-AES256-SHA:
Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:+TLS1.2:!TLS1.1:!TLS1.0:!ECDHE-RSA-AES256-SHA
Environment=G_TLS_GNUTLS_PRIORITY=PFS
Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:+TLS1.2:!TLS1.1:!TLS1.0:
Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:+TLS1.2:!TLS1.1:!TLS1.0
Environment=G_TLS_GNUTLS_PRIORITY=SECURE192:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2

And my last one:
Environment=G_TLS_GNUTLS_PRIORITY=NONE:+SECURE128:-VERS-ALL:-SHA384:-SHA256
systemctl daemon-reload
systemctl restart cockpit

[root@cockpit ~]# echo test | openssl s_client -connect localhost:9090 -tls1_1 2>&1 | grep -e Protocol -e Cipher
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES256-SHA


[root@cockpit ~]# echo test | openssl s_client -connect localhost:9090 -tls1_2 2>&1 | grep -e Protocol -e Cipher
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
[root@cockpit ~]#

It is my understanding that -VERS-ALL will disable TLS altogether and
produce no output from the above tests. This does not seem to be the
case.
Also, if I did -SHA384 and -SHA256, then why is the cipher in the TLS1_2
test ECDHE-RSA-AES256-GCM-SHA384?

It seems it is completely ignoring the Environment variable.


On Fri, Dec 27, 2019 at 5:18 PM Jonathan Billings <billings@xxxxxxxxxx> wrote:
>
> On Dec 27, 2019, at 16:28, Erick Perez - Quadrian Enterprises <eperez@xxxxxxxxxxxxxxx> wrote:
> >
> > [root@cockpit ~]# cat /etc/systemd/system/cockpit.service.d/ssl.conf
> > Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
> >
> > [root@cockpit ~]#
> > [root@cockpit ~]# systemctl start cockpit
> > [root@cockpit ~]# systemctl status cockpit -l
>
> Did you run:
>
> # systemctl daemon-reload
>
> ... before starting cockpit?
>
> --
> Jonathan Billings <billings@xxxxxxxxxx>
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> https://lists.centos.org/mailman/listinfo/centos



-- 

---------------------
Erick Perez
Quadrian Enterprises S.A. - Panama, Republica de Panama
Skype chat: eaperezh
WhatsApp IM: +507-6675-5083
---------------------
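
A check worth running when a drop-in appears to be ignored (added example, not part of the original message): systemd applies `Environment=` only under a `[Service]` header, and the `cat` output of ssl.conf quoted above shows no section header. The function name `check_dropin` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag Environment= lines in a systemd drop-in that are not
# inside a [Service] section (systemd ignores assignments outside a section).

# check_dropin FILE
# Prints each misplaced Environment= line as "FILE:LINE: text".
# Returns 0 if every Environment= line is under [Service], 1 otherwise.
check_dropin() {
    awk -v f="$1" '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }   # comments and blank lines
        /^[ \t]*\[.*\][ \t]*$/ {               # section header, e.g. [Service]
            section = $0
            gsub(/[ \t]/, "", section)
            next
        }
        /^[ \t]*Environment[ \t]*=/ {
            if (section != "[Service]") {
                printf "%s:%d: %s\n", f, NR, $0
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Demo on constructed files: the drop-in as shown in the thread, and the same
# line placed under a [Service] header.
demo() {
    dir=$(mktemp -d) || return 0
    line='Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1'
    printf '%s\n' "$line" > "$dir/as-posted.conf"
    printf '%s\n' '[Service]' "$line" > "$dir/with-section.conf"
    for f in "$dir/as-posted.conf" "$dir/with-section.conf"; do
        if check_dropin "$f"; then
            echo "OK: $f"
        else
            echo "IGNORED BY SYSTEMD: $f"
        fi
    done
    rm -rf "$dir"
    return 0
}

demo
```

On the host itself, `systemctl show cockpit -p Environment` prints the environment systemd actually applied to the unit, which confirms whether the variable reached the service at all.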


