Re: TLSv1 on CentOS-8

Hi Tomas/Team

I have managed to block RC4 and enable TLSv1 as per our requirements.

We have a requirement to match the cipher list on the internal server to the native browser cipher list as shown by https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html

I have tried setting up different combinations on the CipherString but none helped. Do you have any suggestions as to how to achieve this?

--------
Regards,

Junaid



On Fri, Apr 17, 2020 at 6:22 PM Tomas Mraz <tmraz@xxxxxxxxxx> wrote:
On Fri, 2020-04-17 at 13:03 -0400, Viktor Dukhovni wrote:
> On Fri, Apr 17, 2020 at 05:17:47PM +0200, Tomas Mraz wrote:
>
> > Or you could modify the /etc/pki/tls/openssl.cnf:
> > Find the .include /etc/crypto-policies/back-ends/opensslcnf.config
> > line in it and insert something like:
> >
> > CipherString = @SECLEVEL=1:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:!DES:!RC2:!RC4:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
>
> How did this particular contraption become a recommended cipherlist?

To explain - this is basically an autogenerated value from the crypto
policy definition of the LEGACY crypto policy, with just the !RC4 added.


> What's wrong with "DEFAULT"?  In OpenSSL 1.1.1 it already excludes
> RC4 (if RC4 is at all enabled at compile time):

Nothing wrong with DEFAULT for manual configuration. This is however
something that is autogenerated.

>     $ openssl ciphers -v 'COMPLEMENTOFDEFAULT+RC4'
>     ECDHE-ECDSA-RC4-SHA     TLSv1 Kx=ECDH     Au=ECDSA Enc=RC4(128)  Mac=SHA1
>     ECDHE-RSA-RC4-SHA       TLSv1 Kx=ECDH     Au=RSA   Enc=RC4(128)  Mac=SHA1
>     RC4-SHA                 SSLv3 Kx=RSA      Au=RSA   Enc=RC4(128)  Mac=SHA1
>
> I find too many people cargo-culting poorly thought cipher lists from
> some random HOWTO.  Over optimising your cipherlist is subject to
> rapid bitrot, resist the temptation...

Yeah, I should have probably suggested just: CipherString = DEFAULT

There is not much point in being as close to the autogenerated policy
as possible for this particular user's use-case.

--
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]
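
The request in this thread is to line up the server's cipher list with what a browser offers, as listed by the SSL Labs client test. The following Python script is an added example, not code from the thread or from the crypto-policies project. It assumes OpenSSL 1.1.1, whose `openssl ciphers -stdname -v <cipherstring>` prints the IANA suite name next to OpenSSL's own name, so both sides can be compared on the same names. The browser list and the openssl output below are constructed samples (the openssl sample deliberately still contains an RC4 suite so the weak-suite check has something to catch); the `live_openssl_suites` helper runs the real binary when one is present.

```python
"""Compare a server-side OpenSSL cipher list with the suites a browser offers.

Added example (not from the thread).  Assumes OpenSSL 1.1.1's
`openssl ciphers -stdname -v`, which prints lines of the form
  <IANA name> - <OpenSSL name> <proto> Kx=.. Au=.. Enc=.. Mac=..
Browser suites (as shown by the SSL Labs client test) use IANA names.
"""
import re
import shutil
import subprocess

# Constructed sample of `openssl ciphers -stdname -v` output for a
# cipherstring that still allows RC4; real output has one line per suite
# and pads the first column with spaces.
SAMPLE_OPENSSL_OUTPUT = """\
TLS_AES_256_GCM_SHA384 - TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 - TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
TLS_RSA_WITH_AES_128_CBC_SHA - AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
TLS_ECDHE_RSA_WITH_RC4_128_SHA - ECDHE-RSA-RC4-SHA TLSv1 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1
"""

# Constructed sample of a browser's offered suites, in the IANA naming the
# SSL Labs client test uses, in the browser's preference order.
SAMPLE_BROWSER_SUITES = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

LINE_RE = re.compile(r"^(?P<iana>\S+)\s+-\s+(?P<openssl>\S+)\s+(?P<proto>\S+)\s+(?P<rest>.*)$")
# Enc= values nobody should still be offering, even when TLSv1 has to stay on.
WEAK_ENC_RE = re.compile(r"^(RC4|RC2|DES|3DES|IDEA|SEED|None)\b")


def parse_ciphers_stdname(text):
    """Parse `openssl ciphers -stdname -v` output into dicts, preserving order."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unexpected lines
        fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
        suites.append({
            "iana": m.group("iana"),
            "openssl": m.group("openssl"),
            "proto": m.group("proto"),
            "kx": fields.get("Kx"),
            "au": fields.get("Au"),
            "enc": fields.get("Enc"),
            "mac": fields.get("Mac"),
        })
    return suites


def weak_suites(suites):
    """OpenSSL names of suites with a weak cipher, no authentication, or MD5 MAC."""
    return [s["openssl"] for s in suites
            if WEAK_ENC_RE.match(s["enc"] or "") or s["au"] == "None" or s["mac"] == "MD5"]


def compare(server_suites, browser_suites):
    """Split suites into those both sides share and those only one side has.

    A server can only 'match' the browser on the common set; browser_only
    suites need a different key type (e.g. ECDSA) or a newer OpenSSL, and
    server_only suites are what the server offers that this browser never uses.
    """
    server_by_iana = {s["iana"]: s for s in server_suites}
    browser = set(browser_suites)
    return {
        "common": [n for n in browser_suites if n in server_by_iana],
        "browser_only": [n for n in browser_suites if n not in server_by_iana],
        "server_only": [s["iana"] for s in server_suites if s["iana"] not in browser],
    }


def live_openssl_suites(cipherstring="DEFAULT"):
    """Run the real openssl binary when available; returns [] otherwise."""
    if shutil.which("openssl") is None:
        return []
    out = subprocess.run(["openssl", "ciphers", "-stdname", "-v", cipherstring],
                         capture_output=True, text=True, check=False)
    return parse_ciphers_stdname(out.stdout)


if __name__ == "__main__":
    server = live_openssl_suites() or parse_ciphers_stdname(SAMPLE_OPENSSL_OUTPUT)
    print("weak suites still enabled:", weak_suites(server))
    for key, names in compare(server, SAMPLE_BROWSER_SUITES).items():
        print(f"{key}:")
        for name in names:
            print("   ", name)
```

Run it on a host with OpenSSL 1.1.1 and it will use the real `DEFAULT` list; otherwise it falls back to the constructed sample. The useful output is the `browser_only` set: suites that no CipherString can add because the server lacks the key type or TLS version for them, which is the point at which trying to make the two lists identical stops being worthwhile.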
