Erick Perez - Quadrian Enterprises
2019-Dec-27 03:26 UTC
[CentOS] Disabling TLS 1.1 in Centos 7 cockpit
Hi, I'm using cockpit in standard port 9090 in a Centos 7 system.
Due to a suggestion from management, they want TLS 1.1 disabled system-wide in all Linux boxes and TLS 1.2 enabled.
I have not found proper documentation on how to disable it for cockpit (version 195.1 ships with Centos 7).
So far I have tried (https://cockpit-project.org/guide/149/https.html):
/usr/lib/systemd/system/cockpit.service
[Service]
Environment=G_TLS_GNUTLS_PRIORITY=-VERS-ALL:+VERS-TLS1.2
And I also created the file /etc/systemd/system/cockpit.service.d/ssl.conf and added:
[Service]
Environment=G_TLS_GNUTLS_PRIORITY=-VERS-ALL:+VERS-TLS1.2
after that, I systemctl restart cockpit
But if I do
#openssl s_client -connect localhost:9090 -tls1_1
I get a proper response (a certificate), so TLS 1.1 is being accepted.
Suggestions?
Thanks.
--
---------------------
Erick Perez
---------------------
Randal, Phil
2019-Dec-27 15:04 UTC
RE: [CentOS] Disabling TLS 1.1 in Centos 7 cockpit
Try creating /etc/system/system/cockpit.service.d/ssl.conf and putting this in it:
[Service]
Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
Then
systemctl daemon-reload
systemctl restart cockpit
Cheers,
Phil
-----Original Message-----
From: CentOS <centos-bounces at centos.org> On Behalf Of Erick Perez - Quadrian Enterprises
Sent: 27 December 2019 03:26
To: centos at centos.org
Subject: [CentOS] Disabling TLS 1.1 in Centos 7 cockpit
_______________________________________________
CentOS mailing list
CentOS at centos.org
https://lists.centos.org/mailman/listinfo/centos
Hoople Ltd, Registered in England and Wales No. 7556595
Registered office: Plough Lane, Hereford, HR4 0LE
"Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Hoople Ltd. You should be aware that Hoople Ltd. monitors its email service. This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it."
Oops, excuse my typo
Create /etc/systemd/system/cockpit.service.d/ssl.conf containing
[Service]
Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
Then
systemctl daemon-reload
systemctl restart cockpit
To verify that TLS 1.1 is disabled,
echo test | openssl s_client -connect localhost:9090 -tls1_1 2>&1 | grep -e Protocol -e Cipher
The expected result is:
New, (NONE), Cipher is (NONE)
Protocol : TLSv1.1
Cipher : 0000
Cheers,
Phil
-----Original Message-----
From: Randal, Phil
Sent: 27 December 2019 15:04
To: 'CentOS mailing list' <centos at centos.org>
Subject: RE: [CentOS] Disabling TLS 1.1 in Centos 7 cockpit
Erick Perez - Quadrian Enterprises
2019-Dec-27 21:28 UTC
[CentOS] Disabling TLS 1.1 in Centos 7 cockpit
Thanks, Randal, for the response. But it did not work. Here are the results:
#yum info cockpit
Name : cockpit
Arch : x86_64
Version : 195.1
Release : 1.el7.centos.0.1
Size : 51 k
Repo : installed
From repo : extras
Summary : Web Console for Linux servers
URL : https://cockpit-project.org/
License : LGPLv2+
[root at cockpit ~]# cat /etc/systemd/system/cockpit.service.d/ssl.conf
Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
[root at cockpit ~]#
[root at cockpit ~]# systemctl start cockpit
[root at cockpit ~]# systemctl status cockpit -l
● cockpit.service - Cockpit Web Service
   Loaded: loaded (/usr/lib/systemd/system/cockpit.service; static; vendor preset: disabled)
  Drop-In: /etc/systemd/system/cockpit.service.d
           └─ssl.conf
   Active: active (running) since Fri 2019-12-27 16:23:21 EST; 1min 25s ago
     Docs: man:cockpit-ws(8)
  Process: 3564 ExecStartPre=/usr/sbin/remotectl certificate --ensure --user=root --group=cockpit-ws --selinux-type=etc_t (code=exited, status=0/SUCCESS)
 Main PID: 3573 (cockpit-ws)
   CGroup: /system.slice/cockpit.service
           └─3573 /usr/libexec/cockpit-ws
Dec 27 16:23:21 cockpit.localdomain systemd[1]: Starting Cockpit Web Service...
Dec 27 16:23:21 cockpit.localdomain systemd[1]: Started Cockpit Web Service.
Dec 27 16:23:21 cockpit.localdomain cockpit-ws[3573]: Using certificate: /etc/cockpit/ws-certs.d/0-self-signed.cert
Dec 27 16:23:30 cockpit.localdomain cockpit-ws[3573]: received invalid HTTP request line
[root at cockpit ~]#
[root at cockpit ~]# echo test | openssl s_client -connect localhost:9090 -tls1_1 2>&1 | grep -e Protocol -e Cipher
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Protocol : TLSv1.1
Cipher : ECDHE-RSA-AES256-SHA
On Fri, Dec 27, 2019 at 10:09 AM Randal, Phil <phil.randal at hoopleltd.co.uk> wrote:
--
---------------------
Erick Perez
Quadrian Enterprises S.A. - Panama, Republica de Panama
Skype chat: eaperezh
WhatsApp IM: +507-6675-5083
---------------------
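The cat output in the last message shows the Environment= line with no [Service] header above it; systemd ignores assignments that appear outside a section, so the drop-in has no effect even though systemctl status lists it. The following script is an added example, not code from the thread or from the Cockpit project: it checks the drop-in for that mistake before reloading, then runs the thread's openssl s_client probe for each TLS version and classifies the result. It assumes the drop-in path used in the thread and a script name of check-cockpit-tls.sh for the run guard.

```shell
#!/bin/sh
# Added example (not from the thread): validate the cockpit drop-in, reload,
# and probe each TLS version the way the thread does.
# Assumes the drop-in path from the thread; the live probe needs openssl,
# systemctl and a cockpit listening on localhost:9090.

DROPIN=/etc/systemd/system/cockpit.service.d/ssl.conf

# dropin_ok FILE: succeeds only if an Environment=G_TLS_GNUTLS_PRIORITY line
# sits under a [Service] header. systemd ignores assignments made before any
# section header, which silently leaves the default TLS policy in force.
dropin_ok() {
    awk '
        /^\[Service\]/                       { svc = 1; next }
        /^\[/                                { svc = 0; next }
        /^Environment=G_TLS_GNUTLS_PRIORITY=/ { if (svc) ok = 1 }
        END { exit ok ? 0 : 1 }' "$1"
}

# handshake_result OUTPUT: "rejected" when s_client negotiated no cipher
# (the expected result once the version is disabled), otherwise "accepted".
handshake_result() {
    if printf '%s\n' "$1" | grep -q 'Cipher is (NONE)'; then
        echo rejected
    else
        echo accepted
    fi
}

# probe_version FLAG: run the thread's check with one s_client version flag
# (-tls1, -tls1_1, -tls1_2) against the local cockpit and classify it.
probe_version() {
    out=$(echo test | openssl s_client -connect localhost:9090 "$1" 2>&1 \
          | grep -e Protocol -e Cipher)
    echo "$1: $(handshake_result "$out")"
}

main() {
    if ! dropin_ok "$DROPIN"; then
        echo "$DROPIN: Environment= line is not under [Service]; systemd will ignore it" >&2
        exit 1
    fi
    systemctl daemon-reload && systemctl restart cockpit
    for v in -tls1 -tls1_1 -tls1_2; do probe_version "$v"; done
}

# Run main only when executed directly under the assumed script name.
case "${0##*/}" in check-cockpit-tls.sh) main ;; esac
```

Expected output after a working drop-in is "-tls1: rejected", "-tls1_1: rejected" and "-tls1_2: accepted"; an "accepted" for -tls1_1 means the restart is still serving the old policy.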