Disabling TLS 1.1 In CentOS 7 Cockpit
Hi, I’m using cockpit in standard port 9090 in a CentOS 7 system. Due to a suggestion from management, they want TLS 1.1 disabled system-wide in all Linux boxes and TLS 1.2 enabled.
I have not found proper documentation on how to disable it for cockpit (version 195.1, which ships with CentOS 7).
So far I have tried (https://cockpit-project.org/guide/149/https.html):
/usr/lib/systemd/system/cockpit.service
[Service]
Environment=G_TLS_GNUTLS_PRIORITY=-VERS-ALL:+VERS-TLS1.2
And I also created the file /etc/systemd/system/cockpit.service.d/ssl.conf and added:
[Service]
Environment=G_TLS_GNUTLS_PRIORITY=-VERS-ALL:+VERS-TLS1.2
After that, I run:
systemctl restart cockpit
But if I do
# openssl s_client -connect localhost:9090 -tls1_1
I get a proper response (a certificate), so TLS 1.1 is being accepted.
Suggestions?
Thanks.
6 thoughts on - Disabling TLS 1.1 In CentOS 7 Cockpit
Try creating /etc/system/system/cockpit.service.d/ssl.conf and putting this in it:
[Service]
Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
Then
systemctl daemon-reload
systemctl restart cockpit
Cheers,
Phil
Oops, excuse my typo
Create /etc/systemd/system/cockpit.service.d/ssl.conf containing
[Service]
Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
Then
systemctl daemon-reload
systemctl restart cockpit
To verify that TLS 1.1 is disabled,
echo test | openssl s_client -connect localhost:9090 -tls1_1 2>&1 | grep -e Protocol -e Cipher
The expected result is:
New, (NONE), Cipher is (NONE)
Protocol : TLSv1.1
Cipher : 0000
Cheers,
Phil
Thanks, Randal for the response. But it did not work.
Here are the results:
# yum info cockpit
Name        : cockpit
Arch        : x86_64
Version     : 195.1
Release     : 1.el7.CentOS.0.1
Size        : 51 k
Repo        : installed
From repo   : extras
Summary     : Web Console for Linux servers
URL         : https://cockpit-project.org/
License     : LGPLv2+
[root@cockpit ~]# cat /etc/systemd/system/cockpit.service.d/ssl.conf
Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
[root@cockpit ~]#
[root@cockpit ~]# systemctl start cockpit
[root@cockpit ~]# systemctl status cockpit -l
● cockpit.service - Cockpit Web Service
Loaded: loaded (/usr/lib/systemd/system/cockpit.service; static; vendor preset: disabled)
Drop-In: /etc/systemd/system/cockpit.service.d
└─ssl.conf
Active: active (running) since Fri 2019-12-27 16:23:21 EST; 1min 25s ago
Docs: man:cockpit-ws(8)
Process: 3564 ExecStartPre=/usr/sbin/remotectl certificate --ensure --user=root --group=cockpit-ws --selinux-type=etc_t (code=exited, status=0/SUCCESS)
Main PID: 3573 (cockpit-ws)
CGroup: /system.slice/cockpit.service
└─3573 /usr/libexec/cockpit-ws
Dec 27 16:23:21 cockpit.localdomain systemd[1]: Starting Cockpit Web Service...
Dec 27 16:23:21 cockpit.localdomain systemd[1]: Started Cockpit Web Service.
Dec 27 16:23:21 cockpit.localdomain cockpit-ws[3573]: Using certificate: /etc/cockpit/ws-certs.d/0-self-signed.cert
Dec 27 16:23:30 cockpit.localdomain cockpit-ws[3573]: received invalid HTTP request line
[root@cockpit ~]#
[root@cockpit ~]# echo test | openssl s_client -connect localhost:9090 -tls1_1 2>&1 | grep -e Protocol -e Cipher
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Protocol : TLSv1.1
Cipher : ECDHE-RSA-AES256-SHA
--
Erick Perez
Quadrian Enterprises S.A. - Panama, Republica de Panama
Skype chat: eaperezh
WhatsApp IM: +507-6675-5083
Did you run:
# systemctl daemon-reload
… before starting cockpit?
Sure did!
I am even playing with different options (including NONE) and it seems to ignore the contents of ssl.conf
I have tried:
Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:+TLS1.2:!TLS1.1:!TLS1.0:!ECDHE-RSA-AES256-SHA:
Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:+TLS1.2:!TLS1.1:!TLS1.0:!ECDHE-RSA-AES256-SHA
Environment=G_TLS_GNUTLS_PRIORITY=PFS
Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:+TLS1.2:!TLS1.1:!TLS1.0:
Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:+TLS1.2:!TLS1.1:!TLS1.0
Environment=G_TLS_GNUTLS_PRIORITY=SECURE192:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2
And my last one:
Environment=G_TLS_GNUTLS_PRIORITY=NONE:+SECURE128:-VERS-ALL:-SHA384:-SHA256
systemctl daemon-reload
systemctl restart cockpit
[root@cockpit ~]# echo test | openssl s_client -connect localhost:9090 -tls1_1 2>&1 | grep -e Protocol -e Cipher
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Protocol : TLSv1.1
Cipher : ECDHE-RSA-AES256-SHA
[root@cockpit ~]# echo test | openssl s_client -connect localhost:9090 -tls1_2 2>&1 | grep -e Protocol -e Cipher
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
[root@cockpit ~]#
It is my understanding that -VERS-ALL will disable TLS altogether and produce no output from the above tests. This does not seem to be the case. Also, if I set -SHA384 and -SHA256, then why is the cipher in the TLS1_2 test ECDHE-RSA-AES256-GCM-SHA384?
It seems it is completely ignoring the Environment variable.
Fixed!!!!
It turns out that the gnutls library installed on the system was somehow damaged. It took the installation of gnutls-cli to list supported protocols and ciphers. I had to yum reinstall gnutls to fix it.
Now the ssl.conf has:
[Service]
Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
[root@cockpit ~]# echo test | openssl s_client -connect localhost:9090 -tls1_1 2>&1 | grep -e Protocol -e Cipher
New, (NONE), Cipher is (NONE)
Protocol : TLSv1.1
Cipher : 0000
[root@cockpit ~]#
Thanks!!!! It was a pleasure working with you and it was a great learning experience!
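The procedure this thread settles on (Phil's drop-in plus the openssl probe, repeated in the final post above) has two places where a change can silently fail to apply: systemd ignores an Environment= line that appears before any [Section] header (it logs "Assignment outside of section. Ignoring."), and GnuTLS falls back to its defaults when a priority string does not parse (version keywords take the VERS-TLS1.x form, as in the working config). The POSIX shell helper below is an added example written for this page, not code from the thread or from the Cockpit project. It assumes the drop-in path /etc/systemd/system/cockpit.service.d/ssl.conf, cockpit on localhost:9090, and gnutls-cli from the gnutls-utils package for the optional priority-string check; the function names and the two sample transcripts are constructed here.

```shell
#!/bin/sh
# Added example (not from the thread): checks for the cockpit TLS-hardening steps above.
# Assumptions: drop-in at /etc/systemd/system/cockpit.service.d/ssl.conf, cockpit on
# localhost:9090, gnutls-cli (gnutls-utils) available for the optional priority check.

# systemd drops an Environment= line that is not under a [Section] header
# ("Assignment outside of section. Ignoring."), so check the drop-in's shape first.
# $1 = drop-in path. Returns 0 when G_TLS_GNUTLS_PRIORITY is assigned inside [Service].
dropin_sets_priority() {
  awk 'BEGIN { in_service = 0; ok = 1; found = 0 }
       /^\[Service\]/ { in_service = 1; next }
       /^\[/          { in_service = 0; next }
       /^Environment=G_TLS_GNUTLS_PRIORITY=/ { if (in_service) found = 1; else ok = 0 }
       END { exit !(ok && found) }' "$1"
}

# Classify one "openssl s_client ... 2>&1" transcript read from stdin. A refused
# handshake prints "New, (NONE), Cipher is (NONE)"; an accepted one names a suite.
# Returns 0 if the offered protocol version was accepted, 1 if it was refused.
tls_version_accepted() {
  grep -Eq 'Cipher is [A-Z0-9-]+'
}

# Ask GnuTLS itself whether a priority string parses; an unparseable string is the
# first thing to rule out when the server keeps its defaults. Not exercised offline.
priority_string_parses() {
  gnutls-cli --priority "$1" --list >/dev/null 2>&1
}

# Live check of a running cockpit: show the environment systemd actually handed the
# unit, then report which protocol versions the listener still accepts. Not run offline.
probe_tls_versions() {
  host_port=${1:-localhost:9090}
  echo "Effective unit environment: $(systemctl show -p Environment cockpit.service)"
  for v in tls1 tls1_1 tls1_2; do
    if echo test | openssl s_client -connect "$host_port" "-$v" 2>&1 | tls_version_accepted; then
      echo "$v: accepted"
    else
      echo "$v: refused"
    fi
  done
}

# Offline demonstration on constructed data; the transcripts mirror the thread's output.
demo() {
  tmp=$(mktemp)
  printf '[Service]\nEnvironment=G_TLS_GNUTLS_PRIORITY=NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1\n' > "$tmp"
  dropin_sets_priority "$tmp" && echo "drop-in with [Service] header: applied"
  printf 'Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:-VERS-TLS1.1\n' > "$tmp"
  dropin_sets_priority "$tmp" || echo "drop-in without [Service] header: ignored by systemd"
  rm -f "$tmp"
  printf 'New, (NONE), Cipher is (NONE)\nProtocol  : TLSv1.1\nCipher    : 0000\n' \
    | tls_version_accepted || echo "constructed refused transcript: TLS 1.1 disabled"
  printf 'New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA\nProtocol  : TLSv1.1\n' \
    | tls_version_accepted && echo "constructed accepted transcript: TLS 1.1 still enabled"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with --demo for the offline walk-through, or source it and call probe_tls_versions against a live host. The cat output earlier in the thread shows only the Environment= line, so dropin_sets_priority is the quickest way to tell whether a drop-in of that shape reaches the service at all before suspecting the TLS library.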