This note explains how to disable TLS 1.1 on the Cockpit port 9090.
1. Create the file /etc/systemd/system/cockpit.service.d/ssl.conf with the following contents (the GnuTLS priority string removes SSL 3.0, TLS 1.0 and TLS 1.1 from the default NORMAL set):
[Service]
Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
2. Reload the systemd daemon so the drop-in is picked up:
# systemctl daemon-reload
3. Restart the Cockpit service:
# systemctl restart cockpit
4. Check TLS 1.1 (the handshake should now fail with a "wrong version number" error and no cipher negotiated):
# echo test | openssl s_client -connect localhost:9090 -tls1_1
CONNECTED(00000003)
139687924594576:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:365:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1595495230
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
5. Check TLS 1.2 (the handshake should still succeed and negotiate a real cipher suite):
# echo test | openssl s_client -connect localhost:9090 -tls1_2
...
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1326 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 3B54CEBA5BA27F851E55409A491540E7A0B6BCB7657B9036D67BB6E82B5F55B5
    Session-ID-ctx:
    Master-Key: 5AC8E8F409895C2020C87F4598DCF09465661431DAE03FDDEC0EC69FE7F8320FE14B79BA2D6A902A745AE00E265462D0
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1595495263
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---
DONE
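The manual checks in steps 4 and 5, generalised to every TLS version as an added example (this script is not part of the original note). It assumes an OpenSSL build that understands the -tls1, -tls1_1, -tls1_2 and -tls1_3 flags, and the host/port names are placeholders.

```shell
#!/bin/sh
# Added example: probe a TLS endpoint once per protocol version with
# openssl s_client and report which versions the server still accepts.
# Exits non-zero if TLS 1.0 or TLS 1.1 is still negotiated.

# Classify captured s_client output as accepted / rejected / unknown.
# A refused version shows "Cipher is (NONE)" or a version error (as in
# step 4); a negotiated one shows a real cipher suite (as in step 5).
classify_handshake() {
    out="$1"
    case "$out" in
        *"Cipher is (NONE)"*|*"wrong version number"*|*"handshake failure"*|*"unsupported protocol"*|*"protocol version"*)
            echo rejected ;;
        *"Cipher is "*)
            echo accepted ;;
        *)
            echo unknown ;;   # e.g. connection refused, openssl missing
    esac
}

# Probe host:port with one protocol flag and print "<flag> <verdict>".
probe_version() {
    host="$1"; port="$2"; flag="$3"
    out=$(echo test | openssl s_client -connect "$host:$port" "$flag" 2>&1)
    printf '%s %s\n' "$flag" "$(classify_handshake "$out")"
}

# Walk every version; return 1 if a legacy version (TLS 1.0/1.1) is accepted.
probe_all() {
    host="${1:-localhost}"; port="${2:-9090}"
    rc=0
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        verdict=$(probe_version "$host" "$port" "$flag")
        echo "$verdict"
        case "$verdict" in
            "-tls1 accepted"|"-tls1_1 accepted") rc=1 ;;
        esac
    done
    return $rc
}

# Live probe only when a target is given, e.g.:
#   TLS_PROBE_HOST=localhost TLS_PROBE_PORT=9090 sh probe_tls.sh
if [ -n "${TLS_PROBE_HOST:-}" ]; then
    probe_all "$TLS_PROBE_HOST" "${TLS_PROBE_PORT:-9090}"
fi
```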