Subject says it all. I’ve already disabled these in Apache; they’ve been known to be weak crypto for several years. There’s a cockpit config item which disables TLS completely, but that’s not for live use. Thanks!
EDIT: It should be possible to replace the self-generated cockpit cert with a TLSv1.2 cert. I’ll test and see if that does the trick.
Certs do not dictate the TLS version used - the handshake between the client and server do. You would usually set the server to only support specific TLS levels, but a quick search seems like that is not an option for the embedded web server used by Cockpit.
A work around would be using Apache as a front-end proxy and limiting the TLS levels used in Apache for the virtual site created to talk to Cockpit. Setting it up as a proxy would then mean that you do not need to have 9090 open on the firewall for remote access and just use the same 443 port that you have for Allmon3.
e.g.
https://your_hostname/allmon3/
https://your_hostname/cockpit/
Thanks! A little more reading told me my approach was a dead end, as you say. Since I’m already set to +TLSv1.2 -SSLv3 in Apache, the rest should be easy.
So, just to be clear, the mere availability of TLS 1.0 or 1.1 doesn’t mean they are used. Any modern browser/client will automatically pick TLS 1.3 or 1.2 and the strongest cipher suite over 1.1/1.0 weaker ones. The weaknesses come into play if there’s a legacy client that doesn’t support modern crypto. All desktop browses, all iOS-based devices, and most Android devices all support modern crypto and a default-secure behavior.
You should be able to disable this by changing the behavior of GnuTLS on your system. Be warned this may break other things. You should be able to create a file /etc/gnutls/config with the following contents:
Thanks for that info. It’s not old browsers that concern me; it’s modern versions of POODLE that would negotiate a TLS downgrade. My pentesting indicates the cockpit ws seems vulnerable to this (does not implement TLS_FALLBACK_SCSV).