TLS 1.1 コックピット ポート 9090 を無効にする方法

この投稿は、TLS 1.1 コックピット ポート 9090 を無効にするのに役立ちます。

1. 以下を含むファイル /etc/systemd/system/cockpit.service.d/ssl.conf を作成します。

[Service]
Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1

2. systemd デーモンをリロードします:

# systemctl daemon-reload

3. コックピット サービスを再起動します:

# systemctl restart cockpit

4. プロトコル tls1_1 を確認します:

# echo test | openssl s_client -connect localhost:9090 -tls1_1CONNECTED(00000003)
139687924594576:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:365:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported    ==> Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1595495230
Timeout : 7200 (sec)
Verify return code: 0 (ok)

5. プロトコル tls1_2 を確認します:

# echo test | openssl s_client -connect localhost:9090 -tls1_2...No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1326 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported  -->  Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 3B54CEBA5BA27F851E55409A491540E7A0B6BCB7657B9036D67BB6E82B5F55B5
Session-ID-ctx:
Master-Key: 5AC8E8F409895C2020C87F4598DCF09465661431DAE03FDDEC0EC69FE7F8320FE14B79BA2D6A902A745AE00E265462D0
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1595495263
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
---
DONE