TLSv1 on CentOS-8

Tomas Mraz tmraz at redhat.com
Fri Apr 17 15:17:47 UTC 2020


It will be possible via Custom crypto policies in 8.2 release.

It can be solved only in a hackish way on 8.1.

You can manually edit the /etc/crypto-policies/back-ends/openssl*.config
files; however, that will not survive further runs of
update-crypto-policies or package updates.

Or you could modify the /etc/pki/tls/openssl.cnf:
Find the .include /etc/crypto-policies/back-ends/opensslcnf.config
line in it and insert something like:

CipherString = @SECLEVEL=1:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:!DES:!RC2:!RC4:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8

after that include line.

This will override the policy. However, it will then stay overridden even
after you switch the system to another mode or if you update the system
and a new policy (with adjustments and fixes) is provided in the updated
packages.

Regards,
Tomas

On Fri, 2020-04-17 at 15:39 +0100, Junaid Mukhtar wrote:
> Hi Tomas
> 
> Is it possible to enable legacy protocols/ciphers but disable only
> one. In particular we want RC4-SHA to be disable
> 
> --------
> Regards,
> Junaid
> 
> 
> On Wed, Apr 15, 2020 at 5:13 PM Junaid Mukhtar <
> junaid.mukhtar at gmail.com> wrote:
> > Thanks a lot; It really helped
> > 
> > --------
> > Regards,
> > Junaid
> > 
> > 
> > On Wed, Apr 15, 2020 at 5:04 PM Tomas Mraz <tmraz at redhat.com>
> > wrote:
> > > On Wed, 2020-04-15 at 16:57 +0100, Junaid Mukhtar wrote:
> > > > Hi Team
> > > > 
> > > > I am trying to enable TLSv1 on CentOS-8. We don't have the
> > > > ability to upgrade the server unfortunately so we need to enable
> > > > TLSv1 with weak-ciphers on OpenSSL.
> > > > 
> > > > I have tried to build the OpenSSL version manually using
> > > > switches "./config --prefix=/usr/local/openssl
> > > > --openssldir=/usr/local/openssl shared enable-weak-ssl-ciphers
> > > > enable-deprecated enable-rc4 enable-tls1 zlib" which ran
> > > > successfully
> > > > 
> > > > [root at 2cb6477375aa openssl-OpenSSL_1_1_1c]# openssl version
> > > > OpenSSL 1.1.1c  28 May 2019
> > > > 
> > > > 
> > > > But I am still not able to run the "openssl s_client -connect "
> > > > command without specifying -tls1 in it. Build accepts the
> > > > weak-ciphers but not the tls1 version.
> > > > 
> > > > Can someone please help me with this?
> > > 
> > > You should not need to recompile openssl or anything. 
> > > 
> > > Just run:
> > > 
> > > update-crypto-policies --set LEGACY
> > > 
> > > and restart the service that is supposed to be providing the TLS1
> > > server or reboot the machine.
> > > 
> > > The LEGACY crypto policy purpose is exactly for re-enabling some
> > > of the not-up-to-date protocols and crypto algorithms.
> > > 
-- 
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]
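As an added example (not part of the thread, not Red Hat's tooling), the openssl.cnf edit Tomas describes as two POSIX shell functions: one inserts the CipherString override directly after the `.include /etc/crypto-policies/back-ends/opensslcnf.config` line, idempotently, and the other removes it again so the override can be dropped once a proper custom policy is available. The include line and CipherString are those quoted on the page; the file path is a parameter, so run it on a copy first.

```shell
#!/bin/sh
# Added example: manage the CipherString override in an openssl.cnf.
# Work on a copy (or keep a backup) before touching /etc/pki/tls/openssl.cnf.

CIPHER_LINE='CipherString = @SECLEVEL=1:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:!DES:!RC2:!RC4:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8'
# Bracketed dots so the same pattern works in grep (BRE) and awk (ERE).
INCLUDE_RE='^[.]include /etc/crypto-policies/back-ends/opensslcnf[.]config'

# insert_override FILE
# Prints "inserted", "already" (override present, file untouched) or
# "noinclude" (no crypto-policies include line; returns 1, file untouched).
insert_override() {
  f=$1
  if grep -q -F "$CIPHER_LINE" "$f"; then
    echo already
    return 0
  fi
  if ! grep -q "$INCLUDE_RE" "$f"; then
    echo noinclude
    return 1
  fi
  tmp=$(mktemp)
  # Copy every line; right after the include line, emit the override.
  awk -v line="$CIPHER_LINE" -v re="$INCLUDE_RE" \
      '{ print } $0 ~ re { print line }' "$f" > "$tmp"
  cat "$tmp" > "$f"   # cat, not mv: keeps the file's owner and mode
  rm -f "$tmp"
  echo inserted
}

# remove_override FILE : drops the override line; prints "removed" or "absent".
remove_override() {
  f=$1
  if ! grep -q -F "$CIPHER_LINE" "$f"; then
    echo absent
    return 0
  fi
  tmp=$(mktemp)
  grep -v -F "$CIPHER_LINE" "$f" > "$tmp" || true  # grep -v returns 1 on empty output
  cat "$tmp" > "$f"
  rm -f "$tmp"
  echo removed
}
```

Usage after editing, for example: `openssl ciphers -v 'DEFAULT'` on the patched host should list no RC4 suites, and `update-crypto-policies --show` still reports the policy name, which is why the override outlives mode switches.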