TLSv1 on CentOS-8

Junaid Mukhtar junaid.mukhtar at gmail.com
Tue Apr 21 15:06:04 UTC 2020


Hi Tomas/Team

I have managed to block RC4 and enable TLSv1 as per our requirements.

We have a requirement for the cipher list on the internal server to match
the native browser cipher list as shown by
https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html

I have tried setting up different combinations in the CipherString but none
helped. Do you have any suggestions as to how to achieve this?

--------
Regards,
Junaid


On Fri, Apr 17, 2020 at 6:22 PM Tomas Mraz <tmraz at redhat.com> wrote:

> On Fri, 2020-04-17 at 13:03 -0400, Viktor Dukhovni wrote:
> > On Fri, Apr 17, 2020 at 05:17:47PM +0200, Tomas Mraz wrote:
> >
> > > Or you could modify the /etc/pki/tls/openssl.cnf:
> > > Find the .include /etc/crypto-policies/back-ends/opensslcnf.config
> > > line in it and insert something like:
> > >
> > > CipherString =
> > > @SECLEVEL=1:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:!DES:!RC2:!RC4:
> > > !IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
> >
> > How did this particular contraption become a recommended cipherlist?
>
> To explain - this is basically an autogenerated value from the crypto
> policy definition of the LEGACY crypto policy with just the !RC4 added.
>
>
> > What's wrong with "DEFAULT"?  In OpenSSL 1.1.1 it already excludes
> > RC4 (if RC4 is at all enabled at compile time):
>
> Nothing wrong with DEFAULT for manual configuration. This is however
> something that is autogenerated.
>
> >     $ openssl ciphers -v 'COMPLEMENTOFDEFAULT+RC4'
> >     ECDHE-ECDSA-RC4-SHA     TLSv1 Kx=ECDH     Au=ECDSA Enc=RC4(128)  Mac=SHA1
> >     ECDHE-RSA-RC4-SHA       TLSv1 Kx=ECDH     Au=RSA  Enc=RC4(128)  Mac=SHA1
> >     RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
> >
> > I find too many people cargo-culting poorly thought-out cipher lists from
> > some random HOWTO.  Over-optimising your cipherlist is subject to
> > rapid bitrot, resist the temptation...
>
> Yeah, I should have probably suggested just: CipherString = DEFAULT
>
> There is not much point in being as close to the autogenerated policy
> as possible for this particular user's use-case.
>
> --
> Tomáš Mráz
> No matter how far down the wrong road you've gone, turn back.
>                                               Turkish proverb
> [You'll know whether the road is wrong if you carefully listen to your
> conscience.]
>
>
>
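The thread turns on two checks: whether a CipherString still admits weak ciphers (RC4, NULL encryption or authentication, MD5, no forward secrecy) and which of the server's ciphers a given browser actually offers. The script below is an added example written for this archive page; it is not code from the thread, from OpenSSL or from the crypto-policies project. It parses the `openssl ciphers -v` output format quoted above, flags weak entries by the same criteria the discussed CipherString excludes, and intersects the server list with a client list such as the one shown by the SSL Labs client test. The embedded output lines are constructed samples; `run_openssl_ciphers()` assumes an `openssl` binary on PATH and returns None if there is none.

```python
import re
import subprocess
from typing import Dict, List, Optional

# Constructed sample in the `openssl ciphers -v` format quoted in the thread.
# Only the RC4 lines mirror the thread; the rest are illustrative entries.
SAMPLE_OUTPUT = """\
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-RC4-SHA     TLSv1 Kx=ECDH     Au=ECDSA Enc=RC4(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
"""

# Constructed stand-in for a browser's offered cipher list (the real one is
# read off the SSL Labs client test page for the browser in question).
SAMPLE_CLIENT_LIST = [
    "TLS_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",
]

# One line of `openssl ciphers -v`: name, protocol, then Kx/Au/Enc/Mac fields.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)


def parse_ciphers(text: str) -> List[Dict[str, str]]:
    """Parse `openssl ciphers -v` output into one dict per cipher suite."""
    ciphers = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ciphers.append(m.groupdict())
    return ciphers


def weak_reasons(c: Dict[str, str]) -> List[str]:
    """Return the reasons a suite would be rejected by the thread's CipherString
    (RC4, eNULL, aNULL, MD5), plus a forward-secrecy warning for static RSA kx."""
    reasons = []
    if c["enc"].startswith("RC4"):
        reasons.append("RC4")
    if c["enc"] == "None":
        reasons.append("eNULL")
    if c["au"] == "None":
        reasons.append("aNULL")
    if c["mac"] == "MD5":
        reasons.append("MD5")
    if c["kx"] == "RSA":
        reasons.append("no forward secrecy")
    return reasons


def audit(text: str) -> Dict[str, List[str]]:
    """Map each suite name in the output to its list of weaknesses (empty = ok)."""
    return {c["name"]: weak_reasons(c) for c in parse_ciphers(text)}


def overlap(server_text: str, client_names: List[str]) -> List[str]:
    """Suites the server offers that the client also lists, in server order.
    The server's preference order is what decides the negotiated suite."""
    client = set(client_names)
    return [c["name"] for c in parse_ciphers(server_text) if c["name"] in client]


def run_openssl_ciphers(cipher_string: str = "DEFAULT") -> Optional[str]:
    """Run `openssl ciphers -v <string>`; None if openssl is missing or rejects it.
    Assumes an openssl binary on PATH (not checked into this example)."""
    try:
        out = subprocess.run(
            ["openssl", "ciphers", "-v", cipher_string],
            capture_output=True, text=True, check=True,
        )
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout


if __name__ == "__main__":
    text = run_openssl_ciphers("DEFAULT") or SAMPLE_OUTPUT
    for name, reasons in audit(text).items():
        print(f"{name:32} {', '.join(reasons) or 'ok'}")
    print("shared with client:", overlap(text, SAMPLE_CLIENT_LIST))
```

Run it against the live `DEFAULT` list and then against the LEGACY-derived string from the thread to see what each admits; an empty `overlap()` result explains a handshake failure far faster than trial-and-error edits to CipherString.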