How to configure allowed ciphers and TLS versions in Cockpit

Environment

  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8

Issue

  • Cockpit supports TLS v1.1 and v1.2 by default. How can Cockpit be restricted to TLS v1.2 only?
  • How can the ciphers that Cockpit allows for TLS be added or removed?

Resolution

Red Hat Enterprise Linux 7

  • Create /etc/systemd/system/cockpit.service.d directory:
    # mkdir /etc/systemd/system/cockpit.service.d
  • Create a file /etc/systemd/system/cockpit.service.d/ssl.conf with the following content:
       [Service]
       Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
    
  • If the ciphers also need to be restricted, for example to 128-bit and stronger ciphers, replace NORMAL with SECURE128, which permits only ciphers of 128-bit strength or more:
    # cat /etc/systemd/system/cockpit.service.d/ssl.conf
      [Service]
      Environment=G_TLS_GNUTLS_PRIORITY=SECURE128:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
    

    Refer to SSL/TLS Usage and Priority strings for further information.
    Note that SSL3.0 and TLS1.0 must also be disabled explicitly. Even though they are disabled by default in Red Hat Enterprise Linux 7, a priority string that does not list them re-enables them, so creating the above file without -VERS-SSL3.0 and -VERS-TLS1.0 would make cockpit accept them again.

  • Save the file and continue with Common Steps below.

Red Hat Enterprise Linux 8

In Red Hat Enterprise Linux 8 the configuration is handled by the system-wide crypto policy, and the G_TLS_GNUTLS_PRIORITY environment variable is not evaluated. The global crypto settings can be adjusted with the update-crypto-policies command; see Chapter 5 of Security Hardening for details.

If only the cockpit crypto settings need to be adjusted, cockpit can be excluded from the crypto policies.

cockpit uses the gnutls library as its TLS back-end. Follow these steps to create a cockpit-specific gnutls configuration:

  1. Create the gnutls.config file in a directory accessible to cockpit, e.g. /etc/cockpit/gnutls.config. The content is a single SYSTEM= line whose value is a gnutls Priority String. The example below is the FUTURE crypto policy gnutls configuration string in Red Hat Enterprise Linux 8 at the time of writing this article.
    SYSTEM=NONE:+MAC-ALL:-SHA1:-MD5:+GROUP-ALL:-GROUP-FFDHE2048:+SIGN-ALL:-SIGN-RSA-MD5:-SIGN-RSA-SHA1:-SIGN-DSA-SHA1:-SIGN-ECDSA-SHA1:-SIGN-RSA-SHA224:-SIGN-DSA-SHA224:-SIGN-ECDSA-SHA224:-SIGN-DSA-SHA256:-SIGN-DSA-SHA384:-SIGN-DSA-SHA512:+CIPHER-ALL:-AES-128-GCM:-AES-128-CCM:-CAMELLIA-256-GCM:-CAMELLIA-128-GCM:-AES-256-CBC:-AES-128-CBC:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-3DES-CBC:-ARCFOUR-128:+ECDHE-RSA:+ECDHE-ECDSA:+DHE-RSA:+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0:+COMP-NULL:%PROFILE_HIGH
    

    The TLS versions and allowed ciphers can be adjusted in the same way as for Red Hat Enterprise Linux 7, by changing the -VERS-... entries and the cipher keywords in this string.

    Refer to SSL/TLS Usage and Priority strings for further information.
    Note that SSL3.0 and TLS1.0 must also be disabled explicitly. Even though they are disabled by default in Red Hat Enterprise Linux 8, a priority string that does not list them re-enables them.

  2. Create a cockpit.service systemd unit file override by running:
    # systemctl edit cockpit.service
    
  3. Add the following content, so that the GNUTLS_SYSTEM_PRIORITY_FILE environment variable points gnutls at the file created in step 1 (systemctl edit stores it as /etc/systemd/system/cockpit.service.d/override.conf):
    [Service]
    Environment=GNUTLS_SYSTEM_PRIORITY_FILE=/etc/cockpit/gnutls.config
    
  4. Save the file and continue with Common Steps below.

Common Steps

  • Reload systemd and restart the cockpit service:
    # systemctl daemon-reload
    # systemctl restart cockpit
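The procedure above for both releases, as an added example that is not part of this article or of cockpit itself: a POSIX shell script that builds the priority string, writes the drop-in for the chosen release, and checks the resulting file before the service is restarted. Assumed for illustration: the function names, that paths are passed as arguments (so the helpers can be tried on a scratch directory), and that on Red Hat Enterprise Linux 8 the base string is read from the SYSTEM= line of /etc/crypto-policies/back-ends/gnutls.config instead of being pasted from the article.

```shell
#!/bin/sh
# Added example (not from the article or from cockpit): build the GnuTLS
# priority string and the cockpit.service drop-in for the RHEL 7 or RHEL 8
# method, then check the file before restarting the service.
# Assumptions for illustration: paths are function arguments (so the helpers
# can be tried on a scratch directory); on RHEL 8 the base string is read
# from the SYSTEM= line of /etc/crypto-policies/back-ends/gnutls.config.
set -eu

# build_priority BASE [VERSION...]
# Appends "-VERS-<version>" for every version named. SSL3.0 and TLS1.0 are
# always added: a priority string that omits them re-enables them, even
# though the system default leaves them off.
build_priority() {
    base=$1; shift
    out=$base
    for v in SSL3.0 TLS1.0 "$@"; do
        case ":$out:" in
            *":-VERS-$v:"*) ;;            # already disabled, do not duplicate
            *) out="$out:-VERS-$v" ;;
        esac
    done
    printf '%s\n' "$out"
}

# policy_base POLICY_FILE
# Prints the priority string from the SYSTEM= line of a GnuTLS policy file,
# so the cockpit-specific config starts from the active system policy.
policy_base() {
    sed -n 's/^SYSTEM=//p' "$1" | head -n 1
}

# rhel7_dropin DROPIN_DIR PRIORITY
# RHEL 7: cockpit takes the priority from G_TLS_GNUTLS_PRIORITY.
rhel7_dropin() {
    mkdir -p "$1"
    printf '[Service]\nEnvironment=G_TLS_GNUTLS_PRIORITY=%s\n' "$2" > "$1/ssl.conf"
}

# rhel8_dropin DROPIN_DIR CONFIG_FILE PRIORITY
# RHEL 8: G_TLS_GNUTLS_PRIORITY is ignored, so write a GnuTLS config file with
# a SYSTEM= line and point GNUTLS_SYSTEM_PRIORITY_FILE at it. override.conf is
# the file "systemctl edit cockpit.service" would create.
rhel8_dropin() {
    mkdir -p "$1" "$(dirname "$2")"
    printf 'SYSTEM=%s\n' "$3" > "$2"
    printf '[Service]\nEnvironment=GNUTLS_SYSTEM_PRIORITY_FILE=%s\n' "$2" > "$1/override.conf"
}

# priority_file_disables_legacy FILE
# Returns 0 only if the file's priority string disables SSL3.0, TLS1.0 and
# TLS1.1; run it before restarting so a typo does not silently re-enable them.
priority_file_disables_legacy() {
    for v in SSL3.0 TLS1.0 TLS1.1; do
        grep -q -- "-VERS-$v" "$1" || return 1
    done
}

main() {
    dropin=/etc/systemd/system/cockpit.service.d
    case "$1" in
        rhel7)
            rhel7_dropin "$dropin" "$(build_priority NORMAL TLS1.1)"
            priority_file_disables_legacy "$dropin/ssl.conf"
            ;;
        rhel8)
            base=$(policy_base /etc/crypto-policies/back-ends/gnutls.config)
            rhel8_dropin "$dropin" /etc/cockpit/gnutls.config \
                "$(build_priority "$base" TLS1.1)"
            priority_file_disables_legacy /etc/cockpit/gnutls.config
            ;;
        *)
            echo "usage: $0 rhel7|rhel8" >&2
            return 2
            ;;
    esac
    systemctl daemon-reload
    systemctl restart cockpit
}

# Runs only when a release is given, e.g. "sh cockpit-tls.sh rhel8".
[ $# -eq 0 ] || main "$@"
```

To require 128-bit and stronger ciphers on Red Hat Enterprise Linux 7 as described above, pass SECURE128 instead of NORMAL to build_priority; the version exclusions are appended unchanged.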

Diagnostic Steps

Prior to making the above changes, TLS v1.1 is enabled:

# echo test | openssl s_client -connect localhost:9090 -tls1_1 2>&1 | grep -e Protocol -e Cipher
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES256-SHA

After making these changes, test that TLS v1.1 is disabled: the handshake fails and openssl reports Cipher 0000:

# echo test | openssl s_client -connect localhost:9090 -tls1_1 2>&1 | grep -e Protocol -e Cipher
New, (NONE), Cipher is (NONE)
    Protocol  : TLSv1.1
    Cipher    : 0000

Test that TLS v1.2 is still enabled:

# echo test | openssl s_client -connect localhost:9090 -tls1_2 2>&1 | grep -e Protocol -e Cipher
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
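The checks above, as an added example that is not taken from the article or from cockpit: a POSIX shell script that runs the same openssl s_client probe for every legacy protocol version plus TLS 1.2, classifies each result from the Cipher line of the output, and returns a non-zero status when the policy is not in effect, so it can be run after the restart or from a configuration check. The function names and the HOST:PORT argument (the article uses localhost:9090) are assumptions.

```shell
#!/bin/sh
# Added example (not from the article or from cockpit): probe each protocol
# version the way the commands above do, classify the openssl output, and
# exit non-zero if a legacy version still handshakes or TLS 1.2 no longer does.
# Assumptions for illustration: the function names and the HOST:PORT argument.
set -u

# handshake_result
# Reads "openssl s_client" output on stdin and prints "enabled <cipher>" or
# "disabled". A failed handshake shows "Cipher    : 0000". A client build
# that lacks the requested version prints no Cipher line at all, which is
# also reported as disabled, so look for an unknown-option message in the
# raw output before trusting a "disabled" verdict for -ssl3.
handshake_result() {
    awk '
        /^ *Cipher *:/ { cipher = $NF }
        END {
            if (cipher == "" || cipher == "0000" || cipher == "(NONE)")
                print "disabled"
            else
                print "enabled " cipher
        }'
}

# probe_version HOST:PORT OPENSSL_VERSION_FLAG   (e.g. -tls1_1)
probe_version() {
    printf 'test\n' | openssl s_client -connect "$1" "$2" 2>&1 | handshake_result
}

# probe_cipher HOST:PORT OPENSSL_CIPHER_LIST
# Offers only the given OpenSSL cipher list over TLS 1.2, to see whether a
# cipher restriction such as SECURE128 rejects a weaker suite.
probe_cipher() {
    printf 'test\n' | openssl s_client -connect "$1" -tls1_2 -cipher "$2" 2>&1 | handshake_result
}

# check_server HOST:PORT
# Prints one line per probe; returns 0 only if SSL3.0, TLS1.0 and TLS1.1 are
# rejected and TLS1.2 is accepted. The cipher probe is informational.
check_server() {
    rc=0
    for flag in -ssl3 -tls1 -tls1_1; do
        r=$(probe_version "$1" "$flag")
        echo "$flag: $r"
        [ "$r" = disabled ] || rc=1
    done
    r=$(probe_version "$1" -tls1_2)
    echo "-tls1_2: $r"
    case "$r" in enabled*) ;; *) rc=1 ;; esac
    # 3DES (112-bit): expected to be refused once SECURE128 is in the string
    echo "-cipher DES-CBC3-SHA: $(probe_cipher "$1" DES-CBC3-SHA)"
    return $rc
}

# Runs only when a target is given, e.g. "sh cockpit-tls-check.sh localhost:9090".
[ $# -eq 0 ] || check_server "$1"
```

The exit status makes the script usable from a post-deployment check: a 0 means the legacy versions are refused and TLS 1.2 still negotiates, matching the three manual probes shown above.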

Reference: https://access.redhat.com/solutions/3881481