Linux – How to globally disable protocols < TLS 1.2 at openssl library level

configurationlinuxopensslssl

I've been asked to disable the use of all SSL, and TLS < TLS 1.2, globally on one of my Centos boxes. Its been suggested that I should be able to do this in the openssl library.

I'm reasonably familiar with SSL/TLS, ciphersuites, etc, but I can't see how to do this in openssl.cnf. The documentation I find is clear on how to do this for Apache, or how to limit available protocol version within an application, but that's not what I'm after. I'm not running a web server.

Short of modifying the source to filter ciphersuites and protocols, then rebuilding, is there a way to do this?

Best Answer

MinProtocol in the config file is relatively new to OpenSSL, I think 1.1.1.

However, TLS is messier than that, this isn't an easy answer. OpenSSL MinProtocol only is available to relatively new distro versions like EL8. The application may use the API in a way that does not use openssl.cnf, possibly using its own configuration. Or use a different TLS like gnutls or NSS.

It still is a good idea to read the documentation, maybe the source code, of the software you use for any TLS related configuration. Web servers historically exposed more of the protocol configuration. But they are not the only software where TLS is more fine grained than on and off.

Then test if lesser TLS can be negotiated, during a packet capture. Tools exist to help with this.

Example

Define a custom log_format in the http context (e.g. /etc/nginx/nginx.conf):

log_format combined_ssl '$remote_addr - $remote_user [$time_local] '
                        '$ssl_protocol/$ssl_cipher '
                        '"$request" $status $body_bytes_sent '
                        '"$http_referer" "$http_user_agent"';

The above is based on the default combined format with an additional '$ssl_protocol/$ssl_cipher ' line.

Then add in a server context (with SSL enabled) the access_log directive with the custom log format:

server {
  listen 443;
  ssl on;
  access_log /var/log/nginx/access.log combined_ssl;
  [...]
}

After restarting nginx, logs appear like:

10.1.2.3 - - [13/Aug/2014:12:34:56 +0200] TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256 "GET / HTTP/1.1" 200 1234 "-" "User agent bla"

Nginx – Why is Internet Explorer 11 unable to connect to HTTPS sites when TLS 1.2 is enabled

Do you also have SSL 2.0 enabled?

According to http://support.microsoft.com/en-us/kb/2851628 "SSL 2.0 and TLS 1.2 are not compatible with each other in Windows 7 and later operating systems. To use client-side certificates to establish an HTTPS connection over TLS 1.2, you must disable SSL 2.0".

Best Answer

Related Solutions

nginx security logging tls ssl – Log Used SSL/TLS Protocol and Ciphersuite in nginx

Example

Nginx – Why is Internet Explorer 11 unable to connect to HTTPS sites when TLS 1.2 is enabled

Related Topic