Configure TLS cipher suites from client side
Hi everyone,
I was wondering how to configure specific TLS cipher suites to be offered by my CentOS system from the client side, restricting them to the ones I have chosen.
Thank you.
Re: Configure TLS cipher suites from client side
What CentOS version?
Which specific protocol/daemon are you asking about? httpd? nginx? sshd? something else?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: Configure TLS cipher suites from client side
System version is CentOS Stream 9. I want to restrict the cipher suites at system level.
NOTE: I want to restrict the cipher suites used from the client side.
Re: Configure TLS cipher suites from client side
`man update-crypto-policies` may help
Re: Configure TLS cipher suites from client side
If you set a restrictive server-side configuration, the client is forced to use
Re: Configure TLS cipher suites from client side
Hi all,
I need to restrict the cipher suites from client side because I don't have access to server's configuration.
I already used update-crypto-policies command, but my system is still offering 31 cipher suites in Client Hello.
Re: Configure TLS cipher suites from client side
/etc/crypto-policies/back-ends/openssh.config
Re: Configure TLS cipher suites from client side
What is "Client Hello"?
The man update-crypto-policies lists these back-ends:
• GnuTLS library (GnuTLS, SSL, TLS)
• OpenSSL library (OpenSSL, SSL, TLS)
• NSS library (NSS, SSL, TLS)
• OpenJDK (java-tls, SSL, TLS)
• Libkrb5 (krb5, kerberos)
• BIND (BIND, DNSSec)
• OpenSSH (OpenSSH, SSH)
• Libreswan (libreswan, IKE, IPSec)
• libssh (libssh, SSH)
Does the "Client Hello" use one of these? If not, then you have to configure it in whatever way it is configured.
Note though that if the user can supply config for the client -- for example user of 'ssh' can do so -- then your system config is a mere default and not a strict restriction.
Re: Configure TLS cipher suites from client side
With "Client Hello" I meant Client Hello from TLS Handshake. I tried modifying every backend and it doesn't seem to work, my system is still offering 31 cipher suites.
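Added example, not part of any post in this thread: a small parser that reads the cipher suite list out of a raw ClientHello record, so the number a client actually offers can be checked from a capture after a policy change. The function names and the sample record are constructed for illustration, and the ClientHello is assumed to fit in a single TLS record.

```python
import struct

# Values that appear in cipher_suites but are signalling, not ciphers.
SCSV = {0x00FF, 0x5600}  # EMPTY_RENEGOTIATION_INFO_SCSV, FALLBACK_SCSV

def is_grease(s):
    # RFC 8701 reserved values 0x0A0A, 0x1A1A, ..., 0xFAFA
    return (s & 0x0F0F) == 0x0A0A and (s >> 8) == (s & 0xFF)

def offered_suites(record: bytes):
    """Return the cipher suite IDs listed in one raw TLS ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(body) < 39 or body[0] != 0x01:
        raise ValueError("not a complete ClientHello")
    pos = 4 + 2 + 32            # handshake header, client_version, random
    pos += 1 + body[pos]        # skip session_id
    if pos + 2 > len(body):
        raise ValueError("truncated before cipher_suites")
    (n,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if n % 2 or pos + n > len(body):
        raise ValueError("bad cipher_suites length")
    return list(struct.unpack_from("!%dH" % (n // 2), body, pos))

def summarize(record: bytes):
    """Split the raw list into real ciphers and the TLS 1.3 subset (0x1301-0x1305)."""
    suites = offered_suites(record)
    real = [s for s in suites if s not in SCSV and not is_grease(s)]
    return {"listed": len(suites), "ciphers": real,
            "tls13": [s for s in real if 0x1301 <= s <= 0x1305]}

def build_sample(suites):
    """Constructed ClientHello without extensions, used only as sample input."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (b"\x03\x03" + bytes(32) + b"\x00" +
             struct.pack("!H", len(cs)) + cs + b"\x01\x00")
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    sample = build_sample([0x2A2A, 0x1302, 0x1301, 0xC02F, 0xC030, 0x00FF])
    info = summarize(sample)
    print(info["listed"], "listed;", [hex(s) for s in info["ciphers"]])
```

For a real capture, pass `bytes.fromhex(...)` of the exported record to `summarize`; the raw count can be higher than the number of ciphers because of SCSV and GREASE entries.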
Re: Configure TLS cipher suites from client side
So back to the question I asked first of all, which service are you trying to change?