Cockpit ciphersuite problems

[SixArt46]

Hi,

I want to disable the following ciphersuites for cockpit:
• TLS_RSA_WITH_AES_128_CBC_SHA
• TLS_RSA_WITH_AES_128_CCM
• TLS_RSA_WITH_AES_128_GCM_SHA256
• TLS_RSA_WITH_AES_256_CBC_SHA
• TLS_RSA_WITH_AES_256_CCM
• TLS_RSA_WITH_AES_256_GCM_SHA384

I have configured cockpit on port 19090 but I can't find a way to disable the ciphers. Cockpit is installed on Ubuntu 20.04.

Regards,
Dario

[martinpitt]

I assume you are talking about Cockpit's web server here. There's no special configuration for that, but you should be able to create a global gnutls config file with disabling ciphers.

If you want a cockpit specific config file, you can systemctl edit cockpit to set the
GNUTLS_SYSTEM_PRIORITY_FILE environment to another file.

(Untested)

[SixArt46]

Yes, cockpit's web server.

I create file /etc/ssl/certs/custom-gnutls-priorities with this string: NONE:+VERS-TLS1.3:%PROFILE_MEDIUM

I modified the service by adding the environment: Environment=GNUTLS_SYSTEM_PRIORITY_FILE=/etc/ssl/certs/custom-gnutls-priorities, I reloaded and restarted the service but with nmap I still see the tls1.2 ciphers.