Enable TLS1.2 on Cockpit Server

TLS Version 1.1 Protocol Deprecated (157288)

Your security team has just informed you that TLS Version 1.1 Protocol Deprecated (157288) was found on your cockpit server on port 9090. What do you do? In this article, we will explore how to mitigate this Tenable finding.

Table of Contents


In today’s world, securing our online communication and protecting sensitive information has become a necessity. One of the most critical components of securing communication is Transport Layer Security (TLS), which is the successor to the Secure Sockets Layer (SSL) protocol. In this article, we will discuss how to enable TLS1.2 on a RHEL7/CentOS7 Cockpit server.

Brief History

SSL was initially developed by Netscape in the mid-1990s as a way to secure online transactions. However, it was eventually found to have several vulnerabilities, leading to the development of TLS as its successor. The latest version of TLS is TLS1.3, but we will focus on enabling TLS1.2 in this article.

What is SSL/TLS?

SSL/TLS is a protocol used for encrypting and securing data communication over the internet. It provides a secure channel between two communicating endpoints, ensuring that the data exchanged between them is confidential and tamper-proof.

What is Secure Renegotiation?

Secure Renegotiation is a feature in TLS that allows two parties to renegotiate the encryption keys without revealing the plain-text data being transmitted. This feature is designed to prevent attackers from intercepting and tampering with the data being exchanged during the renegotiation process.

Introducing Tenable Plugin: TLS Version 1.1 Protocol Deprecated (157288)

This finding indicates that a remote service on your machine is accepting connections encrypted using TLS1.1.

TLS Version 1.1 Protocol Deprecated (157288)

Procedure for Enabling TLS1.2

Step 1: Install OpenSSL package

Before we can enable TLS1.2, we need to make sure that OpenSSL is installed on our server. To do this, we can run the following command:

					$ sudo yum install openssl -y

Step 2: Create directory

Next, create the /etc/systemd/system/cockpit.service.d directory with the following command:

					$ sudo mkdir -p /etc/systemd/system/cockpit.service.d

Step 3: Create ssl.conf file

Using your favorite text editor or vim, open a file called ssl.conf under the /etc/systemd/system/cockpit.service.d directory.

					$ sudo vim /etc/systemd/system/cockpit.service.d/ssl.conf

Step 4: Populate the ssl.conf

Copy and paste the following entries to the ssl.conf file. This will ensure that only the TLS1.2 protocol is enabled by eliminating all the others version.



The Breakdown

[Service]: This is a section header in a systemd unit file that defines a new service or modifies an existing one.

Environment: This option sets environment variables for the service.

G_TLS_GNUTLS_PRIORITY: This is an environment variable that sets the priority list of SSL/TLS protocols and ciphersuites used by the GnuTLS library.

SECURE128:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1: This is the value of the G_TLS_GNUTLS_PRIORITY environment variable. It specifies the SSL/TLS protocol versions to use and their preferred order, as well as any versions to exclude.

  • SECURE128 specifies that SSL/TLS connections should use only strong ciphersuites that provide at least 128-bit encryption.
  • :-VERS-SSL3.0 specifies that SSLv3.0 should not be used.
  • :-VERS-TLS1.0 specifies that TLS1.0 should not be used.
  • :-VERS-TLS1.1 specifies that TLS1.1 should not be used.

Overall, these entries configure the GnuTLS library to use only strong SSL/TLS ciphersuites with at least 128-bit encryption, and to exclude SSLv3.0, TLS1.0, and TLS1.1 from the list of supported protocols. This helps to ensure that your Cockpit server is using TLS version 1.2 and strong ciphersuites.

Step 5: Restart Cockpit Service

In order to implement the ssl.conf file, it is essential to execute a daemon-reload and restart the cockpit service.

					$ sudo systemctl daemon-reload; sudo systemctl restart cockpit

Step 6: Verify Changes

After enabling TLS1.2 on your RHEL7/CentOS7 Cockpit server and updating the configuration file, you need to verify that the new protocol is indeed being used.

To verify that TLS1.2 is enabled and in use, you can use the OpenSSL tool by running the following command:

					$ openssl s_client -connect localhost:9090 -tls1_2

This command initiates a TLS1.2 connection to your Cockpit server on port 9090 and displays detailed information about the SSL/TLS certificate and the connection parameters.

Additionally, you can also verify the SSL/TLS version used in your web browser when accessing the Cockpit web interface. Simply click on the padlock icon in the browser’s address bar, and you should see the version of SSL/TLS used for the connection.

Step 7: Launch Remediation Scan

By verifying that TLS1.2 is enabled and in use, you can ensure that your Cockpit server is using a secure version of the TLS protocol. Finally, launch a remediation scan in Tenable and confirm the finding has been mitigated.

TLS Version 1.1 Protocol Deprecated (157288)

Congratulations! You have successfully enabled TLS1.2 on your RHEL7/CentOS7 Cockpit server.


We have reviewed how to enable TLS1.2 on a RHEL7/CentOS7 Cockpit server. By following the steps outlined in this article, you can ensure that your server is using the latest and most secure version of the TLS protocol, providing a secure channel for your online communication.

Remember to keep your SSL/TLS certificate up-to-date and verify its validity to ensure that it’s trusted by your clients. Was this article helpful to you? If so, leave us a comment below and share!

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *