Force TLS 1.2 system wide for all applications?
The organization I work for has lots of servers that run Linux.
We have recently been tasked with ensuring TLS 1.2 is used for all outbound connections for all our apps, regardless of the development platform our apps are written in, which varies quite a bit (Ruby/Node/Java/PHP)
Is there a way at the system level to force everything to use TLS 1.2?
linux security openssl ssl
edited Jan 31 at 17:15
Jeff Schaller
asked Jan 31 at 17:10
Brad Parks
I'm tempted to say "no", barring a search & fix mission to find every installed instance of an SSL app/library. 3rd-party apps may bring their own copies of OpenSSL.
– Jeff Schaller
Jan 31 at 17:16
Yeah, it seems like everything I read on this suggests doing it on an app-by-app basis, and pretty much implied that it had to be done that way. I thought I'd ask to make sure we're not missing it at some higher level. Thanks!
– Brad Parks
Jan 31 at 17:19
You may want some sort of network analysis tool so you can at least detect when something is using unacceptable TLS (Wireshark and filtering on "ssl" would be a slow way...)
– thrig
Jan 31 at 17:58
TLS can appear where you least expect it, including in RADIUS servers... do not forget the web servers too.
– Rui F Ribeiro
Jan 31 at 18:12
Why not IPSec your whole LAN?
– Neil McGuigan
Feb 22 at 19:24
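As an added example (not code from this thread or any of its posters), here is one way to do the detection thrig suggests and the audit the accepted answer calls for: parse each outbound TLS ClientHello record and flag any client whose highest offered version is below TLS 1.2, which catches apps and bundled libraries that no per-platform setting reaches. The `build_client_hello` helper and the handshakes it produces are constructed here for illustration, not captured from real hosts.

```python
import struct

TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1",
                0x0303: "TLS1.2", 0x0304: "TLS1.3"}
MIN_OK = 0x0303  # policy floor from the question: TLS 1.2


def client_max_version(record: bytes) -> int:
    """Highest version offered in a TLS ClientHello record; ValueError if not one.
    TLS 1.3 clients pin client_version to 0x0303 and put the real offer in the
    supported_versions extension (0x002b), so that extension is parsed too."""
    if len(record) < 9 or record[0] != 0x16:          # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:                       # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    pos = 4                                           # skip type(1) + length(3)
    best = struct.unpack("!H", hs[pos:pos + 2])[0]    # legacy client_version
    pos += 2 + 32                                     # version + random
    pos += 1 + hs[pos]                                # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + hs[pos]                                # compression_methods
    if pos + 2 <= len(hs):                            # extensions are optional
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0x002B:                       # supported_versions
                lst = hs[pos + 1:pos + 1 + hs[pos]]   # 1-byte length, then u16 list
                for i in range(0, len(lst) - 1, 2):
                    v = struct.unpack("!H", lst[i:i + 2])[0]
                    if v in TLS_VERSIONS:             # skips GREASE placeholders
                        best = max(best, v)
            pos += elen
    return best


def build_client_hello(version: int, supported=()) -> bytes:
    """Constructed minimal ClientHello (one cipher suite) for exercising the parser."""
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"  # version, random, empty sid
    body += b"\x00\x02\x13\x01" + b"\x01\x00"                   # 1 suite, null compression
    ext = b""
    if supported:
        lst = b"".join(struct.pack("!H", v) for v in supported)
        ext = struct.pack("!HH", 0x002B, len(lst) + 1) + bytes([len(lst)]) + lst
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def audit(record: bytes) -> str:
    """'OK <ver>' or 'WEAK <ver>' for one captured ClientHello record."""
    v = client_max_version(record)
    return ("OK " if v >= MIN_OK else "WEAK ") + TLS_VERSIONS.get(v, hex(v))
```

Run `audit` over each outbound ClientHello record pulled from a capture; a `WEAK` result names a source host and port that still needs per-app fixing.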
2 Answers
accepted
System wide? No, because there is no centralised TLS configuration on Linux (intentionally), and on top of that you probably have at least two TLS implementations on each system (OpenSSL or LibreSSL for certain, and most likely GnuTLS as well).
Auditing everything is unfortunately the only real option here. However, once you've audited things for a given development platform, it should become really easy to check other applications on that platform (because you now know what a working connection setup sequence looks like).
edited Jan 31 at 21:04
Jeff Schaller
answered Jan 31 at 20:49
Austin Hemmelgarn
And maybe NSS. And maybe Java (and maybe BC). And ...?
– dave_thompson_085
Feb 1 at 2:25
@dave_thompson_085 Actually, probably NSS, as that's what RPM uses. Beyond that you also potentially have axTLS, mbedTLS (previously PolarSSL), Bouncy Castle (which I've not seen much use of myself), JSSE (Java's 'official' implementation), and the Erlang/OTP implementation.
– Austin Hemmelgarn
Feb 1 at 15:37
Considering a particular connection to a specific service, you could probably set up something to ensure anything below TLSv1.2 is rejected.
But you can't do this on a system-wide level. It just does not apply in generic systems (desktops, servers, etc.). Each piece of code that connects to a TLS service can use one of several shared libraries on the system, can use its own shared library, can use statically linked or compiled-in code, etc.
However if you are also tasked with ensuring that your servers will only accept TLSv1.2 connections, then you can certainly do that since you control all your service endpoints - normally web servers:
- https://mozilla.github.io/server-side-tls/ssl-config-generator/
answered Feb 19 at 17:48
Pedro