Hi All,
How do we disable TLS 1.0 and TLS 1.1 in Proxmox 3 and Proxmox 4?
It is a growing security risk; let us know where we can alter this.
Which attack isn't mitigated in our TLS 1.X usage?
AFAIK, all currently known attack vectors on TLS 1.0, 1.1 aren't universal but may be just used if specific settings are used.
Downgrade to a now insecure protocol (SSLv2/v3) cannot be done.
TLS compression is disabled, so vectors using it are made unusable.
Certificate Pinning is done since 4.3-11, which makes man-in-the-middle attacks way harder.
And if current clients are used, TLSv1.2 will be used one way or the other.
But, yes we can probably disable TLSv1 and even TLSv1.1 (all clients which support v1.1 support v1.2 too, AFAIS) in the near future.
To not accept TLSv1 and TLSv1.1, while still supporting TLSv1.3 once it is included as stable in openssl, add this to the "/etc/default/pveproxy" file:
Code:
CIPHERS="HIGH:!TLSv1:!SSLv3:!aNULL:!MD5"
and restart pveproxy.
Check with:
if it was applied (sslscan isn't installed by default; on Debian do `apt install sslscan`).
BTW, we strongly suggest upgrading to a newer version, as running an EOL version is also a big security risk, more so than TLSv1.
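An added check (not from the thread or from Proxmox) to see which TLS versions pveproxy still completes a handshake for after the CIPHERS change; it assumes openssl is installed where you run it and that the web UI listens on the default port 8006:

```shell
#!/bin/sh
# Added example: probe a pveproxy endpoint with openssl s_client, one
# protocol version at a time, and report accepted / rejected per version.
# Assumes OpenSSL's s_client wording ("Cipher is ...") and port 8006.

# Classify one s_client transcript. Kept as a pure function so it can be
# exercised offline on constructed output.
classify_handshake() {
    case "$1" in
        *"no protocols available"*)
            # The local openssl refused to even offer this version (e.g. OpenSSL 3
            # security level forbids TLS 1.0/1.1); this says nothing about the server.
            echo "client-refused" ;;
        *"Cipher is (NONE)"*|*"handshake failure"*|*"wrong version number"*|\
        *"unsupported protocol"*|*"alert protocol version"*)
            echo "rejected" ;;
        *"Cipher is "*)
            echo "accepted" ;;
        *)
            echo "unknown" ;;
    esac
}

# Attempt one handshake against host:port with the given s_client version flag.
probe_version() {
    host=$1
    port=$2
    flag=$3
    out=$(openssl s_client -connect "$host:$port" -servername "$host" "$flag" 2>&1 </dev/null)
    classify_handshake "$out"
}

# Print a verdict for each TLS version pveproxy might still negotiate.
tls_report() {
    host=${1:?usage: tls_report HOST [PORT]}
    port=${2:-8006}
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        printf '%-8s %s\n' "$v" "$(probe_version "$host" "$port" "-$v")"
    done
}

# Usage: sh tls_report.sh pve.example.com 8006   (hostname is a placeholder)
if [ -n "${1-}" ]; then
    tls_report "$@"
fi
```

After the config change and a pveproxy restart, tls1 and tls1_1 should read "rejected" while tls1_2 reads "accepted"; a "client-refused" line means your local openssl, not the server, declined that version.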