Configure TLS cipher suites from client side

IsmaRG
Posts: 4
Joined: 2024/01/08 12:05:13

Configure TLS cipher suites from client side

Post by IsmaRG » 2024/01/08 12:08:39

Hi everyone,

I was wondering how to configure specific TLS cipher suites to be offered by my CentOS system from the client side, restricting them to the ones I have chosen.

Thank you.

TrevorH
Site Admin
Posts: 33221
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Configure TLS cipher suites from client side

Post by TrevorH » 2024/01/08 12:34:04

What CentOS version?
Which specific protocol/daemon are you asking about? httpd? nginx? sshd? something else?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

IsmaRG
Posts: 4
Joined: 2024/01/08 12:05:13

Re: Configure TLS cipher suites from client side

Post by IsmaRG » 2024/01/08 12:43:58

System version is CentOS Stream 9. I want to restrict the cipher suites at system level.

NOTE: I want to restrict the cipher suites used from the client side.

TrevorH
Site Admin
Posts: 33221
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Configure TLS cipher suites from client side

Post by TrevorH » 2024/01/08 12:58:53

`man update-crypto-policies` may help

BShT
Posts: 585
Joined: 2019/10/09 12:31:40

Re: Configure TLS cipher suites from client side

Post by BShT » 2024/01/08 13:48:18

If you set a restrictive server-side configuration, the client is forced to use

IsmaRG
Posts: 4
Joined: 2024/01/08 12:05:13

Re: Configure TLS cipher suites from client side

Post by IsmaRG » 2024/01/08 14:25:16

Hi all,

I need to restrict the cipher suites from the client side because I don't have access to the server's configuration.

I already used update-crypto-policies command, but my system is still offering 31 cipher suites in Client Hello.

BShT
Posts: 585
Joined: 2019/10/09 12:31:40

Re: Configure TLS cipher suites from client side

Post by BShT » 2024/01/08 14:29:19

`/etc/crypto-policies/back-ends/openssh.config`

jlehtone
Posts: 4532
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Configure TLS cipher suites from client side

Post by jlehtone » 2024/01/08 14:32:04

IsmaRG wrote:
2024/01/08 14:25:16
31 cipher suites in Client Hello.
What is "Client Hello"?

`man update-crypto-policies` lists these back-ends:
• GnuTLS library (GnuTLS, SSL, TLS)
• OpenSSL library (OpenSSL, SSL, TLS)
• NSS library (NSS, SSL, TLS)
• OpenJDK (java-tls, SSL, TLS)
• Libkrb5 (krb5, kerberos)
• BIND (BIND, DNSSec)
• OpenSSH (OpenSSH, SSH)
• Libreswan (libreswan, IKE, IPSec)
• libssh (libssh, SSH)

Does the "Client Hello" use one of these? If not, then you have to configure it in whatever way it is configured.

Note though that if the user can supply config for the client -- for example user of 'ssh' can do so -- then your system config is a mere default and not a strict restriction.

IsmaRG
Posts: 4
Joined: 2024/01/08 12:05:13

Re: Configure TLS cipher suites from client side

Post by IsmaRG » 2024/01/08 16:42:38

With "Client Hello" I meant the Client Hello from the TLS handshake. I tried modifying every backend, and it doesn't seem to work; my system is still offering 31 cipher suites.
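Since the thread never settles what the client actually sends, here is an added example (not code from any poster) that parses the cipher_suites vector out of a raw TLS ClientHello record, the first bytes a TLS client sends, and lists the suites that fall outside an intended allow-list; the sample ClientHello and the ALLOWED set are constructed for the example.

```python
import struct

# IANA cipher suite codes -> names (subset; unknown codes are shown as hex)
SUITE_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

# Assumed target policy: the suites the administrator intends the client to offer.
ALLOWED = {0x1301, 0x1302, 0x1303, 0xC02B, 0xC02C, 0xC02F, 0xC030}

def build_client_hello(suites):
    """Construct a minimal TLS 1.2 ClientHello record (constructed fixture)."""
    body = b"\x03\x03" + bytes(32)                      # client_version, random
    body += b"\x00"                                      # empty session_id
    body += struct.pack("!H", 2 * len(suites))           # cipher_suites length
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                  # compression_methods: null
    body += b"\x00\x00"                                  # extensions: none
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def offered_suites(record):
    """Return the cipher suite codes in a raw ClientHello record, in offer order."""
    if len(record) < 45 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32            # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]          # skip session_id
    (n,) = struct.unpack_from("!H", record, pos)
    pos += 2
    return [struct.unpack_from("!H", record, pos + i)[0] for i in range(0, n, 2)]

def policy_violations(record, allowed=ALLOWED):
    """Names of suites the client offers that the intended policy does not allow."""
    return [SUITE_NAMES.get(s, f"0x{s:04X}") for s in offered_suites(record)
            if s not in allowed]

# Constructed sample: a client that still offers two legacy RSA suites
SAMPLE_HELLO = build_client_hello([0x1301, 0x1302, 0xC02F, 0x002F, 0x000A])
```

On a live system the record is the first TCP payload of the connection (for example from a packet capture); passing those bytes to `offered_suites` shows whether the policy change actually took effect for that particular client program.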

TrevorH
Site Admin
Posts: 33221
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Configure TLS cipher suites from client side

Post by TrevorH » 2024/01/08 18:05:58

So back to the question I asked first of all, which service are you trying to change?