ThinLinc uses GnuTLS for Web Access and Web Admin. By default, it allows TLS versions 1.0, 1.1, 1.2 and 1.3:
https://www.cendio.com/resources/docs/tag/gnutls-priorities-standard.html
In some cases you might want to harden your configuration by, for example, only allowing TLS 1.2 and TLS 1.3. This can be achieved by modifying the ThinLinc configuration. The relevant parameters are /webaccess/gnutls_priority (Web Access) and /tlwebadm/gnutls_priority (Web Admin), and all protocol versions apart from TLS 1.2 and TLS 1.3 can be removed like this:
$ sudo tl-config /webaccess/gnutls_priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
$ sudo tl-config /tlwebadm/gnutls_priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
$ sudo systemctl restart tlwebaccess.service tlwebadm.service
The change can then be verified, for example for Web Access, by using nmap like this:
$ nmap --script ssl-enum-ciphers -p 300 <hostname_of_thinlinc_server>
And for Web Admin:
$ nmap --script ssl-enum-ciphers -p 1010 <hostname_of_thinlinc_server>
Below is example output when only TLS 1.2 and TLS 1.3 are allowed:
Starting Nmap 7.95 ( https://nmap.org ) at 2024-07-12 13:37 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000078s latency).
Other addresses for localhost (not scanned): ::1
PORT STATE SERVICE
300/tcp open unknown
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CCM (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CCM (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
| TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CCM (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CCM (rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| compressors:
| NULL
| cipher preference: client
| TLSv1.3:
| ciphers:
| TLS_AKE_WITH_AES_128_CCM_SHA256 (secp256r1) - A
| TLS_AKE_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_AKE_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
| cipher preference: client
|_ least strength: A
Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds
Note that ThinLinc will always prefer the most secure version of TLS when there is a choice.
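As an added example (not part of the article or of ThinLinc), the following script models the version-selecting keywords of a GnuTLS priority string and compares the result against the protocol headings in ssl-enum-ciphers output, so the expected and observed version sets can be checked automatically. It assumes that NORMAL enables exactly the four versions listed above, ignores non-version keywords, and uses a constructed, abbreviated nmap excerpt as input.

```python
import re
# Simplified model of the GnuTLS priority keywords that select protocol versions.
# Assumed: NORMAL enables the four versions the article lists; DTLS/SSLv3 are not modelled.
TLS_VERSIONS = {"TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"}
NMAP_VERSION_RE = re.compile(r"^\|\s+(TLSv1\.\d|SSLv3):$")

def enabled_versions(priority: str) -> set:
    """Return the TLS versions a priority string leaves enabled."""
    base, *modifiers = priority.split(":")
    if base != "NORMAL":
        raise ValueError(f"base keyword {base!r} is not modelled here")
    enabled = set(TLS_VERSIONS)
    for keyword in modifiers:
        op, name = keyword[0], keyword[1:]
        if not name.startswith("VERS-"):
            continue  # cipher, MAC or key-exchange keyword: no effect on versions
        target = name[len("VERS-"):]
        if target in ("ALL", "TLS-ALL"):
            selected = set(TLS_VERSIONS)
        elif target in TLS_VERSIONS:
            selected = {target}
        else:
            raise ValueError(f"unknown version keyword {keyword!r}")
        if op == "+":
            enabled |= selected
        elif op in "-!":  # both '-' and '!' remove in GnuTLS priority strings
            enabled -= selected
    return enabled

def offered_versions(nmap_output: str) -> set:
    """Collect the protocol headings (TLSv1.2:, TLSv1.3:, ...) nmap printed."""
    found = set()
    for line in nmap_output.splitlines():
        match = NMAP_VERSION_RE.match(line.rstrip())
        if match:
            found.add(match.group(1).replace("TLSv", "TLS"))
    return found

def check(priority: str, nmap_output: str) -> dict:
    # Versions nmap saw that the string should forbid, and versions it should offer but did not
    expected, observed = enabled_versions(priority), offered_versions(nmap_output)
    return {"unexpected": observed - expected, "missing": expected - observed}

# Constructed, abbreviated ssl-enum-ciphers output for a hardened Web Access port
SAMPLE_NMAP = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|   TLSv1.3:
|_  least strength: A
"""
```

Running check() with the hardened priority string from the article against SAMPLE_NMAP returns empty sets for both keys; with the default NORMAL it reports TLS 1.0 and TLS 1.1 as missing, which is the expected sign that the scanned server is not running the default configuration.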