On 2016-01-08 13:26, Martin Kosek wrote: > Hi Fraser and other X.509 SMEs, > > I wanted to check with you on what we have or plan to have with respect to > certificate/cipher strength in FreeIPA. > > When I visit the FreeIPA public demo for example, I usually see following > errors with recent browsers: > > * Your connection to ipa.demo1.freeipa.org is encrypted using obsolete cypher > suite. > - The connection uses TLS 1.2 > - The connection is encrypted ising AES_128_CBC, with HMAC-SHA1 for message > authentication and RSA as the key exchange mechanism > > I usually do not see the common > * Certificate chain contains a certificate signed with SHA-1 > error, but I am not sure if we are covered for this one. > > > When I tested the FreeIPA demo with > https://www.ssllabs.com/ssltest/analyze.html?d=ipa.demo1.freeipa.org > (and ignore the trust issues), we get the mark B with following warnings: > > * This server accepts RC4 cipher, but only with older protocol versions. Grade > capped to B. > > * The server does not support Forward Secrecy with the reference browsers. > > > What do we miss to turn out Grade A, which is obviously something expected > from > security solution like FreeIPA? Is it just about ECC support > (https://fedorahosted.org/freeipa/ticket/3951) or also maybe some change to > our > default certificate profiles?
The cert has another issue. It relies on Subject CN for host name verification. This feature has been deprecated by RFC 2818 more than a decade ago. Instead of Subject CN modern certs should use dNSName in SubjectAltName x509v3 extension. https://fedorahosted.org/pki/ticket/1464 https://github.com/shazow/urllib3/issues/497 Christian
Description: OpenPGP digital signature
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code