On 01/08/2016 02:24 PM, Christian Heimes wrote:
> On 2016-01-08 13:26, Martin Kosek wrote:
>> Hi Fraser and other X.509 SMEs,
>>
>> I wanted to check with you on what we have or plan to have with respect to
>> certificate/cipher strength in FreeIPA.
>>
>> When I visit the FreeIPA public demo, for example, I usually see the following
>> errors with recent browsers:
>>
>> * Your connection to ipa.demo1.freeipa.org is encrypted using an obsolete cipher
>> suite.
>> - The connection uses TLS 1.2
>> - The connection is encrypted using AES_128_CBC, with HMAC-SHA1 for message
>> authentication and RSA as the key exchange mechanism
>>
>> I usually do not see the common
>> * Certificate chain contains a certificate signed with SHA-1
>> error, but I am not sure if we are covered for this one.
>>
>>
>> When I tested the FreeIPA demo with
>> https://www.ssllabs.com/ssltest/analyze.html?d=ipa.demo1.freeipa.org
>> (and ignored the trust issues), we get the mark B with the following warnings:
>>
>> * This server accepts RC4 cipher, but only with older protocol versions. Grade
>> capped to B.
>>
>> * The server does not support Forward Secrecy with the reference browsers.
>>
>>
>> What do we miss to turn out Grade A, which is obviously something expected from
>> a security solution like FreeIPA? Is it just about ECC support
>> (https://fedorahosted.org/freeipa/ticket/3951) or also maybe some change to our
>> default certificate profiles?
>
> The cert has another issue. It relies on Subject CN for host name
> verification. This feature has been deprecated by RFC 2818 more than a
> decade ago. Instead of Subject CN, modern certs should use dNSName in the
> SubjectAltName x509v3 extension.
>
> https://fedorahosted.org/pki/ticket/1464
> https://github.com/shazow/urllib3/issues/497
Right. Fraser should have it in his queue already:
https://fedorahosted.org/freeipa/ticket/4970

Martin

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
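Added example, not code from the thread or from FreeIPA: a stdlib-only Python implementation of the RFC 2818 host name rule Christian refers to (dNSName SAN entries are authoritative whenever present, the Subject CN is consulted only as a deprecated fallback), run against constructed certificate descriptions rather than the real demo certificate. The names CertNames and verify_hostname are chosen here.

```python
"""RFC 2818 s3.1 host name checking with RFC 6125-style wildcard rules.
Certificate fields are passed in already parsed; the inputs below are
constructed for illustration and are not FreeIPA's actual certificates."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CertNames:
    """Identity fields of a certificate that matter for host name checks."""
    subject_cn: Optional[str]
    san_dnsnames: List[str] = field(default_factory=list)


def _dns_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-ID match. A single '*' may only stand for the whole
    leftmost label and never spans a dot: '*.example.com' matches
    'ipa.example.com' but not 'a.b.example.com', 'example.com' or '*.com'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject partial-label wildcards (f*.com), extra wildcards and TLD wildcards.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[2:]:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def verify_hostname(cert: CertNames, hostname: str) -> Tuple[bool, str]:
    """Return (matched, reason). If any dNSName SAN is present it MUST be used
    as the identity and the CN is ignored; only a certificate with no dNSName
    at all falls back to the Subject CN, which is flagged as deprecated so an
    audit can spot CN-only certificates like the one discussed above."""
    if cert.san_dnsnames:
        if any(_dns_match(name, hostname) for name in cert.san_dnsnames):
            return True, "matched SubjectAltName dNSName"
        return False, "no SubjectAltName dNSName matched (Subject CN ignored because SAN present)"
    if cert.subject_cn is not None and _dns_match(cert.subject_cn, hostname):
        return True, "DEPRECATED: matched Subject CN only; certificate lacks a dNSName SAN"
    return False, "no dNSName SAN and Subject CN does not match"


if __name__ == "__main__":
    # Constructed certificate descriptions (not the real demo certificate).
    cn_only = CertNames(subject_cn="ipa.demo1.freeipa.org")
    san_cert = CertNames(subject_cn="ipa.demo1.freeipa.org",
                         san_dnsnames=["ipa.demo1.freeipa.org", "*.demo1.freeipa.org"])
    for cert, host in [(cn_only, "ipa.demo1.freeipa.org"), (san_cert, "kdc.demo1.freeipa.org")]:
        print(host, verify_hostname(cert, host))
```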