https://fedorahosted.org/freeipa/ticket/5684
patch attached
From 5eca2364df5d0723c5f87de02d53db3e943ed2c0 Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Thu, 3 Mar 2016 17:39:34 +0100
Subject: [PATCH] Configure 389ds with "default" cipher suite

nsSSLCiphers: "default" provides only secure ciphers that should be used when connecting to DS

https://fedorahosted.org/freeipa/ticket/5684
---
 install/updates/20-sslciphers.update | 2 +-
 ipaserver/install/dsinstance.py | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/install/updates/20-sslciphers.update b/install/updates/20-sslciphers.update
index b0c952f498bc89568029f1d01eaded4db1371c76..62e34a501331fcb5cf244a7858ec281c78abbf43 100644
--- a/install/updates/20-sslciphers.update
+++ b/install/updates/20-sslciphers.update
@@ -2,5 +2,5 @@
 # the result of this update will be that all ciphers
 # provided by NSS which ar not weak will be enabled
 dn: cn=encryption,cn=config
-only:nsSSL3Ciphers: +all
+only:nsSSL3Ciphers: default
 addifnew:allowWeakCipher: off
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 0c54b01da7687d5812790518a2b8e00256001e5e..741dda91f3ceb6b4aff3419790f746d69adf5e16 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -777,7 +777,7 @@ class DsInstance(service.Service):
         conn.do_simple_bind(DN(('cn', 'directory manager')), self.dm_password)
 
         mod = [(ldap.MOD_REPLACE, "nsSSLClientAuth", "allowed"),
-               (ldap.MOD_REPLACE, "nsSSL3Ciphers", "+all"),
+               (ldap.MOD_REPLACE, "nsSSL3Ciphers", "default"),
                (ldap.MOD_REPLACE, "allowWeakCipher", "off")]
         conn.modify_s(DN(('cn', 'encryption'), ('cn', 'config')), mod)
 
@@ -1240,7 +1240,7 @@ class DsInstance(service.Service):
         conn.do_external_bind('root')
 
         mod = [(ldap.MOD_REPLACE, "nsSSLClientAuth", "allowed"),
-               (ldap.MOD_REPLACE, "nsSSL3Ciphers", "+all"),
+               (ldap.MOD_REPLACE, "nsSSL3Ciphers", "default"),
                (ldap.MOD_REPLACE, "allowWeakCipher", "off")]
         conn.modify_s(DN(('cn', 'encryption'), ('cn', 'config')), mod)
 
-- 
2.5.0
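Review bot: The two comment lines above `dn: cn=encryption,cn=config` in the 20-sslciphers.update hunk still describe the old `+all` behaviour ("all ciphers provided by NSS which ar not weak will be enabled"), which is not what `only:nsSSL3Ciphers: default` now does, so a reader of the update file will be misled about what the server actually negotiates. I would rewrite them to `# the result of this update will be that only the ciphers in` / `# 389-ds's built-in "default" cipher list will be enabled` (this also fixes the "ar" typo). Because those lines are context in this hunk, the comment change has to be added to the patch explicitly rather than coming along with the value change.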
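Review bot: The three-entry `mod` list is now duplicated verbatim in the @@ -777 and @@ -1240 hunks of dsinstance.py, and the same cipher value lives a third time in 20-sslciphers.update, so the next cipher-policy change has to be made in three places and a missed one leaves the install and upgrade paths configuring the encryption entry differently. Consider hoisting the list into one module-level constant (for example `ENCRYPTION_MODS = [(ldap.MOD_REPLACE, "nsSSLClientAuth", "allowed"), (ldap.MOD_REPLACE, "nsSSL3Ciphers", "default"), (ldap.MOD_REPLACE, "allowWeakCipher", "off")]`) and passing it to `conn.modify_s` from both methods. The meaning of the `default` keyword is decided by the installed 389-ds-base, not by this code, so presumably the package's minimum 389-ds-base version should be checked to guarantee the keyword is honoured; that requirement is outside this patch. Both enclosing methods start and end outside their hunks, so I cannot see whether the connection is closed on the `modify_s` error path.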