[Freeipa-devel] [PATCH 431] Configure 389ds with default cipher suite

[Martin Basti]

https://fedorahosted.org/freeipa/ticket/5684

patch attached

From 5eca2364df5d0723c5f87de02d53db3e943ed2c0 Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Thu, 3 Mar 2016 17:39:34 +0100
Subject: [PATCH] Configure 389ds with "default" cipher suite

nsSSLCiphers: "default" provides only secure ciphers that should be used when
connecting to DS

https://fedorahosted.org/freeipa/ticket/5684
---
 install/updates/20-sslciphers.update | 2 +-
 ipaserver/install/dsinstance.py      | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/install/updates/20-sslciphers.update b/install/updates/20-sslciphers.update
index b0c952f498bc89568029f1d01eaded4db1371c76..62e34a501331fcb5cf244a7858ec281c78abbf43 100644
--- a/install/updates/20-sslciphers.update
+++ b/install/updates/20-sslciphers.update
@@ -2,5 +2,5 @@
 # the result of this update will be that all ciphers
 # provided by NSS which ar not weak will be enabled
 dn: cn=encryption,cn=config
-only:nsSSL3Ciphers: +all
+only:nsSSL3Ciphers: default
 addifnew:allowWeakCipher: off
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 0c54b01da7687d5812790518a2b8e00256001e5e..741dda91f3ceb6b4aff3419790f746d69adf5e16 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -777,7 +777,7 @@ class DsInstance(service.Service):
         conn.do_simple_bind(DN(('cn', 'directory manager')), self.dm_password)
 
         mod = [(ldap.MOD_REPLACE, "nsSSLClientAuth", "allowed"),
-               (ldap.MOD_REPLACE, "nsSSL3Ciphers", "+all"),
+               (ldap.MOD_REPLACE, "nsSSL3Ciphers", "default"),
                (ldap.MOD_REPLACE, "allowWeakCipher", "off")]
         conn.modify_s(DN(('cn', 'encryption'), ('cn', 'config')), mod)
 
@@ -1240,7 +1240,7 @@ class DsInstance(service.Service):
         conn.do_external_bind('root')
 
         mod = [(ldap.MOD_REPLACE, "nsSSLClientAuth", "allowed"),
-               (ldap.MOD_REPLACE, "nsSSL3Ciphers", "+all"),
+               (ldap.MOD_REPLACE, "nsSSL3Ciphers", "default"),
                (ldap.MOD_REPLACE, "allowWeakCipher", "off")]
         conn.modify_s(DN(('cn', 'encryption'), ('cn', 'config')), mod)
 
-- 
2.5.0


-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code