[Freeipa-users] Re: Configuring SSL Ciphers for FreeIPA / DogTag on port 8443

[Rob Crittenden via FreeIPA-users]

Christopher Lamb via FreeIPA-users wrote:
> Hi
>  
> A recent security scan has shown that our FreeIPA server is using 3DES
> SSL ciphers on port 8443, which I understand to be used by the DogTag
> PKI component of IPA.
>  
> The question is, how can I configure the SSL Ciphers used by DogTag (e.g
> to remove 3DES ciphers)?
>  
> I have found several files configuration files which initially look
> promising
>  
> 1) /usr/share/pki/server/conf/ciphers.info
> This has defaults for the setting sslRangeCiphers, but I guess this is
> over-ridden by one of the configs below. Interestingly this file seems
> to disable all 3DES ciphers.
> 
> 2) /usr/share/pki/server/conf/server.xml
> This has settings using constants such as TOMCAT_SSL_RANGE_CIPHERS,
> which I have no idea where they come from.
> sslVersionRangeStream="[TOMCAT_SSL_VERSION_RANGE_STREAM]"
> sslVersionRangeDatagram="[TOMCAT_SSL_VERSION_RANGE_DATAGRAM]"
> sslRangeCiphers="[TOMCAT_SSL_RANGE_CIPHERS]"
> 
> 3) /etc/pki/pki-tomcat/server.xml
> This file has an explicit list of ciphers
> sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"
>  
> However I am not sure if this file, or 2) above is being used by DogTag.
> 
> We are running:
> DogTag on Apache Tomcat/7.0.76
> pki-server 10.5.9-6
> ipa-server 4.6.4
> OEL 7.2 (Maipo)

server.xml is the way to change this. Replace the + with a - and restart
the service. You'll need to make this change on all masters with a CA,
and all future masters with a CA.

As an aside, generally speaking we don't recommend mixing packages
between OS releases.

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org