Thanks Rob
My problem was which of the various server.xmls instances is pki-tomcat using. However I think I have worked it out:
"ps -ef | grep tomcat" shows that catalina.base=/var/lib/pki/pki-tomcat.
The directory /var/lib/pki/pki-tomcat/conf is a link to /etc/pki/pki-tomcat
i.e the "active" server.xml (and the one I need to edit) is /etc/pki/pki-tomcat/server.xml. Thankfully, this is the instance with the explicit list for sslRangeCiphers
Could you be more specific about "we don't recommend mixing packages between OS releases"?
Is one of the packages I listed not the expected version? We have not knowingly fiddled around with the package versions.
However, looking at the yum history, when I last updated ipa-server in January 2019, the update aborted with
"warning: %posttrans(ipa-server-4.6.4-10.0.1.el7.x86_64) scriptlet failed, signal 2", so this might account for a package not being upgraded as expected.
"warning: %posttrans(ipa-server-4.6.4-10.0.1.el7.x86_64) scriptlet failed, signal 2", so this might account for a package not being upgraded as expected.
Cheers
Chris
----- Original message -----
From: Rob Crittenden via FreeIPA-users <[email protected]>
To: FreeIPA users list <[email protected]>
Cc: Christopher Lamb <[email protected]>, Rob Crittenden <[email protected]>
Subject: [Freeipa-users] Re: Configuring SSL Ciphers for FreeIPA / DogTag on port 8443
Date: Wed, Mar 13, 2019 1:40 PM
Christopher Lamb via FreeIPA-users wrote:
> Hi
>
> A recent security scan has shown that our FreeIPA server is using 3DES
> SSL ciphers on port 8443, which I understand to be used by the DogTag
> PKI component of IPA.
>
> The question is, how can I configure the SSL Ciphers used by DogTag (e.g
> to remove 3DES ciphers)?
>
> I have found several files configuration files which initially look
> promising
>
> 1) /usr/share/pki/server/conf/ciphers.info
> This has defaults for the setting sslRangeCiphers, but I guess this is
> over-ridden by one of the configs below. Interestingly this file seems
> to disable all 3DES ciphers.
>
> 2) /usr/share/pki/server/conf/server.xml
> This has settings using constants such as TOMCAT_SSL_RANGE_CIPHERS,
> which I have no idea where they come from.
> sslVersionRangeStream="[TOMCAT_SSL_VERSION_RANGE_STREAM]"
> sslVersionRangeDatagram="[TOMCAT_SSL_VERSION_RANGE_DATAGRAM]"
> sslRangeCiphers="[TOMCAT_SSL_RANGE_CIPHERS]"
>
> 3) /etc/pki/pki-tomcat/server.xml
> This file has an explicit list of ciphers
> sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"
>
> However I am not sure if this file, or 2) above is being used by DogTag.
>
> We are running:
> DogTag on Apache Tomcat/7.0.76
> pki-server 10.5.9-6
> ipa-server 4.6.4
> OEL 7.2 (Maipo)
server.xml is the way to change this. Replace the + with a - and restart
the service. You'll need to make this change on all masters with a CA,
and all future masters with a CA.
As an aside, generally speaking we don't recommend mixing packages
between OS releases.
rob
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
_______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
