Christopher Lamb via FreeIPA-users wrote:
> Thanks Rob
>
> My problem was which of the various server.xml instances pki-tomcat is
> using. However, I think I have worked it out:
>
> "ps -ef | grep tomcat" shows that catalina.base=/var/lib/pki/pki-tomcat.
>
> The directory /var/lib/pki/pki-tomcat/conf is a link to /etc/pki/pki-tomcat
>
> i.e. the "active" server.xml (and the one I need to edit) is
> /etc/pki/pki-tomcat/server.xml. Thankfully, this is the instance with
> the explicit list for sslRangeCiphers.
>
> Could you be more specific about "we don't recommend mixing packages
> between OS releases"?
>
> Is one of the packages I listed not the expected version? We have not
> knowingly fiddled around with the package versions.
>
> However, looking at the yum history, when I last updated ipa-server in
> January 2019, the update aborted with
> "warning: %posttrans(ipa-server-4.6.4-10.0.1.el7.x86_64) scriptlet
> failed, signal 2", so this might account for a package not being
> upgraded as expected.

You specified OEL 7.2 as the release you are using. 4.6.4 was released
with RHEL 7.6.

rob

> Cheers
>
> Chris
>
> ----- Original message -----
> From: Rob Crittenden via FreeIPA-users <[email protected]>
> To: FreeIPA users list <[email protected]>
> Cc: Christopher Lamb <[email protected]>, Rob Crittenden <[email protected]>
> Subject: [Freeipa-users] Re: Configuring SSL Ciphers for FreeIPA / DogTag on port 8443
> Date: Wed, Mar 13, 2019 1:40 PM
>
> Christopher Lamb via FreeIPA-users wrote:
> > Hi
> >
> > A recent security scan has shown that our FreeIPA server is using 3DES
> > SSL ciphers on port 8443, which I understand to be used by the DogTag
> > PKI component of IPA.
> >
> > The question is, how can I configure the SSL ciphers used by DogTag (e.g.
> > to remove 3DES ciphers)?
> >
> > I have found several configuration files which initially look
> > promising:
> >
> > 1) /usr/share/pki/server/conf/ciphers.info
> > This has defaults for the setting sslRangeCiphers, but I guess this is
> > overridden by one of the configs below. Interestingly, this file seems
> > to disable all 3DES ciphers.
> >
> > 2) /usr/share/pki/server/conf/server.xml
> > This has settings using constants such as TOMCAT_SSL_RANGE_CIPHERS,
> > which I have no idea where they come from.
> >
> > sslVersionRangeStream="[TOMCAT_SSL_VERSION_RANGE_STREAM]"
> > sslVersionRangeDatagram="[TOMCAT_SSL_VERSION_RANGE_DATAGRAM]"
> > sslRangeCiphers="[TOMCAT_SSL_RANGE_CIPHERS]"
> >
> > 3) /etc/pki/pki-tomcat/server.xml
> > This file has an explicit list of ciphers:
> >
> > sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"
> >
> > However, I am not sure if this file, or 2) above, is being used by DogTag.
> >
> > We are running:
> > DogTag on Apache Tomcat/7.0.76
> > pki-server 10.5.9-6
> > ipa-server 4.6.4
> > OEL 7.2 (Maipo)
>
> server.xml is the way to change this. Replace the + with a - and restart
> the service. You'll need to make this change on all masters with a CA,
> and all future masters with a CA.
>
> As an aside, generally speaking we don't recommend mixing packages
> between OS releases.
>
> rob
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
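The advice in the thread is to edit the `sslRangeCiphers` attribute in `/etc/pki/pki-tomcat/server.xml`, flipping `+` to `-` on every 3DES entry, and to repeat that on every CA master. Doing that by hand across a long comma-separated list is error-prone, so the following script (an added example, not code from the thread or from the FreeIPA or Dogtag projects) parses the attribute, disables every cipher whose name matches a pattern, reports what was still enabled, and writes the file back with a backup. The server.xml fragment embedded below is constructed for the example and is not a copy of any real file; the path default and the `3DES` pattern are the assumptions it makes.

```python
#!/usr/bin/env python3
"""Disable ciphers matching a pattern in a Dogtag/pki-tomcat server.xml.

Added example for the thread above; it assumes the Dogtag convention that
sslRangeCiphers is a comma-separated list of +NAME / -NAME entries.
"""
import re
import shutil
import sys

# Constructed sample of the <Connector> shape found in
# /etc/pki/pki-tomcat/server.xml. Values are for illustration only.
SAMPLE_SERVER_XML = '''<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector name="Secure" port="8443" protocol="HTTP/1.1" SSLEnabled="true"
        sslVersionRangeStream="tls1_0:tls1_2"
        sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" />
  </Service>
</Server>
'''

# Matches the attribute wherever it appears; group 2 is the cipher list.
ATTR_RE = re.compile(r'(sslRangeCiphers=")([^"]*)(")')


def parse_cipher_list(value):
    """Turn '+A,-B' into [('+', 'A'), ('-', 'B')], rejecting malformed entries."""
    entries = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        sign, name = item[0], item[1:]
        if sign not in "+-" or not name:
            raise ValueError(f"cipher entry without +/- prefix: {item!r}")
        entries.append((sign, name))
    return entries


def disable_matching(value, pattern="3DES"):
    """Return the list with every cipher containing `pattern` set to '-'.

    Entries are kept in their original order so the rest of the policy is
    untouched; already-disabled entries stay disabled.
    """
    out = []
    for sign, name in parse_cipher_list(value):
        if pattern in name:
            sign = "-"
        out.append(sign + name)
    return ",".join(out)


def offending_ciphers(xml_text, pattern="3DES"):
    """List ciphers that are still enabled ('+') and match `pattern`.

    Use this before editing to see what a scanner would flag, and after the
    edit (and a service restart) to confirm the attribute is clean.
    """
    found = []
    for m in ATTR_RE.finditer(xml_text):
        for sign, name in parse_cipher_list(m.group(2)):
            if sign == "+" and pattern in name:
                found.append(name)
    return found


def harden_server_xml(xml_text, pattern="3DES"):
    """Rewrite every sslRangeCiphers attribute; return (new_text, attrs_changed)."""
    changed = 0

    def repl(m):
        nonlocal changed
        new_list = disable_matching(m.group(2), pattern)
        if new_list != m.group(2):
            changed += 1
        return m.group(1) + new_list + m.group(3)

    return ATTR_RE.sub(repl, xml_text), changed


def main(argv):
    # Usage: harden_ciphers.py [/etc/pki/pki-tomcat/server.xml] [PATTERN]
    path = argv[1] if len(argv) > 1 else "/etc/pki/pki-tomcat/server.xml"
    pattern = argv[2] if len(argv) > 2 else "3DES"
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    print("enabled and matching before:", offending_ciphers(original, pattern))
    new_text, changed = harden_server_xml(original, pattern)
    if changed:
        shutil.copyfile(path, path + ".bak")  # keep a copy to diff or roll back
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(new_text)
    print(f"attributes rewritten: {changed}; remaining:",
          offending_ciphers(new_text, pattern))


if __name__ == "__main__":
    main(sys.argv)
```

Run it once per CA master, then restart the Dogtag instance (`systemctl restart pki-tomcatd@pki-tomcat.service` on RHEL 7-era IPA) and re-run the scan. A quick independent check from another host is `openssl s_client -connect HOST:8443 -cipher DES-CBC3-SHA`, which should fail to negotiate once no 3DES suite is offered. Because the script only rewrites `sslRangeCiphers`, it leaves `sslVersionRangeStream` and the rest of the connector alone; if you want to drop other CBC suites as well, pass a different pattern instead of hand-editing.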
