Auerbach, Steven via FreeIPA-users wrote:
> I have tried to set this server to clear SecureWorks Vulnerabilities.
> This warning I do not understand. I have the following in nss.conf:
>
>   # SSL Cipher Suite:
>   # List the ciphers that the client is permitted to negotiate.
>   # See the mod_nss documentation for a complete list.
>
>   NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha
>
>   # SSL Protocol:
>   NSSProtocol TLSv1.2
>
> When I execute openssl s_client -connect 127.0.0.1:636 tlsv1 (or
> tlsv1_1) I get a successful response of my certificate, a handshake,
> and a 0 return code. SecureWorks reports SSL/TLS Server supports
> TLSv1.0 port 636/tcp over SSL (LDAP port). What have I done wrong
> here? Would the syntax
>
>   NSSProtocol ALL +TLSv1.2
>
> work better?
You are tweaking the Apache TLS configuration and testing the LDAP TLS
port 636. You can set the minimum TLS version in LDAP with:

  $ ldapmodify -x -D 'cn=directory manager' -W
  LDAP Password:
  dn: cn=encryption,cn=config
  changetype: modify
  replace: sslVersionMin
  sslVersionMin: TLS1.2
  ^D

  $ sudo systemctl restart dirsrv.target

rob

_______________________________________________
FreeIPA-users mailing list
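An added example, not part of the thread: a small Python probe that repeats the poster's per-version openssl s_client check against the LDAPS port for every TLS version at once and reports which versions below 1.2 the server still accepts, which is the check to run after the sslVersionMin change and the dirsrv restart. The target host/port and the @SECLEVEL cipher-string override are assumptions.

```python
import socket
import ssl

# TLS versions to try, oldest first; 1.0 and 1.1 are what the scanner flagged.
VERSIONS = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
            ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]

def probe_version(host, port, version, timeout=5.0):
    """Handshake with the client pinned to exactly one TLS version.

    Returns (accepted, detail): True plus the negotiated version if the
    server completed the handshake, else False plus the failure reason
    (e.g. 'UNSUPPORTED_PROTOCOL' or 'PROTOCOL_VERSION').
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # protocol support is under test, not trust
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        # Assumption: the local OpenSSL honours @SECLEVEL; level 0 is needed
        # for the client to offer TLS 1.0/1.1 at all on OpenSSL 3 systems.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLError as exc:
        return False, exc.reason or str(exc)
    except OSError as exc:
        return False, str(exc)

def probe_all(host, port):
    """Map each TLS version to whether the server accepted it."""
    return {v: probe_version(host, port, v)[0] for v in VERSIONS}

def legacy_versions_accepted(results):
    """Versions below TLS 1.2 the server accepted; empty once sslVersionMin is TLS1.2."""
    return [v for v, ok in results.items() if ok and v < ssl.TLSVersion.TLSv1_2]

if __name__ == "__main__":
    # Assumed target: the LDAPS port the poster was scanning.
    results = probe_all("127.0.0.1", 636)
    for v, ok in results.items():
        print(f"{v.name}: {'accepted' if ok else 'rejected'}")
    legacy = [v.name for v in legacy_versions_accepted(results)]
    print("legacy versions still accepted:", legacy or "none")
```

A server hardened as in the reply above should show TLSv1 and TLSv1_1 rejected and an empty legacy list; a version that is merely "rejected" because the local client refused to offer it will carry a reason such as 'NO_PROTOCOLS_AVAILABLE' in the detail field rather than a server alert.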
