After pulling down a mod_nss upgrade, the nss.conf.rpmnew file has some additional content. The diff is below. Should I merge in the new NSSCipherSuite/NSSProtocol changes on an IPA system or leave it as is?
[root@ipa1 ~]# diff -u /etc/httpd/conf.d/nss.conf /etc/httpd/conf.d/nss.conf.rpmnew
--- /etc/httpd/conf.d/nss.conf 2013-10-06 11:58:57.297000000 -0500
+++ /etc/httpd/conf.d/nss.conf.rpmnew 2013-10-24 16:22:49.000000000 -0500
@@ -14,9 +14,9 @@
 # standard HTTP port (see above) and to the HTTPS port
 #
 # Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
-# Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
+# Listen directives: "Listen [::]:8443" and "Listen 0.0.0.0:443"
 #
-Listen 443
+Listen 8443
 ##
 ## SSL Global Context
@@ -35,7 +35,7 @@
 # Configure the pass phrase gathering process.
 # The filtering dialog program (`builtin' is a internal
 # terminal dialog) has to provide the pass phrase on stdout.
-NSSPassPhraseDialog "file:/etc/httpd/conf/password.conf"
+NSSPassPhraseDialog builtin
 # Pass Phrase Helper:
@@ -73,21 +73,21 @@
 #
 # Only renegotiate if the peer's hello bears the TLS renegotiation_info
 # extension. Default off.
-NSSRenegotiation on
+NSSRenegotiation off
 # Peer must send Signaling Cipher Suite Value (SCSV) or
 # Renegotiation Info (RI) extension in ALL handshakes. Default: off
-NSSRequireSafeNegotiation on
+NSSRequireSafeNegotiation off
 ##
 ## SSL Virtual Host Context
 ##
-<VirtualHost _default_:443>
+<VirtualHost _default_:8443>
 # General setup for the virtual host
 #DocumentRoot "/etc/httpd/htdocs"
-#ServerName www.example.com:443
+#ServerName www.example.com:8443
 #ServerAdmin [email protected]
 # mod_nss can log to separate log files, you can choose to do that if you'd like
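Review bot: `Listen 8443` on the new side of the first hunk (and `<VirtualHost _default_:8443>` / `#ServerName www.example.com:8443` in the third) is the packaged mod_nss default rather than an improvement over the current `Listen 443`; the `-` side is the value the IPA installer appears to have written, and merging it would move the IPA web UI and API off the standard HTTPS port. Treat the .rpmnew as a vendor default to compare against, not a patch to apply: pick individual directives, never the whole file. A wholesale merge would also drop `Include conf.d/ipa-rewrite.conf`, removed in the last hunk, which looks IPA-specific.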
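Review bot: `NSSPassPhraseDialog builtin` on the new side would make httpd ask for the NSS database password on a terminal at startup, so an unattended restart or reboot would stall; the current `"file:/etc/httpd/conf/password.conf"` is what lets the IPA httpd start without a prompt and should be kept. Because that file holds the key database password, it is worth confirming separately that it is readable only by root, which this diff does not show.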
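Review bot: `NSSRequireSafeNegotiation off` on the new side is weaker than the current `on`: the comment in the hunk says `on` requires the peer to send SCSV or the Renegotiation Info extension in all handshakes, so switching it off would again accept peers that lack the safe-renegotiation signal. Keep `NSSRequireSafeNegotiation on`; `NSSRenegotiation off` is acceptable only if nothing on this server needs renegotiation, and the `Default: off` comments describe the upstream default, not a recommendation. The `<VirtualHost _default_:8443>` change here is the same port issue as the Listen change in the first hunk.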
@@ -113,7 +113,16 @@
 # ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography
 #NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,- rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha, +fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,- rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,- ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha, +ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha, +ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha, +ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha, +ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,- echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha, +ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha
-NSSProtocol SSLv3,TLSv1
+# SSL Protocol:
+# Cryptographic protocols that provide communication security.
+# NSS handles the specified protocols as "ranges", and automatically
+# negotiates the use of the strongest protocol for a connection starting
+# with the maximum specified protocol and downgrading as necessary to the
+# minimum specified protocol that can be used between two processes.
+# Since all protocol ranges are completely inclusive, and no protocol in the
+# middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.1"
+# is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1".
+NSSProtocol SSLv3,TLSv1.0,TLSv1.1
 # SSL Certificate Nickname:
 # The nickname of the RSA server certificate you are going to use.
@@ -214,6 +223,5 @@
 #CustomLog /home/rcrit/redhat/apache/logs/ssl_request_log \
 # "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
-Include conf.d/ipa-rewrite.conf
 </VirtualHost>
-- Anthony - http://messinet.com - http://messinet.com/~amessina/gallery 8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
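Review bot: `NSSProtocol SSLv3,TLSv1.0,TLSv1.1` on the new side keeps SSLv3 as the floor of the range, and the added comment explains why that matters: ranges are inclusive, so the only way to stop SSLv3 from being negotiated is to raise the minimum. Unless some client still needs SSLv3, prefer `NSSProtocol TLSv1.0,TLSv1.1` when merging; the new comment block itself is worth taking, since it documents the range semantics the old file lacked. The commented-out `#NSSCipherSuite` line in this hunk still enables rc4 and md5 suites (`+rsa_rc4_128_md5`, `+ecdhe_rsa_rc4_128_sha`); it is inactive here, and the active NSSCipherSuite line is outside the hunk, so review that one on its own.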
