After pulling down a mod_nss upgrade, the nss.conf.rpmnew file has some 
additional content.  The diff is below.  Should I merge in the new 
NSSCipherSuite/NSSProtocol changes on an IPA system or leave it as is?


[root@ipa1 ~]# diff -u /etc/httpd/conf.d/nss.conf 
/etc/httpd/conf.d/nss.conf.rpmnew
--- /etc/httpd/conf.d/nss.conf  2013-10-06 11:58:57.297000000 -0500
+++ /etc/httpd/conf.d/nss.conf.rpmnew   2013-10-24 16:22:49.000000000 -0500
@@ -14,9 +14,9 @@
 # standard HTTP port (see above) and to the HTTPS port
 #
 # Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
-#       Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
+#       Listen directives: "Listen [::]:8443" and "Listen 0.0.0.0:443"
 #
-Listen 443
+Listen 8443
 
 ##
 ##  SSL Global Context
@@ -35,7 +35,7 @@
 #   Configure the pass phrase gathering process.
 #   The filtering dialog program (`builtin' is a internal
 #   terminal dialog) has to provide the pass phrase on stdout.
-NSSPassPhraseDialog "file:/etc/httpd/conf/password.conf"
+NSSPassPhraseDialog  builtin
 
 
 #   Pass Phrase Helper:
@@ -73,21 +73,21 @@
 #
 # Only renegotiate if the peer's hello bears the TLS renegotiation_info
 # extension. Default off.
-NSSRenegotiation on
+NSSRenegotiation off
 
 # Peer must send Signaling Cipher Suite Value (SCSV) or
 # Renegotiation Info (RI) extension in ALL handshakes.  Default: off
-NSSRequireSafeNegotiation on
+NSSRequireSafeNegotiation off
 
 ##
 ## SSL Virtual Host Context
 ##
 
-<VirtualHost _default_:443>
+<VirtualHost _default_:8443>
 
 #   General setup for the virtual host
 #DocumentRoot "/etc/httpd/htdocs"
-#ServerName www.example.com:443
+#ServerName www.example.com:8443
 #ServerAdmin y...@example.com
 
 # mod_nss can log to separate log files, you can choose to do that if you'd 
like
@@ -113,7 +113,16 @@
 # ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography
 #NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-
rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,
+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-
rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-
ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,
+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,
+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,
+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,
+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-
echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,
+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha
 
-NSSProtocol SSLv3,TLSv1
+#   SSL Protocol:
+#   Cryptographic protocols that provide communication security.
+#   NSS handles the specified protocols as "ranges", and automatically
+#   negotiates the use of the strongest protocol for a connection starting
+#   with the maximum specified protocol and downgrading as necessary to the
+#   minimum specified protocol that can be used between two processes.
+#   Since all protocol ranges are completely inclusive, and no protocol in 
the
+#   middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.1"
+#   is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1".
+NSSProtocol SSLv3,TLSv1.0,TLSv1.1
 
 #   SSL Certificate Nickname:
 #   The nickname of the RSA server certificate you are going to use.
@@ -214,6 +223,5 @@
 #CustomLog /home/rcrit/redhat/apache/logs/ssl_request_log \
 #          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
 
-Include conf.d/ipa-rewrite.conf
 </VirtualHost>
-- 
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E

Attachment: signature.asc
Description: This is a digitally signed message part.

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to