On Fri, 2013-11-22 at 17:24 -0600, Anthony Messina wrote:
> After pulling down a mod_nss upgrade, the nss.conf.rpmnew file has some 
> additional content.  The diff is below.  Should I merge in the new 
> NSSCipherSuite/NSSProtocol changes on an IPA system or leave it as is?

It is probably a good idea to merge them in although IPA is not yet able
to create EC based certs. The protocol is certainly worth it.

Simo.

> [root@ipa1 ~]# diff -u /etc/httpd/conf.d/nss.conf 
> /etc/httpd/conf.d/nss.conf.rpmnew
> --- /etc/httpd/conf.d/nss.conf  2013-10-06 11:58:57.297000000 -0500
> +++ /etc/httpd/conf.d/nss.conf.rpmnew   2013-10-24 16:22:49.000000000 -0500
> @@ -14,9 +14,9 @@
>  # standard HTTP port (see above) and to the HTTPS port
>  #
>  # Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
> -#       Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
> +#       Listen directives: "Listen [::]:8443" and "Listen 0.0.0.0:443"
>  #
> -Listen 443
> +Listen 8443
>  
>  ##
>  ##  SSL Global Context
> @@ -35,7 +35,7 @@
>  #   Configure the pass phrase gathering process.
>  #   The filtering dialog program (`builtin' is a internal
>  #   terminal dialog) has to provide the pass phrase on stdout.
> -NSSPassPhraseDialog "file:/etc/httpd/conf/password.conf"
> +NSSPassPhraseDialog  builtin
>  
> 
>  #   Pass Phrase Helper:
> @@ -73,21 +73,21 @@
>  #
>  # Only renegotiate if the peer's hello bears the TLS renegotiation_info
>  # extension. Default off.
> -NSSRenegotiation on
> +NSSRenegotiation off
>  
>  # Peer must send Signaling Cipher Suite Value (SCSV) or
>  # Renegotiation Info (RI) extension in ALL handshakes.  Default: off
> -NSSRequireSafeNegotiation on
> +NSSRequireSafeNegotiation off
>  
>  ##
>  ## SSL Virtual Host Context
>  ##
>  
> -<VirtualHost _default_:443>
> +<VirtualHost _default_:8443>
>  
>  #   General setup for the virtual host
>  #DocumentRoot "/etc/httpd/htdocs"
> -#ServerName www.example.com:443
> +#ServerName www.example.com:8443
>  #ServerAdmin y...@example.com
>  
>  # mod_nss can log to separate log files, you can choose to do that if you'd 
> like
> @@ -113,7 +113,16 @@
>  # ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography
>  #NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-
> rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,
> +fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-
> rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-
> ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,
> +ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,
> +ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,
> +ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,
> +ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-
> echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,
> +ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha
>  
> -NSSProtocol SSLv3,TLSv1
> +#   SSL Protocol:
> +#   Cryptographic protocols that provide communication security.
> +#   NSS handles the specified protocols as "ranges", and automatically
> +#   negotiates the use of the strongest protocol for a connection starting
> +#   with the maximum specified protocol and downgrading as necessary to the
> +#   minimum specified protocol that can be used between two processes.
> +#   Since all protocol ranges are completely inclusive, and no protocol in 
> the
> +#   middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.1"
> +#   is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1".
> +NSSProtocol SSLv3,TLSv1.0,TLSv1.1
>  
>  #   SSL Certificate Nickname:
>  #   The nickname of the RSA server certificate you are going to use.
> @@ -214,6 +223,5 @@
>  #CustomLog /home/rcrit/redhat/apache/logs/ssl_request_log \
>  #          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>  
> -Include conf.d/ipa-rewrite.conf
>  </VirtualHost>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to