Sorry, messed up copy paste, here is the edited section - 

nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+
 rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128
 _sha,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
numSubordinates: 1

I double checked this time. No Null ciphers in dse.ldif files.
Still seeing the Null Cipher in scans.
-----Original Message-----
From: Alexander Bokovoy [mailto:aboko...@redhat.com] 
Sent: Tuesday, October 07, 2014 6:13 AM
To: Murty, Ajeet (US - Arlington)
Cc: Martin Kosek; Nathan Kinder; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports

On Tue, 07 Oct 2014, Murty, Ajeet (US - Arlington) wrote:
>I edited both ldif files to remove fortezza_null. Looks like this now -
>
>nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
> +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
> rtezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
Here I can still see +fortezza_null.

> a_export1024_with_des_cbc_sha
>
>Ran the scan again, still seeing Null Cipher -
>
>TLSv1
>      NULL-SHA                     Kx=RSA         Au=RSA      Enc=None         
>         Mac=SHA1
>
>-----Original Message-----
>From: Alexander Bokovoy [mailto:aboko...@redhat.com]
>Sent: Tuesday, October 07, 2014 5:46 AM
>To: Murty, Ajeet (US - Arlington)
>Cc: Martin Kosek; Nathan Kinder; freeipa-users@redhat.com
>Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
>
>On Tue, 07 Oct 2014, Murty, Ajeet (US - Arlington) wrote:
>>Hi Martin and Nathan,
>>
>>Thank you for providing that info.
>>Unfortunately, my IPA server is running on CentOS, and the latest IPA version 
>>available through YUM is - 'ipa-server.i686 3.0.0-37.el6'.
>>The latest version of 389-DS through YUM is - '389-ds-base.i686 
>>1.2.11.15-34.el6_5 '.
>>
>>Nessus scan had detected this null cipher -
>>    TLSv1
>>      NULL-SHA                     Kx=RSA         Au=RSA      Enc=None        
>>          Mac=SHA1
>>
>>I found 2 'dse.ldif' files on disk -
>>        /etc/dirsrv/slapd-PKI-IPA/dse.ldif
>>        /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif
>>
>>In each of them, I found this -
>>nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
>> +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
>> rtezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
>> a_export1024_with_des_cbc_sha
>>
>>
>>So to disable null cipher, I removed 'rsa_null_md5' from that list -
>>nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
>> +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
>> rtezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
>> a_export1024_with_des_cbc_sha
>>
>>I restarted the entire IPA stack, and ran the scan again, I am still seeing 
>>that Null Cipher.
>>
>>Any ideas on how to resolve this?
>I can see also fortezza_null in the above list, maybe you are getting
>into that one?
>
>>
>>-----Original Message-----
>>From: Martin Kosek [mailto:mko...@redhat.com]
>>Sent: Tuesday, September 23, 2014 11:15 AM
>>To: Nathan Kinder; freeipa-users@redhat.com; Murty, Ajeet (US - Arlington)
>>Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
>>
>>On 09/22/2014 10:07 PM, Nathan Kinder wrote:
>>>
>>>
>>> On 09/22/2014 05:03 AM, Murty, Ajeet (US - Arlington) wrote:
>>>> Security scan of FreeIPA server ports uncovered weak, medium and null
>>>> ciphers on port 389 and 636. We are running 'ipa-server-3.0.0-37.el6.i686'.
>>>>
>>>> How can I disable/remove these ciphers in my existing setup?
>>>
>>> This has recently been worked on in this 389-ds-base ticket:
>>>
>>>   https://fedorahosted.org/389/ticket/47838
>>>
>>> As mentioned in the initial description of that ticket, you can
>>> configure the allowed ciphers in the "cn=config" entry in 389-ds-base.
>>> You can edit this over LDAP, or by stopping 389-ds-base and editing
>>> /etc/dirsrv/slapd-<REALM>/dse.ldif.
>>>
>>> Thanks,
>>> -NGK
>>
>>You can also check the FreeIPA counterpart:
>>
>>https://fedorahosted.org/freeipa/ticket/4395
>>
>>This issue is fixed in FreeIPA 4.0.3 (available in Copr build and Fedora 21+),
>>we would very much welcome if you can verify that this setup works for you!
>>
>>Thanks,
>>Martin
>>
>>--
>>Manage your subscription for the Freeipa-users mailing list:
>>https://www.redhat.com/mailman/listinfo/freeipa-users
>>Go To http://freeipa.org for more info on the project
>
>--
>/ Alexander Bokovoy

-- 
/ Alexander Bokovoy
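
Alexander's point in the thread is that the pasted nsSSL3Ciphers value still carries +fortezza_null, which is easy to miss because LDIF folds long values across continuation lines (a leading space continues the previous line, so "+fo" / " rtezza_rc4_128_sha" and "+fortezza_null" are split or buried mid-line). The script below is an added example, not 389-ds or FreeIPA code and not something posted in the thread: it unfolds the LDIF, extracts nsSSL3Ciphers, and reports every enabled entry whose name contains "null" or that is an export/40-bit/56-bit cipher. The sample dse.ldif fragment is constructed from the value quoted in the thread; the +/- handling follows the enable/disable meaning the thread uses, and a bare name without a prefix is treated as enabled, which is an assumption.

```python
#!/usr/bin/env python3
"""Audit the nsSSL3Ciphers attribute of a 389-ds dse.ldif for null/weak ciphers."""
import sys

# Constructed sample in the shape of the thread's dse.ldif fragment. LDIF folds
# long values: a continuation line starts with one space, which is why
# "+fo" / " rtezza_rc4_128_sha" and "+fortezza_null" are easy to overlook.
SAMPLE_DSE_LDIF = """\
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
 rtezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
 a_export1024_with_des_cbc_sha
nsSSL3: on
"""


def unfold_ldif(text):
    """Return logical LDIF lines, joining continuation lines (leading space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation: drop the fold space
        else:
            lines.append(raw)
    return lines


def get_attribute(text, name):
    """First value of attribute `name` (case-insensitive) after unfolding."""
    for line in unfold_ldif(text):
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() == name.lower():
            return value.strip()
    return None


def parse_cipher_list(value):
    """Split a +/- prefixed cipher list into (enabled, disabled) name lists."""
    enabled, disabled = [], []
    for item in value.split(","):
        item = item.strip().lower()
        if not item:
            continue
        if item.startswith("-"):
            disabled.append(item[1:])
        elif item.startswith("+"):
            enabled.append(item[1:])
        else:
            enabled.append(item)           # bare name: treated as enabled (assumption)
    return enabled, disabled


def audit_ciphers(enabled):
    """Flag enabled ciphers with no encryption (null) or export/40/56-bit keys."""
    return {
        "null": [c for c in enabled if "null" in c],
        "export_or_short_key": [c for c in enabled
                                if "export" in c or "_40_" in c or "_56_" in c],
    }


def audit_file(text):
    """Audit one dse.ldif text; returns None when nsSSL3Ciphers is not set."""
    value = get_attribute(text, "nsSSL3Ciphers")
    if value is None:
        return None
    enabled, disabled = parse_cipher_list(value)
    report = audit_ciphers(enabled)
    report["enabled_count"] = len(enabled)
    report["disabled"] = disabled
    return report


if __name__ == "__main__":
    # Usage: python3 audit_ciphers.py /etc/dirsrv/slapd-<INSTANCE>/dse.ldif
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DSE_LDIF
    result = audit_file(source)
    if result is None:
        print("nsSSL3Ciphers not set")
    else:
        for key, val in result.items():
            print(f"{key}: {val}")
```

Run it against each instance's file (the thread names /etc/dirsrv/slapd-PKI-IPA/dse.ldif and /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif) with the directory server stopped, since 389-ds rewrites dse.ldif on shutdown. On the constructed sample it reports fortezza_null under "null" even though rsa_null_md5 is disabled, which is exactly the entry the thread's "No Null ciphers" check missed; re-run it after editing and before re-scanning.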
