Sorry, messed up copy paste, here is the edited section -

nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+
 rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128
 _sha,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
numSubordinates: 1

I double checked this time. No Null ciphers in dse.ldif files. Still seeing the Null Cipher in scans.

-----Original Message-----
From: Alexander Bokovoy [mailto:[email protected]]
Sent: Tuesday, October 07, 2014 6:13 AM
To: Murty, Ajeet (US - Arlington)
Cc: Martin Kosek; Nathan Kinder; [email protected]
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports

On Tue, 07 Oct 2014, Murty, Ajeet (US - Arlington) wrote:
>I edited both ldif files to remove fortezza_null. Looks like this now -
>
>nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
> +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
> rtezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
Here I can still see +fortezza_null.
> a_export1024_with_des_cbc_sha
>
>Ran the scan again, still seeing Null Cipher -
>
>TLSv1
>  NULL-SHA   Kx=RSA  Au=RSA  Enc=None  Mac=SHA1
>
>-----Original Message-----
>From: Alexander Bokovoy [mailto:[email protected]]
>Sent: Tuesday, October 07, 2014 5:46 AM
>To: Murty, Ajeet (US - Arlington)
>Cc: Martin Kosek; Nathan Kinder; [email protected]
>Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
>
>On Tue, 07 Oct 2014, Murty, Ajeet (US - Arlington) wrote:
>>Hi Martin and Nathan,
>>
>>Thank you for providing that info.
>>Unfortunately, my IPA server is running on CentOS, and the latest IPA version
>>available through YUM is 'ipa-server.i686 3.0.0-37.el6'.
>>The latest version of 389-DS through YUM is '389-ds-base.i686
>>1.2.11.15-34.el6_5'.
>>
>>Nessus scan had detected this null cipher -
>>TLSv1
>>  NULL-SHA   Kx=RSA  Au=RSA  Enc=None  Mac=SHA1
>>
>>I found 2 'dse.ldif' files on disk -
>>  /etc/dirsrv/slapd-PKI-IPA/dse.ldif
>>  /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif
>>
>>In each of them, I found this -
>>nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
>> +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
>> rtezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
>> a_export1024_with_des_cbc_sha
>>
>>So to disable null cipher, I removed 'rsa_null_md5' from that list -
>>nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
>> +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
>> rtezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
>> a_export1024_with_des_cbc_sha
>>
>>I restarted the entire IPA stack and ran the scan again; I am still seeing
>>that Null Cipher.
>>
>>Any ideas on how to resolve this?
>I can also see fortezza_null in the above list; maybe you are getting
>into that one?
>
>>
>>-----Original Message-----
>>From: Martin Kosek [mailto:[email protected]]
>>Sent: Tuesday, September 23, 2014 11:15 AM
>>To: Nathan Kinder; [email protected]; Murty, Ajeet (US - Arlington)
>>Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
>>
>>On 09/22/2014 10:07 PM, Nathan Kinder wrote:
>>>
>>>
>>> On 09/22/2014 05:03 AM, Murty, Ajeet (US - Arlington) wrote:
>>>> Security scan of FreeIPA server ports uncovered weak, medium and null
>>>> ciphers on port 389 and 636. We are running 'ipa-server-3.0.0-37.el6.i686'.
>>>>
>>>> How can I disable/remove these ciphers in my existing setup?
>>>
>>> This has recently been worked on in this 389-ds-base ticket:
>>>
>>> https://fedorahosted.org/389/ticket/47838
>>>
>>> As mentioned in the initial description of that ticket, you can
>>> configure the allowed ciphers in the "cn=config" entry in 389-ds-base.
>>> You can edit this over LDAP, or by stopping 389-ds-base and editing
>>> /etc/dirsrv/slapd-<REALM>/dse.ldif.
>>>
>>> Thanks,
>>> -NGK
>>
>>You can also check the FreeIPA counterpart:
>>
>>https://fedorahosted.org/freeipa/ticket/4395
>>
>>This issue is fixed in FreeIPA 4.0.3 (available in a Copr build and Fedora 21+);
>>we would very much welcome it if you could verify that this setup works for you!
>>
>>Thanks,
>>Martin
>>
>>--
>>Manage your subscription for the Freeipa-users mailing list:
>>https://www.redhat.com/mailman/listinfo/freeipa-users
>>Go To http://freeipa.org for more info on the project
>
>--
>/ Alexander Bokovoy

--
/ Alexander Bokovoy
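An added example, not code from the thread, FreeIPA or 389-ds, that does the check the thread is doing by hand: it unfolds the LDIF-wrapped nsSSL3Ciphers value from a dse.ldif (a continuation line starts with exactly one space, which is why the value appears split across lines above), lists every explicitly enabled cipher that a scanner will flag (null, export, RC4, single DES, MD5, Fortezza), and rewrites the attribute as a deny-by-default list. Two things worth noting from the scan output: NULL-SHA (Kx=RSA, Enc=None, Mac=SHA1) is OpenSSL's name for TLS_RSA_WITH_NULL_SHA, a different suite from rsa_null_md5, so removing only rsa_null_md5 from the list says nothing about the SHA variant; and a list that merely omits a cipher leaves that cipher in whatever state the server's default gives it, which is why the generated value starts with -all and then enables named suites. The sample dse.ldif entry is constructed from the one quoted in the thread; the "-all" syntax, the cn=encryption,cn=config location and the allowlist names (tls_rsa_aes_256_sha, tls_rsa_aes_128_sha, rsa_3des_sha) are assumptions that must be checked against the cipher table of the 389-ds version actually installed.

```python
"""Audit the nsSSL3Ciphers attribute of a 389-ds dse.ldif and emit a
deny-by-default replacement.  Added example; not FreeIPA or 389-ds code."""

# Constructed sample modelled on the entry quoted in the thread.  In LDIF a
# long value is folded: continuation lines start with exactly one space.
SAMPLE_DSE_LDIF = """\
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
 rtezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
 a_export1024_with_des_cbc_sha
numSubordinates: 1
"""

# Substrings that mark a 389-ds cipher name as one no scanner should see
# enabled on 389/636.  Assumption: names follow the 389-ds convention seen
# in the thread (rsa_null_md5, rsa_rc4_40_md5, tls_rsa_export1024_...).
WEAK_MARKERS = {
    "null": ("null",),                       # no encryption at all
    "export": ("export", "_40_", "rc2"),     # 40/56-bit export grades
    "rc4": ("rc4",),
    "single-des": ("_des_",),                # rsa_des_sha, not rsa_3des_sha
    "md5-mac": ("md5",),
    "fortezza": ("fortezza",),
}

# Allowlist for the hardened value, most preferred first.  Assumption: these
# names exist in the installed server's cipher table; verify before use.
ALLOWED = ("tls_rsa_aes_256_sha", "tls_rsa_aes_128_sha", "rsa_3des_sha")


def unfold_ldif(text):
    """Join LDIF continuation lines so each attribute is one logical line."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]           # drop the single folding space
        else:
            logical.append(raw)
    return logical


def parse_ciphers(text, attr="nsSSL3Ciphers"):
    """Return [(sign, name), ...], e.g. ('-', 'rsa_null_md5'), from attr."""
    for line in unfold_ldif(text):
        if line.lower().startswith(attr.lower() + ":"):
            value = line.split(":", 1)[1].strip()
            return [(t[0], t[1:]) for t in value.split(",") if t]
    return []


def weak_enabled(ciphers):
    """Map weakness class -> names that are explicitly enabled with '+'."""
    found = {}
    for sign, name in ciphers:
        if sign != "+":
            continue
        for cls, markers in WEAK_MARKERS.items():
            if any(m in name for m in markers):
                found.setdefault(cls, []).append(name)
    return found


def hardened_value(allowed=ALLOWED):
    """Deny everything, then enable only the allowlist (order = preference)."""
    return ",".join(["-all"] + ["+" + c for c in allowed])


def fold_ldif_line(line, width=76):
    """Fold one logical LDIF line back to LDIF wrapping (continuation = 1 space)."""
    out, first = [], True
    while line:
        take = width if first else width - 1
        out.append(line[:take] if first else " " + line[:take])
        line, first = line[take:], False
    return "\n".join(out)


def rewrite_dse(text, new_value, attr="nsSSL3Ciphers"):
    """Replace attr's value in dse.ldif text; only touch the file with the
    server stopped, since 389-ds rewrites dse.ldif itself while running."""
    out = []
    for line in unfold_ldif(text):
        if line.lower().startswith(attr.lower() + ":"):
            line = "%s: %s" % (attr, new_value)
        out.append(fold_ldif_line(line))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    ciphers = parse_ciphers(SAMPLE_DSE_LDIF)
    for cls, names in sorted(weak_enabled(ciphers).items()):
        print("%-11s %s" % (cls, ", ".join(names)))
    print(rewrite_dse(SAMPLE_DSE_LDIF, hardened_value()))
```

Run against the sample, the report shows that the only "-" entry is rsa_null_md5 while fortezza_null, both export suites, every RC4 suite and single DES are still "+", which matches what the scan kept reporting. The generated value can be applied with ldapmodify against cn=encryption,cn=config on a running server, or written into dse.ldif with the instance stopped, followed by a restart; then confirm from the outside with `openssl s_client -connect host:636 -cipher NULL`, which must fail to negotiate before the scan is rerun.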
