On 10/07/2014 04:16 AM, Murty, Ajeet (US - Arlington) wrote:
Sorry, messed up copy paste, here is the edited section -

nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+
  rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128
  _sha,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
numSubordinates: 1

I double checked this time. No Null ciphers in dse.ldif files.
Still seeing the Null Cipher in scans.

NOTE: You cannot edit dse.ldif while dirsrv is running. You must ensure dirsrv is not running before you edit dse.ldif.




-----Original Message-----
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Tuesday, October 07, 2014 6:13 AM
To: Murty, Ajeet (US - Arlington)
Cc: Martin Kosek; Nathan Kinder; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports

On Tue, 07 Oct 2014, Murty, Ajeet (US - Arlington) wrote:
I edited both ldif files to remove fortezza_null. Looks like this now -

nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
rtezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
Here I can still see +fortezza_null.

a_export1024_with_des_cbc_sha

Ran the scan again, still seeing Null Cipher -

TLSv1
      NULL-SHA                     Kx=RSA         Au=RSA      Enc=None          
       Mac=SHA1







This message (including any attachments) contains confidential information 
intended for a specific individual and purpose, and is protected by law. If you 
are not the intended recipient, you should delete this message and any 
disclosure, copying, or distribution of this message, or the taking of any 
action based on it, by you is strictly prohibited.

v.E.1


-----Original Message-----
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Tuesday, October 07, 2014 5:46 AM
To: Murty, Ajeet (US - Arlington)
Cc: Martin Kosek; Nathan Kinder; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports

On Tue, 07 Oct 2014, Murty, Ajeet (US - Arlington) wrote:
Hi Martin and Nathan,

Thank you for providing that info.
Unfortunately, my IPA server is running on CentOS, and the latest IPA version 
available through YUM is - 'ipa-server.i686 3.0.0-37.el6'.
The latest version of 389-DS through YUM is - '389-ds-base.i686 
1.2.11.15-34.el6_5 '.

Nessus scan had detected this null cipher -
    TLSv1
      NULL-SHA                     Kx=RSA         Au=RSA      Enc=None          
       Mac=SHA1

I found 2 'dse.ldif' files on disk -
        /etc/dirsrv/slapd-PKI-IPA/dse.ldif
        /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif

In each of them, I found this -
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
rtezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
a_export1024_with_des_cbc_sha


So to disable null cipher, I removed 'rsa_null_md5' from that list -
nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
rtezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
a_export1024_with_des_cbc_sha

I restarted the entire IPA stack, and ran the scan again, I am still seeing 
that Null Cipher.

Any ideas on how to resolve this?
I can see also fortezza_null in the above list, maybe you are getting
into that one?

-----Original Message-----
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Tuesday, September 23, 2014 11:15 AM
To: Nathan Kinder; freeipa-users@redhat.com; Murty, Ajeet (US - Arlington)
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports

On 09/22/2014 10:07 PM, Nathan Kinder wrote:

On 09/22/2014 05:03 AM, Murty, Ajeet (US - Arlington) wrote:
Security scan of FreeIPA server ports uncovered weak, medium and null
ciphers on port 389 and 636. We are running 'ipa-server-3.0.0-37.el6.i686'.

How can I disable/remove these ciphers in my existing setup?
This has recently been worked on in this 389-ds-base ticket:

   https://fedorahosted.org/389/ticket/47838

As mentioned in the initial description of that ticket, you can
configure the allowed ciphers in the "cn=config" entry in 389-ds-base.
You can edit this over LDAP, or by stopping 389-ds-base and editing
/etc/dirsrv/slapd-<REALM>/dse.ldif.

Thanks,
-NGK
You can also check the FreeIPA counterpart:

https://fedorahosted.org/freeipa/ticket/4395

This issue is fixed in FreeIPA 4.0.3 (available in Copr build and Fedora 21+),
we would very much welcome if you can verify that this setup works for you!

Thanks,
Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to