I was shutting down IPA before making any changes - 

1. Shutdown IPA - 

[root]# /etc/init.d/ipa stop
Stopping CA Service
Stopping pki-ca:                                           [  OK  ]
Stopping HTTP Service
Stopping httpd:                                            [  OK  ]
Stopping MEMCACHE Service
Stopping ipa_memcached:                                    [  OK  ]
Stopping KPASSWD Service
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Stopping KDC Service
Stopping Kerberos 5 KDC:                                   [  OK  ]
Stopping Directory Service
Shutting down dirsrv:
    EXAMPLE-COM...                                         [  OK  ]
    PKI-IPA...                                             [  OK  ]

2. Edit 'dse.ldif' files to remove null ciphers - 

nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+
 rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128
 _sha,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
numSubordinates: 1

3. Start IPA - 

[root]# /etc/init.d/ipa start
Starting Directory Service
Starting dirsrv:
    EXAMPLE-COM...                                         [  OK  ]
    PKI-IPA...                                             [  OK  ]
Starting KDC Service
Starting Kerberos 5 KDC:                                   [  OK  ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server:                          [  OK  ]
Starting MEMCACHE Service
Starting ipa_memcached:                                    [  OK  ]
Starting HTTP Service
Starting httpd:                                            [  OK  ]
Starting CA Service
Starting pki-ca:                                           [  OK  ]

4. Run Scan.

Null Ciphers detected again by Nessus - 

        Here is the list of null SSL ciphers supported by the remote server :
          Null Ciphers (no encryption)
            TLSv1
              NULL-SHA                     Kx=RSA         Au=RSA      Enc=None  
               Mac=SHA1   
        The fields above are :
          {OpenSSL ciphername}
        Port
        389 / tcp / ldap        
        636 / tcp / ldap        



Ajeet Murty
Deloitte & Touche LLP
Tel: +1 571 882 5614 | Mobile: +1 704 421 8756
amu...@deloitte.com | www.deloitte.com
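Two things in this thread make the cipher list hard to audit by eye: LDIF folds long values onto continuation lines (a token such as fortezza_null can be split mid-name, as happened in an earlier reply), and a cipher that is merely omitted from the list behaves differently from one that is explicitly disabled with a leading minus. The following script is an added example written for this thread, not FreeIPA or 389-ds code. It unfolds an LDIF excerpt as copied from dse.ldif or from ldapsearch, parses nsSSL3Ciphers, reports every cipher that is switched on and provides no encryption, explicitly disables those, and emits the ldapmodify LDIF for applying the change online. It assumes the attribute lives on cn=encryption,cn=config, which is the entry this example targets, and the sample input is constructed from the values quoted in this thread. One caveat: the script only sees ciphers that are listed. The NULL-SHA that Nessus reports corresponds, to my knowledge, to rsa_null_sha in 389-ds naming, which appears nowhere in the list, so a listed-cipher audit cannot explain a cipher the server enables on its own; the scanner result stays the authority.

```python
"""
Audit a 389-ds nsSSL3Ciphers value for null ciphers and build the ldapmodify
LDIF that replaces it on a running server.

Added example written for this thread; it is not FreeIPA or 389-ds code.
Assumptions: the attribute lives on cn=encryption,cn=config, and the input is
LDIF text as copied from dse.ldif or ldapsearch, where a line starting with a
single space continues the previous line.
"""

# Constructed sample input, folded the way the thread's dse.ldif excerpts are.
# "fortezza_null" is deliberately split across two physical lines here, which
# is exactly the kind of token that is easy to miss when reading the file.
SAMPLE_LDIF = (
    "dn: cn=encryption,cn=config\n"
    "nsSSL3Ciphers: \n"
    " -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,\n"
    " +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo\n"
    " rtezza_rc4_128_sha,+fortezza_nu\n"
    " ll,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs\n"
    " a_export1024_with_des_cbc_sha\n"
    "numSubordinates: 1\n"
)


def unfold_ldif(text):
    """Join LDIF continuation lines (leading single space) onto the line they extend."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def ldif_attr(lines, name):
    """Return the value of the first attribute called `name` (case-insensitive), or None."""
    prefix = name.lower() + ":"
    for line in lines:
        if line.lower().startswith(prefix):
            return line.split(":", 1)[1].strip()
    return None


def parse_ciphers(value):
    """Turn '+a,-b,+c' into [(True, 'a'), (False, 'b'), (True, 'c')]."""
    ciphers = []
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        sign, name = token[0], token[1:].lower()
        if sign not in "+-" or not name:
            raise ValueError("malformed cipher token: %r" % token)
        ciphers.append((sign == "+", name))
    return ciphers


def enabled_null_ciphers(ciphers):
    """Names of ciphers that are switched on and provide no encryption."""
    return [name for on, name in ciphers if on and "null" in name]


def disable_null_ciphers(ciphers):
    """Switch every null cipher to '-' explicitly instead of dropping it from the
    list, so the result does not depend on what the server does with unlisted ciphers."""
    return [(on and "null" not in name, name) for on, name in ciphers]


def format_ciphers(ciphers):
    """Render the parsed list back into 389-ds '+name,-name' syntax."""
    return ",".join(("+" if on else "-") + name for on, name in ciphers)


def ldapmodify_ldif(ciphers, dn="cn=encryption,cn=config"):
    """LDIF for `ldapmodify` that replaces nsSSL3Ciphers on the live server."""
    return "dn: %s\nchangetype: modify\nreplace: nsSSL3Ciphers\nnsSSL3Ciphers: %s\n" % (
        dn, format_ciphers(ciphers))


def audit(ldif_text):
    """Return (parsed cipher list, names of enabled null ciphers) for an LDIF excerpt."""
    value = ldif_attr(unfold_ldif(ldif_text), "nsSSL3Ciphers")
    if value is None:
        raise ValueError("nsSSL3Ciphers not found in input")
    ciphers = parse_ciphers(value)
    return ciphers, enabled_null_ciphers(ciphers)


if __name__ == "__main__":
    ciphers, bad = audit(SAMPLE_LDIF)
    print("enabled null ciphers:", bad or "none")
    print(ldapmodify_ldif(disable_null_ciphers(ciphers)))
```

Save the emitted LDIF to a file and apply it to the running instance with `ldapmodify -x -D "cn=Directory Manager" -W -f ciphers.ldif`, then restart the service. That is the online route Rob describes, and it sidesteps the problem of hand edits to dse.ldif being overwritten when 389-ds writes the file at shutdown. The change has to be made once per instance, so in this setup both the EXAMPLE-COM and the PKI-IPA directory servers need it.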




-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: Tuesday, October 07, 2014 10:19 AM
To: Murty, Ajeet (US - Arlington); Alexander Bokovoy
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports

Murty, Ajeet (US - Arlington) wrote:
> Sorry, messed up copy paste, here is the edited section - 
> 
> nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+
>  rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128
>  _sha,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
> numSubordinates: 1
> 
> I double checked this time. No Null ciphers in dse.ldif files.
> Still seeing the Null Cipher in scans.
> 

Are you shutting down the server(s) before modifying dse.ldif or are you
doing the changes online using ldapmodify?

389-ds writes dse.ldif during shutdown so if you make changes while the
server is up and then restart it those changes will be lost.

rob

> 
> 
> -----Original Message-----
> From: Alexander Bokovoy [mailto:aboko...@redhat.com] 
> Sent: Tuesday, October 07, 2014 6:13 AM
> To: Murty, Ajeet (US - Arlington)
> Cc: Martin Kosek; Nathan Kinder; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
> 
> On Tue, 07 Oct 2014, Murty, Ajeet (US - Arlington) wrote:
>> I edited both ldif files to remove fortezza_null. Looks like this now -
>>
>> nsSSL3Ciphers: 
>> -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
>> +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
>> rtezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
> Here I can still see +fortezza_null.
> 
>> a_export1024_with_des_cbc_sha
>>
>> Ran the scan again, still seeing Null Cipher -
>>
>> TLSv1
>>      NULL-SHA                     Kx=RSA         Au=RSA      Enc=None        
>>          Mac=SHA1
>>
>>
>> -----Original Message-----
>> From: Alexander Bokovoy [mailto:aboko...@redhat.com]
>> Sent: Tuesday, October 07, 2014 5:46 AM
>> To: Murty, Ajeet (US - Arlington)
>> Cc: Martin Kosek; Nathan Kinder; freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
>>
>> On Tue, 07 Oct 2014, Murty, Ajeet (US - Arlington) wrote:
>>> Hi Martin and Nathan,
>>>
>>> Thank you for providing that info.
>>> Unfortunately, my IPA server is running on CentOS, and the latest IPA 
>>> version available through YUM is - 'ipa-server.i686 3.0.0-37.el6'.
>>> The latest version of 389-DS through YUM is - '389-ds-base.i686 
>>> 1.2.11.15-34.el6_5 '.
>>>
>>> Nessus scan had detected this null cipher -
>>>    TLSv1
>>>      NULL-SHA                     Kx=RSA         Au=RSA      Enc=None       
>>>           Mac=SHA1
>>>
>>> I found 2 'dse.ldif' files on disk -
>>>        /etc/dirsrv/slapd-PKI-IPA/dse.ldif
>>>        /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif
>>>
>>> In each of them, I found this -
>>> nsSSL3Ciphers: 
>>> -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
>>> +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
>>> rtezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
>>> a_export1024_with_des_cbc_sha
>>>
>>>
>>> So to disable null cipher, I removed 'rsa_null_md5' from that list -
>>> nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
>>> +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
>>> rtezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
>>> a_export1024_with_des_cbc_sha
>>>
>>> I restarted the entire IPA stack, and ran the scan again, I am still seeing 
>>> that Null Cipher.
>>>
>>> Any ideas on how to resolve this?
>> I can see also fortezza_null in the above list, maybe you are getting
>> into that one?
>>
>>>
>>> -----Original Message-----
>>> From: Martin Kosek [mailto:mko...@redhat.com]
>>> Sent: Tuesday, September 23, 2014 11:15 AM
>>> To: Nathan Kinder; freeipa-users@redhat.com; Murty, Ajeet (US - Arlington)
>>> Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
>>>
>>> On 09/22/2014 10:07 PM, Nathan Kinder wrote:
>>>>
>>>>
>>>> On 09/22/2014 05:03 AM, Murty, Ajeet (US - Arlington) wrote:
>>>>> Security scan of FreeIPA server ports uncovered weak, medium and null
>>>>> ciphers on port 389 and 636. We are running 
>>>>> 'ipa-server-3.0.0-37.el6.i686'.
>>>>>
>>>>> How can I disable/remove these ciphers in my existing setup?
>>>>
>>>> This has recently been worked on in this 389-ds-base ticket:
>>>>
>>>>   https://fedorahosted.org/389/ticket/47838
>>>>
>>>> As mentioned in the initial description of that ticket, you can
>>>> configure the allowed ciphers in the "cn=config" entry in 389-ds-base.
>>>> You can edit this over LDAP, or by stopping 389-ds-base and editing
>>>> /etc/dirsrv/slapd-<REALM>/dse.ldif.
>>>>
>>>> Thanks,
>>>> -NGK
>>>
>>> You can also check the FreeIPA counterpart:
>>>
>>> https://fedorahosted.org/freeipa/ticket/4395
>>>
>>> This issue is fixed in FreeIPA 4.0.3 (available in Copr build and Fedora 
>>> 21+),
>>> we would very much welcome if you can verify that this setup works for you!
>>>
>>> Thanks,
>>> Martin
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go To http://freeipa.org for more info on the project
>>
>> --
>> / Alexander Bokovoy
> 

