On Tue, 07 Oct 2014, Murty, Ajeet (US - Arlington) wrote:
I was shutting down IPA before making any changes -

1. Shutdown IPA -

[root]# /etc/init.d/ipa stop
Stopping CA Service
Stopping pki-ca:                                           [  OK  ]
Stopping HTTP Service
Stopping httpd:                                            [  OK  ]
Stopping MEMCACHE Service
Stopping ipa_memcached:                                    [  OK  ]
Stopping KPASSWD Service
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Stopping KDC Service
Stopping Kerberos 5 KDC:                                   [  OK  ]
Stopping Directory Service
Shutting down dirsrv:
   EXAMPLE-COM...                                         [  OK  ]
   PKI-IPA...                                             [  OK  ]

2. Edit 'dse.ldif' files to remove null ciphers -

nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+
numSubordinates: 1
I think Ludwig gave a good suggestion -- instead of removing them from
the list, prefix the *_null ciphers with -, i.e. -rsa_null_md5, -fortezza_null.
The way nsSSL3Ciphers attribute works, is by modifying default NSS
ciphers list, with + and - to add and remove the ciphers accordingly.

/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to