On Tue, 07 Oct 2014, Murty, Ajeet (US - Arlington) wrote:
I was shutting down IPA before making any changes -

1. Shutdown IPA -

[root]# /etc/init.d/ipa stop
Stopping CA Service
Stopping pki-ca:                                           [  OK  ]
Stopping HTTP Service
Stopping httpd:                                            [  OK  ]
Stopping MEMCACHE Service
Stopping ipa_memcached:                                    [  OK  ]
Stopping KPASSWD Service
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Stopping KDC Service
Stopping Kerberos 5 KDC:                                   [  OK  ]
Stopping Directory Service
Shutting down dirsrv:
   EXAMPLE-COM...                                         [  OK  ]
   PKI-IPA...                                             [  OK  ]

2. Edit 'dse.ldif' files to remove null ciphers -

nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+
rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128
_sha,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
numSubordinates: 1

I think Ludwig gave a good suggestion -- instead of removing them from
the list, prefix the *_null ciphers with -, i.e. -rsa_null_md5, -fortezza_null.
The way the nsSSL3Ciphers attribute works is by modifying the default NSS
cipher list, with + and - to add and remove ciphers accordingly.

--
/ Alexander Bokovoy
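
The suggestion above, as an added example that is not part of the original thread or of FreeIPA: a Python helper that unfolds the nsSSL3Ciphers line of a dse.ldif and turns every null cipher into an explicit `-` entry instead of deleting it. The function names and the sample LDIF are constructed for illustration, and treating any cipher name containing `_null` as a null cipher is an assumption that goes beyond the two names given in the thread.

```python
import re

# Null ciphers named in the thread; any other name containing "_null" is
# also disabled (an assumption of this example).
NULL_CIPHERS = ("rsa_null_md5", "fortezza_null")

# Constructed sample, not taken from a real server: a folded nsSSL3Ciphers value.
SAMPLE = (
    "dn: cn=encryption,cn=config\n"
    "nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_3des_sha,+fortez\n"
    " za_null,+rsa_fips_3des_sha\n"
    "numSubordinates: 1\n"
)

def unfold(ldif_text):
    """Join LDIF continuation lines (a newline followed by one space)."""
    return ldif_text.replace("\n ", "")

def disable_null_ciphers(value):
    """Return the cipher list with every null cipher explicitly prefixed by '-'."""
    out, seen = [], set()
    for tok in (t.strip() for t in value.split(",")):
        if not tok:
            continue
        name = tok.lstrip("+-")
        if "_null" in name:
            tok = "-" + name          # flip +x_null to -x_null, keep -x_null
        if tok not in seen:           # drop duplicates created by the flip
            seen.add(tok)
            out.append(tok)
    for name in NULL_CIPHERS:         # add the explicit '-' entry if absent
        if "-" + name not in seen:
            out.append("-" + name)
    return ",".join(out)

def harden_dse(ldif_text):
    """Rewrite every nsSSL3Ciphers line; all other lines are only unfolded."""
    return re.sub(
        r"(?im)^(nsSSL3Ciphers:[ \t]*)(.*)$",
        lambda m: m.group(1) + disable_null_ciphers(m.group(2)),
        unfold(ldif_text),
    )

if __name__ == "__main__":
    print(harden_dse(SAMPLE), end="")
```

As in step 1 of the quoted message, the directory server should be stopped before the rewritten dse.ldif is put in place.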
