I shut down IPA and modified both dse.ldif files to look like this -
nsSSL3Ciphers:
-rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
a_export1024_with_des_cbc_sha
Then, when I try to start up IPA, I get this error message -
[root]# /etc/init.d/ipa start
Starting Directory Service
Starting dirsrv:
EXAMPLE-COM...[07/Oct/2014:12:49:59 -0400] -
str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] - The entry [nsSSL3Ciphers] in the
configfile /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif was empty or could not be
parsed
[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] - The entry [numSubordinates] in the
configfile /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif was empty or could not be
parsed
[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry (lineno:
116) in file /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif failed.
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section
[nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
a_export1024_with ...]
[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry (lineno:
121) in file /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif failed.
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section
[numSubordinates: 1]
[07/Oct/2014:12:49:59 -0400] dse - Could not load config file [dse.ldif]
[07/Oct/2014:12:49:59 -0400] dse - Please edit the file to correct the
reported problems and then restart the server.
[FAILED]
PKI-IPA...[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck:
entry has no dn
[07/Oct/2014:12:49:59 -0400] - The entry [nsSSL3Ciphers] in the
configfile /etc/dirsrv/slapd-PKI-IPA/dse.ldif was empty or could not be parsed
[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] - The entry [numSubordinates] in the
configfile /etc/dirsrv/slapd-PKI-IPA/dse.ldif was empty or could not be parsed
[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry (lineno:
110) in file /etc/dirsrv/slapd-PKI-IPA/dse.ldif failed.
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section
[nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
a_export1024_with ...]
[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry (lineno:
115) in file /etc/dirsrv/slapd-PKI-IPA/dse.ldif failed.
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section
[numSubordinates: 1]
[07/Oct/2014:12:49:59 -0400] dse - Could not load config file [dse.ldif]
[07/Oct/2014:12:49:59 -0400] dse - Please edit the file to correct the
reported problems and then restart the server.
[FAILED]
-----Original Message-----
From: Alexander Bokovoy [mailto:[email protected]]
Sent: Tuesday, October 07, 2014 12:43 PM
To: Murty, Ajeet (US - Arlington)
Cc: Rob Crittenden; Rich Megginson; [email protected]
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
On Tue, 07 Oct 2014, Murty, Ajeet (US - Arlington) wrote:
>I was shutting down IPA before making any changes -
>
>1. Shutdown IPA -
>
>[root]# /etc/init.d/ipa stop
>Stopping CA Service
>Stopping pki-ca: [ OK ]
>Stopping HTTP Service
>Stopping httpd: [ OK ]
>Stopping MEMCACHE Service
>Stopping ipa_memcached: [ OK ]
>Stopping KPASSWD Service
>Stopping Kerberos 5 Admin Server: [ OK ]
>Stopping KDC Service
>Stopping Kerberos 5 KDC: [ OK ]
>Stopping Directory Service
>Shutting down dirsrv:
> EXAMPLE-COM... [ OK ]
> PKI-IPA... [ OK ]
>
>2. Edit 'dse.ldif' files to remove null ciphers -
>
>nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+
> rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128
> _sha,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
>numSubordinates: 1
I think Ludwig gave a good suggestion -- instead of removing them from
the list, prefix the *_null ciphers with -, i.e. -rsa_null_md5, -fortezza_null.
The way the nsSSL3Ciphers attribute works is by modifying the default NSS
cipher list, with + and - to add and remove ciphers accordingly.
--
/ Alexander Bokovoy
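Added example, not code from either message or from 389-ds: a small Python checker that models the two points raised in this thread, how dse.ldif is read as blank-line-separated LDIF entries with space-folded continuation lines (an entry with no dn line is what produces "entry has no dn"), and the +/- semantics of nsSSL3Ciphers as Alexander describes them. The sample fragment and DEFAULT_CIPHERS are constructed stand-ins, not a real server's file or the real NSS default list.

```python
import re

# Constructed fragment; the blank line makes "numSubordinates: 1" a second entry with no dn.
SAMPLE_LDIF = """\
dn: cn=encryption,cn=config
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_3des_sha,
 +fortezza,-fortezza_null,+tls_rsa_export1024_with_des_cbc_sha

numSubordinates: 1
"""
# Assumed stand-in for the NSS default list; the real one depends on the NSS/389-ds version.
DEFAULT_CIPHERS = {"rsa_null_md5", "rsa_rc4_128_md5", "rsa_3des_sha", "fortezza_null"}

def parse_ldif(text):
    """Blank-line-separated entries, ' '-continued lines unfolded (RFC 2849); returns [(dn, {attr: [values]})]."""
    entries = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        attrs, dn = {}, None
        for line in re.sub(r"\n ", "", chunk).splitlines():
            name, _, value = (s.strip() for s in line.partition(":"))
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        entries.append((dn, attrs))
    return entries

def effective_ciphers(spec, default=DEFAULT_CIPHERS):
    """Apply nsSSL3Ciphers to the default set: +name enables, -name disables, unmentioned ciphers keep their default."""
    enabled = set(default)
    for token in filter(None, spec.replace(" ", "").split(",")):
        op, name = token[0], token[1:].lower()
        if op == "+":
            enabled.add(name)
        elif op == "-":
            enabled.discard(name)
        else:
            raise ValueError(f"cipher token must start with + or -: {token!r}")
    return enabled

def audit(text, default=DEFAULT_CIPHERS):
    """Report entries that would not load (no dn) and null ciphers still enabled."""
    problems = []
    for i, (dn, attrs) in enumerate(parse_ldif(text), 1):
        if dn is None:
            problems.append(f"entry {i} has no dn: {list(attrs)}")
        for spec in attrs.get("nsSSL3Ciphers", []):
            weak = sorted(c for c in effective_ciphers(spec, default) if "null" in c)
            if weak:
                problems.append(f"{dn}: null ciphers still enabled: {weak}")
    return problems
```

Running audit(SAMPLE_LDIF) flags only the dn-less second entry; leaving a null cipher out of the list, as in the earlier edit, does not disable it, whereas prefixing it with - does.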