Any ideas on what else I can try here?
Also, can we expect the new IPA and DS to be available in the CentOS/YUM 
repository in the next few weeks/months?

Thanks again for all your help.


-----Original Message-----
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Murty, Ajeet (US - 
Arlington)
Sent: Tuesday, October 07, 2014 1:21 PM
To: Alexander Bokovoy
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports

I removed the new lines, looks like this now - 

modifyTimestamp: 20140915221826Z
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
 rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
 a_export1024_with_des_cbc_sha
numSubordinates: 1

I am still seeing the null ciphers in my scan results.



-----Original Message-----
From: Alexander Bokovoy [mailto:aboko...@redhat.com] 
Sent: Tuesday, October 07, 2014 1:08 PM
To: Murty, Ajeet (US - Arlington)
Cc: Rob Crittenden; Rich Megginson; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports

On Tue, 07 Oct 2014, Murty, Ajeet (US - Arlington) wrote:
>I shutdown IPA and modified both dse ldif files to look like this -
>
>        nsSSL3Ciphers: 
> -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
>         
> +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
>         
> rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
>         a_export1024_with_des_cbc_sha
>
>
>Then, when I try to start up IPA, I get this error message -
>
>        [root]# /etc/init.d/ipa start
>        Starting Directory Service
>        Starting dirsrv:
>                EXAMPLE-COM...[07/Oct/2014:12:49:59 -0400] - 
> str2entry_dupcheck: entry has no dn
>        [07/Oct/2014:12:49:59 -0400] - The entry [nsSSL3Ciphers] in the 
> configfile /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif was empty or could not be 
> parsed
>        [07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
The lines above suggest that you actually separated nsSSL3Ciphers line
from the entry itself. At least in my case it looks like this:

dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20141001151245Z
modifyTimestamp: 20141001151430Z
nsSSL3Ciphers: +all
allowWeakCipher: off
numSubordinates: 1

note that it is part of cn=encryption,cn=config entry. You cannot
separate attributes within the entry with empty lines because empty line
finishes current entry and starts another one.

>        [07/Oct/2014:12:49:59 -0400] - The entry [numSubordinates] in the 
> configfile /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif was empty or could not be 
> parsed
>        [07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
>        [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry 
> (lineno: 116) in file /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif failed.
>        [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section 
> [nsSSL3Ciphers: 
> -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
>         
> +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
>         
> rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
>         a_export1024_with ...]
>        [07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
>        [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry 
> (lineno: 121) in file /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif failed.
>        [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section 
> [numSubordinates: 1]
>        [07/Oct/2014:12:49:59 -0400] dse - Could not load config file 
> [dse.ldif]
>        [07/Oct/2014:12:49:59 -0400] dse - Please edit the file to correct the 
> reported problems and then restart the server.
>                                                                               
>                                             [FAILED]
>                PKI-IPA...[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: 
> entry has no dn
>        [07/Oct/2014:12:49:59 -0400] - The entry [nsSSL3Ciphers] in the 
> configfile /etc/dirsrv/slapd-PKI-IPA/dse.ldif was empty or could not be parsed
>        [07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
>        [07/Oct/2014:12:49:59 -0400] - The entry [numSubordinates] in the 
> configfile /etc/dirsrv/slapd-PKI-IPA/dse.ldif was empty or could not be parsed
>        [07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
>        [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry 
> (lineno: 110) in file /etc/dirsrv/slapd-PKI-IPA/dse.ldif failed.
>        [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section 
> [nsSSL3Ciphers: 
> -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
>         
> +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
>         
> rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
>         a_export1024_with ...]
>        [07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
>        [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry 
> (lineno: 115) in file /etc/dirsrv/slapd-PKI-IPA/dse.ldif failed.
>        [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section 
> [numSubordinates: 1]
>        [07/Oct/2014:12:49:59 -0400] dse - Could not load config file 
> [dse.ldif]
>        [07/Oct/2014:12:49:59 -0400] dse - Please edit the file to correct the 
> reported problems and then restart the server.
>                                                                               
>                                             [FAILED]
>
>
>
>
>
>
>
>This message (including any attachments) contains confidential information 
>intended for a specific individual and purpose, and is protected by law. If 
>you are not the intended recipient, you should delete this message and any 
>disclosure, copying, or distribution of this message, or the taking of any 
>action based on it, by you is strictly prohibited.
>
>v.E.1
>
>
>-----Original Message-----
>From: Alexander Bokovoy [mailto:aboko...@redhat.com]
>Sent: Tuesday, October 07, 2014 12:43 PM
>To: Murty, Ajeet (US - Arlington)
>Cc: Rob Crittenden; Rich Megginson; freeipa-users@redhat.com
>Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
>
>On Tue, 07 Oct 2014, Murty, Ajeet (US - Arlington) wrote:
>>I was shutting down IPA before making any changes -
>>
>>1. Shutdown IPA -
>>
>>[root]# /etc/init.d/ipa stop
>>Stopping CA Service
>>Stopping pki-ca:                                           [  OK  ]
>>Stopping HTTP Service
>>Stopping httpd:                                            [  OK  ]
>>Stopping MEMCACHE Service
>>Stopping ipa_memcached:                                    [  OK  ]
>>Stopping KPASSWD Service
>>Stopping Kerberos 5 Admin Server:                          [  OK  ]
>>Stopping KDC Service
>>Stopping Kerberos 5 KDC:                                   [  OK  ]
>>Stopping Directory Service
>>Shutting down dirsrv:
>>    EXAMPLE-COM...                                         [  OK  ]
>>    PKI-IPA...                                             [  OK  ]
>>
>>2. Edit 'dse.ldif' files to remove null ciphers -
>>
>>nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+
>> rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128
>> _sha,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
>>numSubordinates: 1
>I think Ludwig gave a good suggestion -- instead of removing them from
>the list, prefix the *_null ciphers with -, i.e. -rsa_null_md5, -fortezza_null.
>The way nsSSL3Ciphers attribute works, is by modifying default NSS
>ciphers list, with + and - to add and remove the ciphers accordingly.
>
>--
>/ Alexander Bokovoy

-- 
/ Alexander Bokovoy

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to