On 10/07/2014 10:15 PM, Murty, Ajeet (US - Arlington) wrote:
Any ideas on what else I can try here?


Please file a ticket.

Also, can we expect the new IPA and DS to be available in the CentOS/YUM 
repository in the next few weeks/months?

Thanks again for all your help.


-----Original Message-----
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Murty, Ajeet (US - 
Arlington)
Sent: Tuesday, October 07, 2014 1:21 PM
To: Alexander Bokovoy
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports

I removed the new lines, looks like this now -

modifyTimestamp: 20140915221826Z
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
  +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
  rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
  a_export1024_with_des_cbc_sha
numSubordinates: 1

I am still seeing the null ciphers in my scan results.



-----Original Message-----
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Tuesday, October 07, 2014 1:08 PM
To: Murty, Ajeet (US - Arlington)
Cc: Rob Crittenden; Rich Megginson; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports

On Tue, 07 Oct 2014, Murty, Ajeet (US - Arlington) wrote:
I shutdown IPA and modified both dse ldif files to look like this -

        nsSSL3Ciphers: 
-rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
         
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
         
rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
         a_export1024_with_des_cbc_sha


Then, when I try to start up IPA, I get this error message -

        [root]# /etc/init.d/ipa start
        Starting Directory Service
        Starting dirsrv:
                EXAMPLE-COM...[07/Oct/2014:12:49:59 -0400] - 
str2entry_dupcheck: entry has no dn
        [07/Oct/2014:12:49:59 -0400] - The entry [nsSSL3Ciphers] in the 
configfile /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif was empty or could not be 
parsed
        [07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
The lines above suggest that you actually separated nsSSL3Ciphers line
from the entry itself. At least in my case it looks like this:

dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20141001151245Z
modifyTimestamp: 20141001151430Z
nsSSL3Ciphers: +all
allowWeakCipher: off
numSubordinates: 1

note that it is part of cn=encryption,cn=config entry. You cannot
separate attributes within the entry with empty lines because empty line
finishes current entry and starts another one.

        [07/Oct/2014:12:49:59 -0400] - The entry [numSubordinates] in the 
configfile /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif was empty or could not be 
parsed
        [07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
        [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry (lineno: 
116) in file /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif failed.
        [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section 
[nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
         
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
         
rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
         a_export1024_with ...]
        [07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
        [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry (lineno: 
121) in file /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif failed.
        [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section 
[numSubordinates: 1]
        [07/Oct/2014:12:49:59 -0400] dse - Could not load config file [dse.ldif]
        [07/Oct/2014:12:49:59 -0400] dse - Please edit the file to correct the 
reported problems and then restart the server.
                                                                                
                                           [FAILED]
                PKI-IPA...[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: 
entry has no dn
        [07/Oct/2014:12:49:59 -0400] - The entry [nsSSL3Ciphers] in the 
configfile /etc/dirsrv/slapd-PKI-IPA/dse.ldif was empty or could not be parsed
        [07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
        [07/Oct/2014:12:49:59 -0400] - The entry [numSubordinates] in the 
configfile /etc/dirsrv/slapd-PKI-IPA/dse.ldif was empty or could not be parsed
        [07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
        [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry (lineno: 
110) in file /etc/dirsrv/slapd-PKI-IPA/dse.ldif failed.
        [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section 
[nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
         
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
         
rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
         a_export1024_with ...]
        [07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
        [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry (lineno: 
115) in file /etc/dirsrv/slapd-PKI-IPA/dse.ldif failed.
        [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section 
[numSubordinates: 1]
        [07/Oct/2014:12:49:59 -0400] dse - Could not load config file [dse.ldif]
        [07/Oct/2014:12:49:59 -0400] dse - Please edit the file to correct the 
reported problems and then restart the server.
                                                                                
                                           [FAILED]







This message (including any attachments) contains confidential information 
intended for a specific individual and purpose, and is protected by law. If you 
are not the intended recipient, you should delete this message and any 
disclosure, copying, or distribution of this message, or the taking of any 
action based on it, by you is strictly prohibited.

v.E.1


-----Original Message-----
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Tuesday, October 07, 2014 12:43 PM
To: Murty, Ajeet (US - Arlington)
Cc: Rob Crittenden; Rich Megginson; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports

On Tue, 07 Oct 2014, Murty, Ajeet (US - Arlington) wrote:
I was shutting down IPA before making any changes -

1. Shutdown IPA -

[root]# /etc/init.d/ipa stop
Stopping CA Service
Stopping pki-ca:                                           [  OK  ]
Stopping HTTP Service
Stopping httpd:                                            [  OK  ]
Stopping MEMCACHE Service
Stopping ipa_memcached:                                    [  OK  ]
Stopping KPASSWD Service
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Stopping KDC Service
Stopping Kerberos 5 KDC:                                   [  OK  ]
Stopping Directory Service
Shutting down dirsrv:
    EXAMPLE-COM...                                         [  OK  ]
    PKI-IPA...                                             [  OK  ]

2. Edit 'dse.ldif' files to remove null ciphers -

nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+
rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128
_sha,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
numSubordinates: 1
I think Ludwig gave a good suggestion -- instead of removing them from
the list, prefix the *_null ciphers with -, i.e. -rsa_null_md5, -fortezza_null.
The way nsSSL3Ciphers attribute works, is by modifying default NSS
ciphers list, with + and - to add and remove the ciphers accordingly.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to