No difference. It is as if this setting is being overwritten somewhere deep
in 389ds, because the "error" log correctly reflects the changes, but the
actual process does not. (And yes, I verified that the process actually
shuts down and starts up again when I restart it.)

ldapsearch -x -D "cn=directory manager" -W -b "cn=encryption,cn=config"
# encryption, config
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
sslVersionMin: TLS1.0
nsSSL3Ciphers: +all
allowWeakCipher: off
nsSSL3: off
nsSSL2: off
... (skipping nssslenabledciphers's) ...
nsTLS1: on
sslVersionMax: TLS1.2

SLAPD error log got longer:

SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
[23/Sep/2015:09:37:28 -0600] - SSL alert: Configured NSS Ciphers
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_RSA_WITH_SEED_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - 389-Directory/1.3.3.8 B2015.040.128 starting up

SSLScan Output:

sslscan --no-failed localhost:636

...
 Supported Server Cipher(s):
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  128 bits  DES-CBC3-SHA
    Accepted  TLSv1  128 bits  RC4-SHA
    Accepted  TLSv1  128 bits  RC4-MD5
    Accepted  TLS11  256 bits  AES256-SHA
    Accepted  TLS11  128 bits  AES128-SHA
    Accepted  TLS11  128 bits  DES-CBC3-SHA
    Accepted  TLS11  128 bits  RC4-SHA
    Accepted  TLS11  128 bits  RC4-MD5
    Accepted  TLS12  256 bits  AES256-SHA256
    Accepted  TLS12  256 bits  AES256-SHA
    Accepted  TLS12  128 bits  AES128-GCM-SHA256
    Accepted  TLS12  128 bits  AES128-SHA256
    Accepted  TLS12  128 bits  AES128-SHA
    Accepted  TLS12  128 bits  DES-CBC3-SHA
    Accepted  TLS12  128 bits  RC4-SHA
    Accepted  TLS12  128 bits  RC4-MD5


On Wed, Sep 23, 2015 at 8:19 AM, Ludwig Krispenz <lkris...@redhat.com>
wrote:

>
> On 09/23/2015 05:05 PM, Michael Lasevich wrote:
>
> Yes, I am talking about 389ds as is integrated in FreeIPA (would be silly
> to post completely non-IPA questions to this list...).
> I am running FreeIPA 4.1.4 on CentOS 7.1 and RC4 is enabled on port 636 no
> matter what I do.
>
> I am running "CentOS Linux release 7.1.1503 (Core)"
>
> Relevant Packages:
>
> freeipa-server-4.1.4-1.el7.centos.x86_64
> 389-ds-base-1.3.3.8-1.el7.centos.x86_64
> nss-3.19.1-5.el7_1.x86_64
> openssl-1.0.1e-42.el7.9.x86_64
>
> LDAP setting (confirmed that in error.log there is no mention of RC4 in
> list of ciphers):
>
> nsSSL3Ciphers:
> -rc4,-rc4export,-rc2,-rc2export,-des,-desede3,-rsa_rc4_128_md5,-rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,+rsa_fips_3des_sha,+fips_3des_sha,-rsa_fips_des_sha,-fips_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,-tls_rsa_export1024_with_rc4_56_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha,-rsa_des_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-dhe_dss_des_sha,+dhe_dss_3des_sha,-dhe_rsa_des_sha,+dhe_rsa_3des_sha,+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,+tls_dhe_dss_aes_256_sha,+tls_dhe_rsa_aes_256_sha,-tls_dhe_dss_1024_rc4_sha,-tls_dhe_dss_rc4_128_sha
>
> with ipa the config entry should contain:
>
> dn: cn=encryption,cn=config
> allowWeakCipher: off
> nsSSL3Ciphers: +all
>
> could you try this setting
>
> Slapd "error" log showing no ciphersuites supporting RC4:
>
> [23/Sep/2015:08:51:04 -0600] SSL Initialization - Configured SSL version
> range: min: TLS1.0, max: TLS1.2
> [23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite fortezza is not
> available in NSS 3.16.  Ignoring fortezza
> [23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite
> fortezza_rc4_128_sha is not available in NSS 3.16.  Ignoring
> fortezza_rc4_128_sha
> [23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite fortezza_null is
> not available in NSS 3.16.  Ignoring fortezza_null
> [23/Sep/2015:08:51:04 -0600] - SSL alert: Configured NSS Ciphers
> [23/Sep/2015:08:51:04 -0600] - SSL alert:
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
> [23/Sep/2015:08:51:04 -0600] - SSL alert:
> TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
> [23/Sep/2015:08:51:04 -0600] - SSL alert:
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
> [23/Sep/2015:08:51:04 -0600] - SSL alert:
> TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
> [23/Sep/2015:08:51:04 -0600] - SSL alert:
> TLS_RSA_WITH_AES_128_CBC_SHA: enabled
> [23/Sep/2015:08:51:04 -0600] - SSL alert:
> TLS_RSA_WITH_AES_256_CBC_SHA: enabled
> [23/Sep/2015:08:51:04 -0600] - 389-Directory/1.3.3.8 B2015.040.128
> starting up
>
> But sslscan returns:
>
> $ sslscan --no-failed localhost:636
> ...
>
> Supported Server Cipher(s):
>
>     Accepted  TLSv1  256 bits  AES256-SHA
>     Accepted  TLSv1  128 bits  AES128-SHA
>     Accepted  TLSv1  128 bits  DES-CBC3-SHA
>     Accepted  TLSv1  128 bits  RC4-SHA
>     Accepted  TLSv1  128 bits  RC4-MD5
>     Accepted  TLS11  256 bits  AES256-SHA
>     Accepted  TLS11  128 bits  AES128-SHA
>     Accepted  TLS11  128 bits  DES-CBC3-SHA
>     Accepted  TLS11  128 bits  RC4-SHA
>     Accepted  TLS11  128 bits  RC4-MD5
>     Accepted  TLS12  256 bits  AES256-SHA256
>     Accepted  TLS12  256 bits  AES256-SHA
>     Accepted  TLS12  128 bits  AES128-GCM-SHA256
>     Accepted  TLS12  128 bits  AES128-SHA256
>     Accepted  TLS12  128 bits  AES128-SHA
>     Accepted  TLS12  128 bits  DES-CBC3-SHA
>     Accepted  TLS12  128 bits  RC4-SHA
>     Accepted  TLS12  128 bits  RC4-MD5
>
> ...
>
>
> I would assume the sslscan is broken, but nmap and other scanners all
> confirm that RC4 is still on.
>
> -M
>
> On Wed, Sep 23, 2015 at 3:35 AM, Martin Kosek <mko...@redhat.com> wrote:
>
>> On 09/23/2015 11:00 AM, Michael Lasevich wrote:
>> > OK, this is a most bizarre issue,
>> >
>> > I am trying to disable RC4 based TLS Cipher Suites in LDAPs(port 636)
>> and
>> > for the life of me cannot get it to work
>> >
>> > I have followed many nearly identical instructions to create ldif file
>> and
>> > change "nsSSL3Ciphers" in "cn=encryption,cn=config". Seems simple
>> enough -
>> > and I get it to take, and during the startup I can see the right SSL
>> Cipher
>> > Suites listed in errors.log - but when it starts and I probe it, RC4
>> > ciphers are still there. I am completely confused.
>> >
>> > I tried setting "nsSSL3Ciphers" to "default" (which does not have "RC4")
>> > and to old style cipher lists (lowercase), and new style cipher
>> > lists (uppercase), and nothing seems to make any difference.
>> >
>> > Any ideas?
>> >
>> > -M
>>
>> Are you asking about standalone 389-DS or the one integrated in FreeIPA?
>> As
>> with currently supported versions of FreeIPA, RC4 ciphers should be
>> already
>> gone, AFAIK.
>>
>> In RHEL/CentOS world, it should be fixed in 6.7/7.1 or later:
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1154687
>> https://fedorahosted.org/freeipa/ticket/4653
>>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
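The core symptom in this thread is that the "Configured NSS Ciphers" block in the slapd error log and the sslscan result disagree. As an added example (not from the thread, FreeIPA or 389-ds), the Python below parses both formats from constructed samples, maps sslscan's OpenSSL suite names to the IANA names the log uses, and flags weak suites the listener accepts plus any accepted suite the log never listed as enabled; the name mapping covers only the suites seen in this thread.

```python
import re

# Constructed samples (not the thread's full output): the slapd error log lists
# what 389-ds believes it configured; sslscan reports what the listener accepts.
SLAPD_ERRORS_LOG = """\
[23/Sep/2015:09:37:28 -0600] - SSL alert: Configured NSS Ciphers
[23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - 389-Directory/1.3.3.8 B2015.040.128 starting up
"""
SSLSCAN_OUTPUT = """\
 Supported Server Cipher(s):
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  128 bits  RC4-SHA
    Accepted  TLS12  128 bits  AES128-GCM-SHA256
    Accepted  TLS12  128 bits  RC4-MD5
"""

# sslscan prints OpenSSL suite names; the slapd log prints IANA names. Only the
# suites that appear in this thread are mapped here.
OPENSSL_TO_IANA = {
    "AES256-SHA": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "AES128-SHA": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "AES256-SHA256": "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "AES128-SHA256": "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "AES128-GCM-SHA256": "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "DES-CBC3-SHA": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "RC4-SHA": "TLS_RSA_WITH_RC4_128_SHA",
    "RC4-MD5": "TLS_RSA_WITH_RC4_128_MD5",
}
WEAK = re.compile(r"RC4|MD5|DES|NULL|EXPORT")  # suites a defender wants gone

def parse_slapd_ciphers(log_text):
    """Suites the 'Configured NSS Ciphers' block reports as enabled.
    \\s+ also absorbs the line wrap mail clients insert after 'SSL alert:'."""
    return set(re.findall(r"SSL alert:\s+(TLS_\w+): enabled", log_text))

def parse_sslscan(scan_text):
    """OpenSSL names of every suite sslscan reports as Accepted."""
    return set(re.findall(r"^\s*Accepted\s+\S+\s+\d+ bits\s+(\S+)", scan_text, re.M))

def audit(log_text, scan_text):
    """Flag weak suites the listener accepts, and any accepted suite that the
    log does not list as enabled (the configuration drift seen in the thread)."""
    configured = parse_slapd_ciphers(log_text)
    accepted = parse_sslscan(scan_text)
    weak = sorted(c for c in accepted if WEAK.search(c))
    unexpected = sorted(c for c in accepted
                        if OPENSSL_TO_IANA.get(c, c) not in configured)
    return {"weak_accepted": weak, "unexpected": unexpected,
            "ok": not weak and not unexpected}

if __name__ == "__main__":
    for key, val in audit(SLAPD_ERRORS_LOG, SSLSCAN_OUTPUT).items():
        print(f"{key}: {val}")
```

Run against a real errors log and sslscan capture, a non-empty `unexpected` list is the signal that the listener is not using the cipher set the configuration claims, which is exactly the situation the thread describes.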
