On Fri, 06 Nov 2015, Marat Vyshegorodtsev wrote:
Actually, looking at the source code of 389DS it is impossible.

I gave up.

(see screenshot)

Only RSA and some mysterious Fortezza are allowed. NSS'
SSL_ConfigSecureServer actually does support kt_dh, not sure if it applies
to ECDH as well.

I think working around 389DS' SSL code would be harder than just wrapping
port 389 into stunnel, but FreeIPA installer doesn't allow the port 636 to
be used by anyone else.

Seriously, can we just drop Apache+mod_nss and LDAP+libnss? Instead, have
the web GUI wrapped into nginx and LDAP into stunnel?

One may argue that there won't be single sign-on, because Kerberos, but is
anyone seriously using IE anymore?
How IE is relevant here? Are you stuck on Windows without real browsers?

On port 389 we are using SASL GSSAPI which gives you both encryption and

Anyway, I think you are just steaming your frustration here. If you want
constructive discussion, maybe let's start with filing a number of
tickets to 389-ds and FreeIPA to support ECC certificates?

Automating detection and enabling correct cipher types is certainly
worth it.

As you might have seen from a parallel thread, NSS does a terrible job with
sslabs by default. It is almost 2016, TLSv1.3 will be released soon, but it
barely had support of TLSv1.2.
As for now, I suggest writing it in docs and add a check to ipa CLI tools
not to allow ECC certs.
I'm getting A- from ssllabs checks for my server with RSA certificate
and mod_nss, what I'm doing wrong?

A- is mostly for lack of PFS and some certificate chain excess that I'm
planning to fix soon.

HTTP server signature:
Apache/2.4.16 (Fedora) mod_auth_gssapi/1.3.1 mod_nss/2.4.16 NSS/3.19.3 Basic 
ECC PHP/5.6.14 mod_wsgi/4.4.8 Python/2.7.10

It is Fedora 22 with FreeIPA 4.2.2.


2015年11月6日(金) 17:50 Martin Kosek <mko...@redhat.com>:

On 11/05/2015 02:39 PM, Marat Vyshegorodtsev wrote:
> Hi!
> I've been fighting for the past week with FreeIPA and trying to make
> it work with my own CA certificate that is ECDSA_SHA256.
> Even though I somehow fixed /etc/httpd/conf.d/nss.conf to make it work
> (basically added correct NSSCipherSuite), LDAP (389DS) is a tough nut.
> The command I used is:
> ipa-server-install --mkhomedir --hostname 'ipa.mydomain.com' --realm
> MYDOMAIN.COM --domain mydomain.com --ds-password 'DS_PASSWORD_HERE'
> --admin-password 'ADMIN_PASSWORD_HERE' --no-ntp --unattended
> --no-host-dns --dirsrv-cert-file /etc/ipa/ipa.p12 --http-cert-file
> /etc/ipa/ipa.p12 --dirsrv-pin 'PIN_FOR_CERT' --http-pin 'PIN_FOR_CERT'
> --ca-cert-file /etc/ipa/myownca.pem
> In this case, installation fails at the following step:
> Unable to set admin password Command ''/usr/bin/ldappasswd' '-h'
> 'ipa.rpay.us' '-ZZ' '-x' '-D' 'cn=Directory Manager' '-y'
> '/var/lib/ipa/tmp5KkCae' '-T' '/var/lib/ipa/tmpTC27Ap'
> 'uid=admin,cn=users,cn=accounts,dc=rpay,dc=us'' returned non-zero exit
> status 1
> In /var/log/ipaserver-install.log I see a message:
> DEBUG stderr=ldap_start_tls: Protocol error (2)
>         additional info: SSL not supported by this server.
> Basically, LDAP is broken now (it doesn't allow connecting without -ZZ
> flag, and fails with it, since TLS is misconfigured at this point).
> What actually happens, LDAP gets configured to use RSA as a key
> exchange algorithm, and fails, since the cert is an ECC cert.
> In /var/log/dirsrv/slapd-MYDOMAIN-COM/errors you can see:
> [05/Nov/2015:12:22:36 +0000] - SSL alert: ConfigSecureServer: Server
> key/certificate is bad for cert FreeIPA of family
> cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -12200
> - The certificate provided cannot be used with the selected key
> exchange algorithm.)
> This is configured by ipaserver/install/dsinstance.py under def
>        entry = conn.make_entry(
>             DN(('cn', 'RSA'), ('cn', 'encryption'), ('cn', 'config')),
>             objectclass=["top", "nsEncryptionModule"],
>             cn=["RSA"],
>             nsSSLPersonalitySSL=[self.nickname],
>             nsSSLToken=["internal (software)"],
>             nsSSLActivation=["on"],
>         )
>         conn.add_entry(entry)
> My question is, is it possible to replace RSA with ECDSA here? If so,
> what parameters should I pass to LDAP?

Honza or Ludwig, do you know? This is certainly an uncharted territory,
you are
the first person I know about trying to install FreeIPA CA-less with ECC

There is a ticket to get ECC support in PKI (i.e. not CA-less), but it was
completed yet:

> If this is fixable, can someone add autodetect of the type of the
> certificate and enable appropriate algorithms in LDAP and Apache?
> Best regards,
> Marat Vyshegorodtsev

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to