On 01/21/2016 03:31 PM, Terry John wrote:
> I've been trying to tidy the security on my FreeIPA and this is causing me
> some problems. I'm using OpenVAS vulnerability scanner and it is coming up
> with this issue
>
> EXPORT_RSA cipher suites supported by the remote server:
> TLSv1.0: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0006)
> TLSv1.0: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0003)
>
> It seems we have to disable export TLS ciphers but I can't see how. I've
> edited /etc/httpd/conf.d/nss.conf and disabled all SSL and TLSV1.0.
>
> I've got
>
> NSSCipherSuite -all,-exp,+<the ones I want>
>
> I've restarted httpd and ipa but it still fails
>
> Is there something I have overlooked?
>
> Thanks, Terry

Hi Terry,

Please check https://fedorahosted.org/freeipa/ticket/5589

We are trying to come up with a better cipher suite right now. The fix should be in some of the next FreeIPA 4.3.x versions. The ticket has more details in it.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
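
An added example, not part of the thread or of FreeIPA's own code: a small audit that finds every active NSSCipherSuite directive in a set of Apache config files and reports whether the two export suites from the scan are enabled there. It assumes the mod_nss token names rsa_rc4_40_md5 and rsa_rc2_40_md5 for those suites and that a later token overrides an earlier one; the sample configuration and its file names are constructed.

```python
import re

# Assumption: mod_nss token names for the two suites in the scan finding.
EXPORT_TOKENS = {
    "rsa_rc4_40_md5": "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "rsa_rc2_40_md5": "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
}
DIRECTIVE = re.compile(r"^\s*NSSCipherSuite\s+(\S.*?)\s*$", re.IGNORECASE)


def audit(files):
    """Return one finding per active NSSCipherSuite directive in {path: text}."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            match = DIRECTIVE.match(line)
            if not match:  # commented-out directives start with '#' and are skipped
                continue
            state, unparsed = {}, []
            for token in (t.strip() for t in match.group(1).split(",")):
                sign, name = token[:1], token[1:].lower()
                if sign in ("+", "-") and name in EXPORT_TOKENS:
                    # Assumption: tokens apply in order, so the last one wins.
                    state[name] = sign == "+"
                elif sign not in ("+", "-") or not name:
                    unparsed.append(token)  # token without a +/- prefix
            enabled = sorted(EXPORT_TOKENS[n] for n, on in state.items() if on)
            findings.append({"path": path, "line": lineno,
                             "export_enabled": enabled, "unparsed": unparsed})
    return findings


# Constructed sample configuration, not taken from the thread.
SAMPLE = {
    "conf.d/nss.conf": (
        "#NSSCipherSuite +rsa_rc4_40_md5\n"
        "NSSCipherSuite +rsa_3des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5\n"
    ),
    "conf.d/other-vhost.conf": (
        "<VirtualHost *:8443>\n"
        "  NSSCipherSuite +rsa_rc4_128_sha,+rsa_rc4_40_md5,-rsa_rc2_40_md5,+rsa_rc2_40_md5\n"
        "</VirtualHost>\n"
    ),
}

if __name__ == "__main__":
    for f in audit(SAMPLE):
        status = ", ".join(f["export_enabled"]) or "no export suites enabled"
        print(f'{f["path"]}:{f["line"]}: {status}')
```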
