On 01/21/2016 03:31 PM, Terry John wrote:
> I've been trying to tidy the security on my FreeIPA and this is causing me 
> some problems. I'm using OpenVAS vulnerability scanner and it is coming up 
> with this issue
> 
> EXPORT_RSA cipher suites supported by the remote server:
> TLSv1.0: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0006)
> TLSv1.0: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0003)
> 
> It seems we have to disable export  TLS ciphers but I can't see how. I've 
> edited /etc/httpd/conf.d/nss.conf and disabled all SSL and TLSV1.0.
> 
> I've got
> 
> NSSCipherSuite -all,-exp,+<the ones I want>
> 
> I've restarted httpd and ipa but it still fails
> 
> Is there something I have overlooked
> 
> Thanks, Terry
> 
> 
> 
> The Manheim group of companies within the UK comprises: Manheim Europe 
> Limited (registered number: 03183918), Manheim Auctions Limited (registered 
> number: 00448761), Manheim Retail Services Limited (registered number: 
> 02838588), Motors.co.uk Limited (registered number: 05975777), Real Time 
> Communications Limited (registered number: 04277845) and Complete Automotive 
> Solutions Limited (registered number: 05302535). Each of these companies is 
> registered in England and Wales with the registered office address of Central 
> House, Leeds Road, Rothwell, Leeds LS26 0JE. The Manheim group of companies 
> operates under various brand/trading names including Manheim Inspection 
> Services, Manheim Auctions, Manheim Direct, Manheim De-fleet and Manheim 
> Aftersales Solutions.
> 
> V:0CF72C13B2AC

Hi Terry,

Please check
https://fedorahosted.org/freeipa/ticket/5589

We are trying to come up with a better cipher suite right now. The fix should
be in some of the next FreeIPA 4.3.x versions.

The ticket has more details in it.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to