On 2016-01-21 15:51, Martin Kosek wrote:
> On 01/21/2016 03:31 PM, Terry John wrote:
>> I've been trying to tidy the security on my FreeIPA and this is causing me
>> some problems. I'm using OpenVAS vulnerability scanner and it is coming up
>> with this issue
>>
>> EXPORT_RSA cipher suites supported by the remote server:
>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0006)
>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0003)
>>
>> It seems we have to disable export TLS ciphers but I can't see how. I've
>> edited /etc/httpd/conf.d/nss.conf and disabled all SSL and TLSV1.0.
>>
>> I've got
>>
>> NSSCipherSuite -all,-exp,+<the ones I want>
>>
>> I've restarted httpd and ipa but it still fails
>>
>> Is there something I have overlooked
>>
>> Thanks, Terry
Hi Terry,

the syntax of your NSSCipherSuite stanza is wrong. mod_nss has a different syntax for NSSCipherSuite than mod_ssl has for SSLCipherSuite. The native mod_nss syntax doesn't support qualifiers such as 'all' or 'exp'. You have to put in the NSS names of cipher suites. If you use the native syntax, then mod_nss disables all cipher suites that are not listed.

mod_nss also supports OpenSSL's / mod_ssl's syntax if you use ':' instead of ',' as separator. But I advise against the alternative syntax because it is not as well tested as the native syntax. For example, the '!' prefix used to be broken (CVE-2015-5244) and the '+' prefix causes another issue (https://fedorahosted.org/mod_nss/ticket/20).

> Hi Terry,
>
> Please check
> https://fedorahosted.org/freeipa/ticket/5589
>
> We are trying to come up with a better cipher suite right now. The fix should
> be in some of the next FreeIPA 4.3.x versions.
>
> The ticket has more details in it.

The NSSCipherSuite from https://fedorahosted.org/freeipa/ticket/5589#comment:6 has been reviewed by a couple of people and has been tested with ssllabs.com. The script nssciphersuite.py in the ticket explains why certain algorithms and cipher suites have been removed.

Christian
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
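The following shell script is an added example for the mistake Christian describes; it is not code from this thread, from mod_nss or from FreeIPA. It puts a constructed approximation of Terry's stanza (mod_ssl qualifiers with the native ',' separator) beside a stanza written in mod_nss's native syntax and beside the ':'-separated OpenSSL-style form, and it defines a small lint that rejects mod_ssl aliases and unprefixed or '!'-prefixed tokens when the native parser would be used. The suite names (rsa_aes_128_sha, ecdhe_rsa_aes_128_gcm_sha_256 and so on) are assumed to be the lowercase token names mod_nss accepts; confirm them against the mod_nss documentation for your build rather than this example, and for a vetted production list use the stanza from the FreeIPA ticket referenced above.

```shell
#!/bin/sh
# Added example, not code from the thread, mod_nss or FreeIPA.
# Shows the mistake from the question (mod_ssl qualifiers fed to mod_nss's
# native NSSCipherSuite parser) beside a stanza in native syntax, plus a
# small lint that catches the mistake before httpd is restarted.
# Assumption: the suite names below are mod_nss token names (lowercase,
# e.g. rsa_aes_128_sha); verify them for your build before deploying.

# Constructed approximation of the stanza from the question. 'all' and
# 'exp' are mod_ssl aliases; with the ',' separator mod_nss uses its native
# parser, which knows no aliases, so '-exp' never disables the export suites.
BROKEN_STANZA='-all,-exp,+rsa_aes_128_sha,+rsa_aes_256_sha'

# Native syntax: one NSS suite name per token, each prefixed with + or -.
# Every suite that is not listed with '+' stays disabled, so the export
# suites are off whether or not they also appear here with '-'.
FIXED_STANZA='+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5'

# Same intent in the OpenSSL-compatible syntax that ':' selects. The reply
# above advises against it; it is here only so the lint can tell it apart.
OPENSSL_STYLE_STANZA='HIGH:!EXPORT:!RC4:!aNULL'

# lint_nsscipher STANZA
# Prints "openssl" or "native" and returns 0 when the stanza is well formed
# for the parser mod_nss will pick; prints "error: ..." lines and returns 1
# when mod_ssl qualifiers or unprefixed tokens appear in native syntax.
lint_nsscipher() {
    stanza=$1
    status=0
    case $stanza in
        *:*)
            # ':' anywhere selects the OpenSSL-style parser, which does
            # understand aliases such as HIGH or !EXPORT.
            echo openssl
            return 0
            ;;
    esac
    old_ifs=$IFS
    IFS=','
    for tok in $stanza; do
        case $tok in
            [+-]*) name=${tok#?} ;;
            *)
                echo "error: '$tok' has no +/- prefix ('!' is not native syntax)"
                status=1
                continue
                ;;
        esac
        lname=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        case $lname in
            all|exp|export|high|medium|low|null|enull|anull|default|complementofall)
                echo "error: '$tok' is a mod_ssl qualifier, not an NSS suite name"
                status=1
                ;;
        esac
    done
    IFS=$old_ifs
    [ "$status" -eq 0 ] && echo native
    return "$status"
}

# Lint all three stanzas; only the broken one should be rejected.
for s in "$BROKEN_STANZA" "$FIXED_STANZA" "$OPENSSL_STYLE_STANZA"; do
    echo "NSSCipherSuite $s"
    lint_nsscipher "$s" || echo "  -> fix this stanza before restarting httpd"
done

# Deploy (needs root on the IPA server; deliberately not run here):
#   sed -i "s|^NSSCipherSuite .*|NSSCipherSuite $FIXED_STANZA|" /etc/httpd/conf.d/nss.conf
#   systemctl restart httpd
# Then re-scan from outside before trusting the change, for example with
#   nmap --script ssl-enum-ciphers -p 443 ipa.example.test
# A current openssl s_client cannot request EXPORT suites at all, so a
# "no cipher match" from it says nothing about the server.
```

Run the lint against the stanza you are about to put in nss.conf; a rejection means mod_nss would silently ignore the qualifiers, which is exactly why the export suites survived Terry's restart. After the restart, confirm with an external scanner (OpenVAS, nmap's ssl-enum-ciphers or ssllabs.com) rather than by reading the config back.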
