On 2016-01-21 15:51, Martin Kosek wrote:
> On 01/21/2016 03:31 PM, Terry John wrote:
>> I've been trying to tidy the security on my FreeIPA and this is causing me 
>> some problems. I'm using OpenVAS vulnerability scanner and it is coming up 
>> with this issue
>> EXPORT_RSA cipher suites supported by the remote server:
>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0006)
>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0003)
>> It seems we have to disable export TLS ciphers but I can't see how. I've 
>> edited /etc/httpd/conf.d/nss.conf and disabled all SSL and TLSV1.0.
>> I've got
>> NSSCipherSuite -all,-exp,+<the ones I want>
>> I've restarted httpd and ipa but it still fails
>> Is there something I have overlooked?
>> Thanks, Terry

Hi Terry,

the syntax of your NSSCipherSuite stanza is wrong. mod_nss has a
different syntax for NSSCipherSuite than mod_ssl has for SSLCipherSuite.
The native mod_nss syntax doesn't support qualifiers such as 'all' or
'exp'. You have to put in the NSS names of cipher suites. If you use the
native syntax, then mod_nss disables all cipher suites that are not listed.

mod_nss also supports OpenSSL's / mod_ssl's syntax if you use ':'
instead of ',' as separator. But I advise against the alternative syntax
because it is not as well tested as the native syntax. For example '!'
prefix used to be broken (CVE-2015-5244) and '+' prefix causes another
issue (https://fedorahosted.org/mod_nss/ticket/20).

> Hi Terry,
> Please check
> https://fedorahosted.org/freeipa/ticket/5589
> We are trying to come up with a better cipher suite right now. The fix should
> be in some of the next FreeIPA 4.3.x versions.
> The ticket has more details in it.

The NSSCipherSuite from
https://fedorahosted.org/freeipa/ticket/5589#comment:6 has been reviewed
by a couple of people and has been tested with ssllabs.com. The script
nssciphersuite.py in the ticket explains why certain algorithms and
cipher suites have been removed.
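As an added illustration of the native-syntax rule above (not code from the thread or from mod_nss), the following Python linter reads an NSSCipherSuite value the way the reply describes: ':' selects the mod_ssl-style syntax, ',' selects the native one, native tokens must be +name/-name using mod_nss cipher names, and mod_ssl qualifiers such as 'all' or 'exp' are not understood. The mod_nss names for the two export suites OpenVAS flagged (rsa_rc4_40_md5, rsa_rc2_40_md5) are assumed from the mod_nss documentation, and rsa_aes_128_sha is used only as a sample cipher name.

```python
import re

# Native mod_nss names for the two export suites from the OpenVAS report.
# Mapping assumed from the mod_nss docs; the thread only gives IANA names.
EXPORT_SUITES = {
    "rsa_rc4_40_md5": "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "rsa_rc2_40_md5": "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
}
# mod_ssl-style keywords that the native mod_nss syntax does not understand.
MOD_SSL_QUALIFIERS = {"all", "exp", "export", "high", "medium", "low", "null"}

# A native token is a '+' or '-' followed by a lowercase mod_nss cipher name.
NATIVE_TOKEN = re.compile(r"^[+-][a-z0-9_]+$")


def check_nss_cipher_suite(value: str) -> dict:
    """Lint an NSSCipherSuite value as mod_nss would interpret it.

    Returns the detected syntax, the suites that would end up enabled
    (native syntax only) and a list of human-readable problems.
    """
    value = value.strip()
    problems, enabled = [], []
    if ":" in value and "," not in value:
        # ':' separators select the OpenSSL/mod_ssl-compatible parser.
        problems.append("':' selects the mod_ssl-style syntax, which is less tested")
        return {"syntax": "openssl", "enabled": enabled, "problems": problems}
    for token in value.split(","):
        token = token.strip()
        if not NATIVE_TOKEN.match(token):
            problems.append(f"{token!r} is not a native token (expected +name or -name)")
            continue
        sign, name = token[0], token[1:]
        if name in MOD_SSL_QUALIFIERS:
            problems.append(f"{token!r}: qualifier {name!r} is mod_ssl syntax, ignored by mod_nss")
            continue
        if sign == "+":
            enabled.append(name)
            if name in EXPORT_SUITES:
                problems.append(f"{token!r} enables export suite {EXPORT_SUITES[name]}")
        # '-name' entries are harmless but redundant: in native syntax every
        # suite that is not explicitly enabled is disabled anyway.
    return {"syntax": "native", "enabled": enabled, "problems": problems}


if __name__ == "__main__":
    # Constructed sample: the shape of the stanza from the original question.
    for line in check_nss_cipher_suite("-all,-exp,+rsa_aes_128_sha")["problems"]:
        print(line)
```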
