Christian Heimes wrote:
> On 2016-01-21 15:51, Martin Kosek wrote:
>> On 01/21/2016 03:31 PM, Terry John wrote:
>>> I've been trying to tidy the security on my FreeIPA and this is causing me 
>>> some problems. I'm using OpenVAS vulnerability scanner and it is coming up 
>>> with this issue
>>> EXPORT_RSA cipher suites supported by the remote server:
>>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0006)
>>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0003)
>>> It seems we have to disable export TLS ciphers but I can't see how. I've 
>>> edited /etc/httpd/conf.d/nss.conf and disabled all SSL and TLSV1.0.
>>> I've got
>>> NSSCipherSuite -all,-exp,+<the ones I want>
>>> I've restarted httpd and ipa but it still fails
>>> Is there something I have overlooked?
>>> Thanks, Terry
> Hi Terry,
> the syntax of your NSSCipherSuite stanza is wrong. mod_nss has a
> different syntax for NSSCipherSuite than mod_ssl has for SSLCipherSuite.
> The native mod_nss syntax doesn't support qualifiers such as 'all' or
> 'exp'. You have to put in the NSS names of cipher suites. If you use the
> native syntax, then mod_nss disables all cipher suites that are not listed.
> mod_nss also supports OpenSSL's / mod_ssl's syntax if you use ':'
> instead of ',' as separator. But I advise against the alternative syntax
> because it is not as well tested as the native syntax. For example '!'
> prefix used to be broken (CVE-2015-5244) and '+' prefix causes another
> issue (

By that argument one would never use any software because of previous
bugs. It should work fine now, but there are some differences; note
that the F-22 fix hasn't been pushed to stable yet.

'+' doesn't add ciphers, it only re-orders them, so it is a no-op since NSS
doesn't allow cipher re-ordering.

Given you just disabled all ciphers with -ALL, -EXP is a no-op. If you
want to ban anything from adding in export ciphers later use !EXP instead.

The string is also case-sensitive and needs to be all upper-case.

But yeah, I'd check out the referenced ticket and use those as your default.


>> Hi Terry,
>> Please check
>> We are trying to come up with a better cipher suite right now. The fix should
>> be in some of the next FreeIPA 4.3.x versions.
>> The ticket has more details in it.
> The NSSCipherSuite from
> has been reviewed
> by a couple of people and has been tested with The script
> in the ticket explains why certain algorithms and
> cipher suites have been removed.
> Christian
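The thread above describes two NSSCipherSuite syntaxes (the native comma-separated mod_nss form, which takes NSS cipher names and knows no qualifiers, and the colon-separated mod_ssl-style form, which is case-sensitive and where '+' is a no-op and '-EXP' after '-ALL' does nothing). The following linter is an added example written for this page, not FreeIPA or mod_nss code: it checks a directive value against exactly those rules so the mistake in the original question (qualifiers in native syntax) is caught before httpd is restarted. The NSS names rsa_rc2_40_md5 and rsa_rc4_40_md5 for the two reported export suites are assumed from the mod_nss defaults, and the sample values are constructed.

```python
"""Lint an Apache mod_nss NSSCipherSuite value against the rules described
in the thread above.  Added example; not FreeIPA or mod_nss code."""
import re

# NSS names that mod_nss uses for the two export suites OpenVAS reported
# (TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5, TLS_RSA_EXPORT_WITH_RC4_40_MD5).
# Assumed mapping; verify against the mod_nss documentation you run.
EXPORT_SUITES = {"rsa_rc2_40_md5", "rsa_rc4_40_md5"}

# Qualifier words that mean something to mod_ssl's SSLCipherSuite but are
# not cipher names in mod_nss's native syntax.
OPENSSL_QUALIFIERS = {"all", "exp", "export", "high", "medium", "low", "null"}

NATIVE_NAME = re.compile(r"^[a-z0-9_]+$")


def _split_prefix(token):
    """Separate an optional +/-/! prefix from the rest of a token."""
    if token and token[0] in "+-!":
        return token[0], token[1:]
    return "", token


def lint_nss_cipher_suite(value):
    """Return a list of findings (an empty list means nothing to flag).

    A ':' separator selects the mod_ssl-style syntax mod_nss also accepts;
    otherwise the value is parsed as native comma-separated mod_nss syntax.
    """
    value = value.strip()
    if ":" in value:
        return _lint_openssl_style(value)
    return _lint_native(value)


def _lint_native(value):
    findings = []
    enabled = set()
    for token in (t.strip() for t in value.split(",")):
        if not token:
            continue
        prefix, name = _split_prefix(token)
        if name.lower() in OPENSSL_QUALIFIERS:
            findings.append(f"'{token}': qualifiers such as 'all' or 'exp' do not "
                            "exist in native syntax; list NSS cipher names instead")
        elif prefix not in ("+", "-") or not NATIVE_NAME.match(name):
            findings.append(f"'{token}': native tokens are '+name' or '-name' "
                            "using lower-case NSS cipher names")
        elif prefix == "+":
            enabled.add(name)
    for suite in sorted(enabled & EXPORT_SUITES):
        findings.append(f"export suite '{suite}' is explicitly enabled")
    if not enabled and not findings:
        findings.append("nothing is enabled with '+'; native syntax disables "
                        "every suite that is not listed")
    return findings


def _lint_openssl_style(value):
    findings = []
    seen_minus_all = False
    for token in (t.strip() for t in value.split(":")):
        if not token:
            continue
        prefix, body = _split_prefix(token)
        if body != body.upper():
            findings.append(f"'{token}': mod_ssl-style tokens are case-sensitive "
                            "and must be upper-case")
            body = body.upper()
        if prefix == "+":
            # Per the thread: '+' only re-orders in mod_ssl, and NSS has no
            # cipher re-ordering, so the token changes nothing.
            findings.append(f"'{token}': '+' does not add a cipher in mod_nss; "
                            "it is a no-op")
        elif prefix == "-" and body == "ALL":
            seen_minus_all = True
        elif prefix == "-" and body == "EXP" and seen_minus_all:
            findings.append("'-EXP' after '-ALL' is a no-op; use '!EXP' to keep "
                            "export suites from being re-added later")
    return findings


if __name__ == "__main__":
    # Constructed sample with the shape of the stanza from the original question.
    for finding in lint_nss_cipher_suite("-all,-exp,+rsa_aes_128_sha,+rsa_aes_256_sha"):
        print(finding)
```

Run it against the value from your nss.conf before restarting httpd; an empty result only means the directive is well-formed in the syntax it uses, so still confirm the served suites with a scanner afterwards.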

Manage your subscription for the Freeipa-users mailing list: