Christian Heimes wrote: > On 2016-01-21 15:51, Martin Kosek wrote: >> On 01/21/2016 03:31 PM, Terry John wrote: >>> I've been trying to tidy the security on my FreeIPA and this is causing me >>> some problems. I'm using OpenVAS vulnerability scanner and it is coming up >>> with this issue >>> >>> EXPORT_RSA cipher suites supported by the remote server: >>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0006) >>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0003) >>> >>> It seems we have to disable export TLS ciphers but I can't see how. I've >>> edited /etc/httpd/conf.d/nss.conf and disabled all SSL and TLSV1.0. >>> >>> I've got >>> >>> NSSCipherSuite -all,-exp,+<the ones I want> >>> >>> I've restarted httpd and ipa but it still fails >>> >>> Is there something I have overlooked >>> >>> Thanks, Terry > > Hi Terry, > > the syntax of your NSSCipherSuite stanza is wrong. mod_nss has a > different syntax for NSSCipherSuite than mod_ssl has for SSLCipherSuite. > The native mod_nss syntax doesn't support qualifiers such as 'all' or > 'exp'. You have to put in the NSS names of cipher suites. If you use the > native syntax, then mod_nss disables all ciphers suites that are not listed. > > mod_nss also supports OpenSSL's / mod_ssl's syntax if you use ':' > instead of ',' as separator. But I advice against the alternative syntax > because it is not as well tested as the native syntax. For example '!' > prefix used to be broken (CVE-2015-5244) and '+' prefix causes another > issue (https://fedorahosted.org/mod_nss/ticket/20).
By that argument one would never use any software because of previous bugs. It should work fine now, but it there are some differences, but note that the F-22 fix hasn't been pushed to stable yet (https://bodhi.fedoraproject.org/updates/FEDORA-2016-6aa4dd4f3a). + doesn't add ciphers, it only re-orders them so is a no-op since NSS doesn't allow cipher re-ordering. Given you just disabled all ciphers with -ALL, -EXP is a no-op. If you want to ban anything from adding in export ciphers later use !EXP instead. The string is also case-sensitive and needs to be all upper-case. But yeah, I'd check out the referenced ticket and use those as your default. rob > >> Hi Terry, >> >> Please check >> https://fedorahosted.org/freeipa/ticket/5589 >> >> We are trying to come up with a better cipher suite right now. The fix should >> be in some of the next FreeIPA 4.3.x versions. >> >> The ticket has more details in it. > > The NSSCipherSuite from > https://fedorahosted.org/freeipa/ticket/5589#comment:6 has been reviewed > by a couple of people and has been tested with ssllabs.com. The script > nssciphersuite.py in the ticket explains why certain algorithms and > cipher suites have been removed. > > Christian > > > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project