Christian Heimes wrote:
> On 2016-01-21 15:51, Martin Kosek wrote:
>> On 01/21/2016 03:31 PM, Terry John wrote:
>>> I've been trying to tidy the security on my FreeIPA and this is causing me
>>> some problems. I'm using OpenVAS vulnerability scanner and it is coming up
>>> with this issue
>>> EXPORT_RSA cipher suites supported by the remote server:
>>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0006)
>>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0003)
>>> It seems we have to disable export TLS ciphers but I can't see how. I've
>>> edited /etc/httpd/conf.d/nss.conf and disabled all SSL and TLSV1.0.
>>> I've got
>>> NSSCipherSuite -all,-exp,+<the ones I want>
>>> I've restarted httpd and ipa but it still fails
>>> Is there something I have overlooked
>>> Thanks, Terry
> Hi Terry,
> the syntax of your NSSCipherSuite stanza is wrong. mod_nss has a
> different syntax for NSSCipherSuite than mod_ssl has for SSLCipherSuite.
> The native mod_nss syntax doesn't support qualifiers such as 'all' or
> 'exp'. You have to put in the NSS names of cipher suites. If you use the
> native syntax, then mod_nss disables all ciphers suites that are not listed.
> mod_nss also supports OpenSSL's / mod_ssl's syntax if you use ':'
> instead of ',' as separator. But I advise against the alternative syntax
> because it is not as well tested as the native syntax. For example '!'
> prefix used to be broken (CVE-2015-5244) and '+' prefix causes another
> issue (https://fedorahosted.org/mod_nss/ticket/20).
By that argument one would never use any software because of previous
bugs. It should work fine now, but there are some differences, but
note that the F-22 fix hasn't been pushed to stable yet
+ doesn't add ciphers, it only re-orders them so is a no-op since NSS
doesn't allow cipher re-ordering.
Given you just disabled all ciphers with -ALL, -EXP is a no-op. If you
want to ban anything from adding in export ciphers later use !EXP instead.
The string is also case-sensitive and needs to be all upper-case.
But yeah, I'd check out the referenced ticket and use those as your default.
>> Hi Terry,
>> Please check
>> We are trying to come up with a better cipher suite right now. The fix should
>> be in some of the next FreeIPA 4.3.x versions.
>> The ticket has more details in it.
> The NSSCipherSuite from
> https://fedorahosted.org/freeipa/ticket/5589#comment:6 has been reviewed
> by a couple of people and has been tested with ssllabs.com. The script
> nssciphersuite.py in the ticket explains why certain algorithms and
> cipher suites have been removed.
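The syntax pitfalls raised in this thread (native mod_nss ',' syntax with no qualifiers versus the ':'-separated OpenSSL-style syntax, upper-case qualifiers, '+' being a no-op, and '-EXP' being redundant after '-ALL') as a small linter. This is an added example, not code from the thread or from mod_nss; the qualifier list and the prefix rules beyond what the thread states are assumptions for illustration.

```python
# Added example (not mod_nss code): lint an NSSCipherSuite value for the
# mistakes discussed in the thread. Rules beyond the thread are assumptions.

# Assumed subset of OpenSSL-style qualifier words; not the full mod_nss grammar.
QUALIFIERS = {"ALL", "EXP", "EXPORT", "LOW", "MEDIUM", "HIGH"}


def lint_nss_cipher_suite(directive: str) -> list:
    """Return a list of warning strings for an NSSCipherSuite directive or value."""
    value = directive.strip()
    if value.startswith("NSSCipherSuite"):
        value = value.split(None, 1)[1] if " " in value else ""
    warnings = []

    if ":" in value:
        # ':' separator selects the OpenSSL / mod_ssl style syntax (qualifiers allowed).
        disabled_all = False
        for tok in value.split(":"):
            prefix = tok[0] if tok and tok[0] in "+-!" else ""
            name = tok[len(prefix):]
            if name != name.upper():
                warnings.append(f"{tok}: case-sensitive, qualifiers must be upper-case")
            name_u = name.upper()
            if prefix == "+":
                # '+' only re-orders, and NSS does not re-order ciphers, so it does nothing.
                warnings.append(f"{tok}: '+' is a no-op with mod_nss")
            if prefix == "-" and name_u == "ALL":
                disabled_all = True
            elif prefix == "-" and disabled_all and name_u in QUALIFIERS:
                # Everything is already disabled; only '!' keeps the class banned later.
                warnings.append(f"{tok}: no-op after -ALL; use !{name_u} to keep it banned")
    else:
        # ',' separator selects the native mod_nss syntax: '+'/'-' plus NSS cipher names only.
        for tok in value.split(","):
            prefix = tok[0] if tok and tok[0] in "+-" else ""
            name = tok[len(prefix):]
            if name.upper() in QUALIFIERS:
                warnings.append(f"{tok}: native syntax has no qualifiers; list NSS cipher names")
            if not prefix:
                # Assumption: native syntax expects every cipher to carry a '+' or '-' prefix.
                warnings.append(f"{tok}: native syntax needs a '+' or '-' prefix")
    return warnings


if __name__ == "__main__":
    # Constructed input modelled on the directive from the original question.
    for line in lint_nss_cipher_suite("NSSCipherSuite -all,-exp,+rsa_aes_128_sha"):
        print(line)
```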