On 2016-01-21 17:54, Terry John wrote:
>>> I've been trying to tidy the security on my FreeIPA and this is
>>> causing me some problems. I'm using OpenVAS vulnerability scanner and
>>> it is coming up with this issue
>>>
>>> EXPORT_RSA cipher suites supported by the remote server:
>>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0006)
>>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0003)
>>>
>>> It seems we have to disable export TLS ciphers but I can't see how. I've
>>> edited /etc/httpd/conf.d/nss.conf and disabled all SSL and TLSV1.0.
>>>
>>> NSSCipherSuite -all,-exp,+<the ones I want>
>>>
>>> I've restarted httpd and ipa but it still fails
>>>
>>> Is there something I have overlooked?
>
>
>> Hi Terry,
>>
>> Please check
>> https://fedorahosted.org/freeipa/ticket/5589
>>
>> We are trying to come up with a better cipher suite right now. The fix 
>> should be in some of the next FreeIPA 4.3.x versions.
>>
>> The ticket has more details in it.
>
> Thanks for the info. I have tried nearly all the NSSCipherSuite settings in
> that ticket but none so far has eliminated the FREAK report.
> Christian, thanks for the heads up on the syntax, I wasn't sure of what I was
> doing.
>
> Each time I've made a change I've run an sslscan from the OpenVAS scanner and
> I do get a different result each time but the errors still remain in OpenVAS.
> Aaargh! Just noticed the port is 636/tcp(!) which is ns-slapd.
> 
> Back to the drawing board :-)

The TLS/SSL configuration of the LDAP server is handled by a different
configuration file. It's on my radar, but I haven't touched it yet. LDAP
clients and browsers are different beasts. ssllabs.com makes it very
convenient to test a site against all relevant browsers. There is no
such service for LDAP.

By the way, does OpenVAS also detect issues on 389/TCP for LDAP with
STARTTLS? 389/TCP talks plain TCP first but can be upgraded to TLS with
STARTTLS.

Christian
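To confirm on your own directory server that a cipher change actually removed the two EXPORT_RSA suites from the scan above, on 636/tcp directly and on 389/tcp after the STARTTLS upgrade Christian describes, here is an added example. It is not code from this thread, from FreeIPA or from 389-ds; it sends one LDAP StartTLS ExtendedRequest (RFC 4511, OID 1.3.6.1.4.1.1466.20037) where needed, then a TLS 1.0 ClientHello that offers only the two reported suites, and reports whether the server picks one (still exposed) or answers with an alert (fixed). The host name in the usage block is a placeholder; the response bytes in the tests are constructed.

```python
"""Check whether an LDAP endpoint still negotiates the EXPORT_RSA suites OpenVAS
flagged: 636/tcp (LDAPS) or 389/tcp after a StartTLS request.  Added example for
this thread, not FreeIPA or 389-ds code.  It inspects only the server's first
handshake flight and never completes a TLS session."""
import os
import socket
import struct
import sys

# Code points of the two suites named in the OpenVAS report (TLS cipher suite registry).
EXPORT_SUITES = {
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
}
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}

# LDAP ExtendedRequest for StartTLS (RFC 4511 section 4.14, OID from RFC 4513), messageID 1.
STARTTLS_REQUEST = (
    b"\x30\x1d"            # LDAPMessage SEQUENCE, 29 bytes of content
    b"\x02\x01\x01"        # messageID INTEGER 1
    b"\x77\x18"            # ExtendedRequest [APPLICATION 23], 24 bytes
    b"\x80\x16"            # requestName [0] OCTET STRING, 22 bytes
    b"1.3.6.1.4.1.1466.20037"
)


def _tlv(buf, i):
    """Return (tag, content_start, content_end) of the BER element at buf[i]."""
    tag, length = buf[i], buf[i + 1]
    i += 2
    if length & 0x80:                      # long form: the next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[i:i + n], "big")
        i += n
    return tag, i, i + length


def starttls_accepted(response: bytes) -> bool:
    """True if an LDAP ExtendedResponse ([APPLICATION 24]) reports resultCode success (0)."""
    try:
        tag, i, _ = _tlv(response, 0)              # LDAPMessage SEQUENCE
        if tag != 0x30:
            return False
        tag, _, i = _tlv(response, i)              # messageID INTEGER, skipped
        tag, i, _ = _tlv(response, i)              # ExtendedResponse
        if tag != 0x78:
            return False
        tag, i, end = _tlv(response, i)            # resultCode ENUMERATED
        return tag == 0x0A and int.from_bytes(response[i:end], "big") == 0
    except IndexError:                             # truncated or non-LDAP reply
        return False


def build_client_hello(suites, random_bytes=None) -> bytes:
    """TLS 1.0 ClientHello offering only `suites`; the reply shows whether the
    server is willing to select one of them."""
    random_bytes = random_bytes if random_bytes is not None else os.urandom(32)
    suite_bytes = b"".join(struct.pack(">H", s) for s in suites)
    body = (
        b"\x03\x01"                                        # client_version TLS 1.0
        + random_bytes                                     # ClientHello.random
        + b"\x00"                                          # empty session_id
        + struct.pack(">H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                                      # compression_methods: null only
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def classify_response(data: bytes):
    """Map the server's first record to ('accepted', suite), ('rejected', alert) or ('unknown', None)."""
    if len(data) >= 7 and data[0] == 0x15:                       # Alert record: level, description
        return "rejected", ALERT_NAMES.get(data[6], f"alert_{data[6]}")
    if len(data) >= 44 and data[0] == 0x16 and data[5] == 0x02:  # Handshake record, ServerHello
        off = 44 + data[43]                                      # skip version, random, session_id
        if len(data) >= off + 2:
            suite = struct.unpack(">H", data[off:off + 2])[0]
            return "accepted", EXPORT_SUITES.get(suite, f"0x{suite:04x}")
    return "unknown", None


def probe(host, port, starttls=False, timeout=5.0):
    """Live check against your own server; returns classify_response() of its first TLS record."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if starttls:
            s.sendall(STARTTLS_REQUEST)
            if not starttls_accepted(s.recv(4096)):
                return "unknown", "starttls_refused"
        s.sendall(build_client_hello(list(EXPORT_SUITES)))
        return classify_response(s.recv(4096))


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: probe.py <your-ipa-host>")      # e.g. ipa.example.test (placeholder)
    for port, tls in ((636, False), (389, True)):
        print(port, "STARTTLS" if tls else "LDAPS", probe(sys.argv[1], port, starttls=tls))
```

Run it against the IPA host after each change to the directory server's TLS settings: `('rejected', 'handshake_failure')` on both ports means the export suites are gone, while `('accepted', ...)` on 636 but not on the httpd ports is exactly the split Terry ran into, since nss.conf only governs Apache.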

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project