On 01/21/2016 05:54 PM, Terry John wrote:
I've been trying to tidy the security on my FreeIPA and this is
causing me some problems. I'm using OpenVAS vulnerability scanner and
it is coming up with this issue

EXPORT_RSA cipher suites supported by the remote server:
TLSv1.0: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0006)
TLSv1.0: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0003)

It seems we have to disable export TLS ciphers but I can't see how. I've 
edited /etc/httpd/conf.d/nss.conf and disabled all SSL and TLSV1.0.

NSSCipherSuite -all,-exp,+<the ones I want>

I've restarted httpd and ipa but it still fails

Is there something I have overlooked?


Hi Terry,

Please check
https://fedorahosted.org/freeipa/ticket/5589

We are trying to come up with a better cipher suite right now. The fix should 
be in some of the next FreeIPA 4.3.x versions.

The ticket has more details in it.

Thanks for the info. I have tried nearly all the NSSCipherSuite settings in 
that ticket but none so far has eliminated the FREAK report.
Christian thanks for the heads up on the syntax, I wasn't sure of what I was 
doing

Each time I've made a change I've run an sslscan from the OpenVAS scanner and I 
do get a different result each time but the errors still remain in OpenVAS.
Aaargh! Just noticed the port is 636/tcp(!) which is ns-slapd.

Just for the record, 389 Directory Server cipher suites for 636 were much improved in
https://fedorahosted.org/freeipa/ticket/4395
https://fedorahosted.org/389/ticket/47838
i.e. FreeIPA 4.0.3+ (and RHEL/CentOS 7.1 too).

So that port should not use any really insecure ciphers any more.

Back to the drawing board :-)
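The turning point in this thread is that the EXPORT_RSA finding was reported against 636/tcp (ns-slapd), not against httpd, so editing nss.conf could never clear it. The script below is an added example, not code from the thread or from the FreeIPA project: it parses scanner finding lines of the shape quoted above (the "port/proto" prefix per line is a constructed format, as is the sample report), flags export-grade suites by the cipher-suite ids from RFC 2246 or by the _EXPORT token in the name, and groups them by the FreeIPA component that owns the port, so the finding points at the right configuration file. The 443 -> httpd mapping is an assumption of this example; 636 -> ns-slapd is what the thread found.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Export-grade TLS cipher suite ids (RFC 2246 appendix A.5), as 16-bit values.
EXPORT_SUITE_IDS = {
    0x0003,  # TLS_RSA_EXPORT_WITH_RC4_40_MD5 (one of the two in the thread)
    0x0006,  # TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (the other one)
    0x0008, 0x000B, 0x000E, 0x0011, 0x0014, 0x0017, 0x0019,
}

# Port -> (FreeIPA component, where its cipher list is configured).
# 443 -> httpd is an assumption of this example; 636 -> ns-slapd is from the thread.
PORT_TO_COMPONENT: Dict[int, Tuple[str, str]] = {
    443: ("httpd", "/etc/httpd/conf.d/nss.conf, NSSCipherSuite directive"),
    389: ("ns-slapd (389 DS)", "389 Directory Server cipher settings"),
    636: ("ns-slapd (389 DS)", "389 Directory Server cipher settings"),
}

# Constructed sample report: one finding per line, prefixed with the port.
SAMPLE_REPORT = """\
443/tcp  TLSv1.2: TLS_RSA_WITH_AES_128_CBC_SHA (002F)
636/tcp  TLSv1.0: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0006)
636/tcp  TLSv1.0: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0003)
"""

FINDING_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+"
    r"(?P<version>TLSv1\.\d|SSLv\d):\s+"
    r"(?P<suite>[A-Z0-9_]+)\s+\((?P<code>[0-9A-Fa-f]{4})\)\s*$"
)


@dataclass(frozen=True)
class Finding:
    port: int
    proto: str
    version: str
    suite: str
    code: int  # cipher suite id as an integer, e.g. 0x0006


def parse_findings(report: str) -> List[Finding]:
    """Parse 'port/proto  TLSv1.x: SUITE (HEX)' lines; other lines are skipped."""
    findings = []
    for line in report.splitlines():
        m = FINDING_RE.match(line.strip())
        if not m:
            continue
        findings.append(Finding(int(m["port"]), m["proto"], m["version"],
                                m["suite"], int(m["code"], 16)))
    return findings


def is_export_suite(f: Finding) -> bool:
    """Export grade if the id is a known export id or the name carries _EXPORT."""
    return f.code in EXPORT_SUITE_IDS or "_EXPORT" in f.suite


def export_suites_by_component(report: str) -> Dict[Tuple[str, str], List[str]]:
    """Group export-grade findings by the component that owns the listening port."""
    grouped: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for f in parse_findings(report):
        if not is_export_suite(f):
            continue
        owner = PORT_TO_COMPONENT.get(
            f.port, (f"unknown service on {f.port}/{f.proto}",
                     "identify the listening daemon before changing any config"))
        grouped[owner].append(f.suite)
    return dict(grouped)


if __name__ == "__main__":
    for (component, where), suites in export_suites_by_component(SAMPLE_REPORT).items():
        print(f"{component}: fix in {where}")
        for suite in suites:
            print(f"    {suite}")
```

Run against a real scan, the output tells you which daemon to reconfigure and restart; for the sample it reports only ns-slapd, which is exactly the situation in the thread.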







--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
