On 2016-01-21 17:54, Terry John wrote:
> Thanks for the info. I have tried nearly all the NSSCipherSuite settings in 
> that ticket but none so far has eliminated the FREAK report.
> Christian thanks for the heads up on the syntax, I wasn't sure of what I was 
> doing
> 
> Each time I've made a change I've run an sslscan from the OpenVAS scanner and 
> I do get a different result each time but the errors still remain in OpenVAS.
> Aaargh! Just noticed the port is 636/tcp(!) which is ns-slapd.
> 
> Back to the drawing board :-)

Hi Terry,

You can give the attached file a try. It's an LDIF file for
ipa-ldap-updater. You need to run the command on the machine as root and
restart 389-DS.

The hardened TLS configuration is highly experimental and comes with no
warranty whatsoever. The configuration works on my test systems with
Python's ldap client and Apache Directory Studio. It may not work with
other clients, especially older clients or clients in FIPS mode.

Christian

# Harden TLS/SSL configuration of 389-DS
#
# Christian Heimes <chei...@redhat.com>
#
# $ sudo ipa-ldap-updater slapd_ssl.uldif
# $ sudo ipactl restart

dn: cn=encryption,cn=config
only: allowWeakCipher: off
only: nsSSL2: off
only: nsSSL3: off
only: nsTLS1: on
only: sslVersionMin: TLS1.0
only: sslVersionMax: TLS1.2
only: nsSSL3Ciphers: 
 +TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA

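A small pre-flight check for an update file like the one above, added here as an example and not part of Christian's attachment: it unfolds the LDIF continuation line, reads the "only:" attributes, and flags the settings a FREAK-style scanner finding comes from (SSLv2/SSLv3 left on, allowWeakCipher, or an EXPORT/RC4/DES/NULL/MD5/anon suite in nsSSL3Ciphers). The WEAK_MARKERS list and the sample file are my own constructions, not a 389-DS API.

```python
import re

# Constructed sample in the ipa-ldap-updater format used above; the cipher list
# is folded onto a continuation line, which LDIF marks with one leading space.
SAMPLE_ULDIF = """\
dn: cn=encryption,cn=config
only: allowWeakCipher: off
only: nsSSL2: off
only: nsSSL3: off
only: nsTLS1: on
only: sslVersionMin: TLS1.0
only: sslVersionMax: TLS1.2
only: nsSSL3Ciphers: +TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 +TLS_RSA_WITH_AES_128_CBC_SHA
"""

# Heuristic substrings marking a suite as weak; EXPORT suites are what a FREAK finding points at.
WEAK_MARKERS = ("EXPORT", "NULL", "RC4", "DES", "MD5", "anon")

def parse_uldif(text):
    """Return {attribute: value} for the 'only:' lines, unfolding LDIF continuation lines."""
    unfolded = re.sub(r"\n ", "", text)  # a line starting with a space continues the previous one
    attrs = {}
    for line in unfolded.splitlines():
        if line.startswith("only: "):
            name, _, value = line[len("only: "):].partition(":")
            attrs[name] = value.strip()
    return attrs

def enabled_ciphers(attrs):
    """Suites explicitly enabled with '+' in nsSSL3Ciphers (empty list means server defaults)."""
    value = attrs.get("nsSSL3Ciphers", "")
    return [c[1:] for c in value.split(",") if c.startswith("+")]

def audit(attrs):
    """Return a list of findings; an empty list means every check here passed."""
    findings = []
    for attr in ("allowWeakCipher", "nsSSL2", "nsSSL3"):
        if attrs.get(attr, "on") != "off":
            findings.append(f"{attr} is not off")
    if not attrs.get("sslVersionMin", "").startswith("TLS"):
        findings.append("sslVersionMin allows SSL")
    ciphers = enabled_ciphers(attrs)
    if not ciphers:
        findings.append("no cipher explicitly enabled; server defaults apply")
    for cipher in ciphers:
        if any(marker in cipher for marker in WEAK_MARKERS):
            findings.append(f"weak cipher enabled: {cipher}")
    return findings
```

Run `audit(parse_uldif(open("slapd_ssl.uldif").read()))` before applying the file; it only checks the file, so a rescan of 636/tcp after `ipactl restart` is still needed to confirm what the server actually negotiates.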

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
