On 2016-01-21 17:54, Terry John wrote:
> Thanks for the info. I have tried nearly all the NSSCipherSuite settings in
> that ticket but none so far has eliminated the FREAK report.
> Christian, thanks for the heads up on the syntax, I wasn't sure of what I was
> doing.
>
> Each time I've made a change I've run an sslscan from the OpenVAS scanner and
> I do get a different result each time, but the errors still remain in OpenVAS.
> Aaargh! Just noticed the port is 636/tcp(!), which is ns-slapd.
>
> Back to the drawing board :-)
Hi Terry,

you can give the attached file a try. It's an ldif file for ipa-ldap-updater. You need to run the command on the machine as root and restart 389-DS.

The hardened TLS configuration is highly experimental and comes with no warranty whatsoever. The configuration works on my test systems with Python's ldap client and Apache Directory Studio. It may not work with other clients, especially older clients or clients in FIPS mode.

Christian
# Harden TLS/SSL configuration of 389-DS
#
# Christian Heimes <[email protected]>
#
# $ sudo ipa-ldap-updater slapd_ssl.uldif
# $ sudo ipactl restart

dn: cn=encryption,cn=config
only: allowWeakCipher: off
only: nsSSL2: off
only: nsSSL3: off
only: nsTLS1: on
only: sslVersionMin: TLS1.0
only: sslVersionMax: TLS1.2
only: nsSSL3Ciphers: +TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
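A FREAK finding on 636/tcp means the LDAPS listener still offers export-grade RSA suites, so before re-running the scanner it is worth checking the cn=encryption entry itself. The script below is an added example, not part of the thread or of FreeIPA/389-DS: it parses an ipa-ldap-updater file in the `only: attr: value` form used by the attachment above (or a plain LDIF dump of cn=encryption,cn=config) and lists every setting that would let a scanner report FREAK or POODLE. The weak-suite name patterns, the "not set explicitly" policy for missing attributes and the legacy sample configuration are assumptions constructed for illustration; the hardened sample is the attachment's content.

```python
"""Audit 389-DS cn=encryption settings for weak protocol/cipher choices.

Added example, not from the thread. Patterns and sample inputs are constructed.
"""

# Substrings of NSS cipher suite names that a hardened LDAPS listener should
# never enable. Export-grade suites (EXPORT/_EXP) are the ones FREAK abuses.
WEAK_CIPHER_PATTERNS = ("EXPORT", "_EXP", "RC4", "RC2", "DES", "NULL", "ANON", "MD5")

# Protocol versions in 389-DS notation, oldest first (assumed ordering).
VERSION_ORDER = ("SSL2", "SSL3", "TLS1.0", "TLS1.1", "TLS1.2")


def parse_encryption_config(text):
    """Return {attribute: value} from an updater file or plain LDIF entry.

    Handles 'only: attr: value' (ipa-ldap-updater) as well as 'attr: value'.
    Comment lines, blank lines and the dn line are skipped.
    """
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.lower().startswith("dn:"):
            continue
        for directive in ("only:", "add:", "replace:"):
            if line.lower().startswith(directive):
                line = line[len(directive):].strip()
                break
        attr, sep, value = line.partition(":")
        if sep:
            config[attr.strip()] = value.strip()
    return config


def enabled_ciphers(spec):
    """Return the suites an nsSSL3Ciphers value enables ('+' entries only)."""
    enabled = []
    for token in spec.split(","):
        token = token.strip()
        if token and not token.startswith("-"):
            enabled.append(token.lstrip("+"))
    return enabled


def audit_encryption_config(config):
    """Return a list of findings; an empty list means nothing weak was found."""
    findings = []
    # Protocol toggles: SSLv2/SSLv3 off, TLS on, weak ciphers disallowed.
    expected = (("nsSSL2", "off"), ("nsSSL3", "off"), ("nsTLS1", "on"),
                ("allowWeakCipher", "off"))
    for attr, wanted in expected:
        value = config.get(attr)
        if value is None:
            findings.append(f"{attr} is not set explicitly")
        elif value.lower() != wanted:
            findings.append(f"{attr} is {value}, expected {wanted}")

    vmin = config.get("sslVersionMin")
    if vmin is None:
        findings.append("sslVersionMin is not set explicitly")
    elif vmin not in VERSION_ORDER or VERSION_ORDER.index(vmin) < VERSION_ORDER.index("TLS1.0"):
        findings.append(f"sslVersionMin {vmin} allows SSLv3 or older")

    spec = config.get("nsSSL3Ciphers", "")
    if spec.strip().lower() in ("", "+all", "all"):
        findings.append("nsSSL3Ciphers does not pin an explicit suite list")
    for suite in enabled_ciphers(spec):
        for pattern in WEAK_CIPHER_PATTERNS:
            if pattern in suite.upper():
                findings.append(f"weak cipher suite enabled: {suite} ({pattern})")
                break
    return findings


# Sample 1: the attachment from the thread (slapd_ssl.uldif).
HARDENED_ULDIF = """# Harden TLS/SSL configuration of 389-DS
dn: cn=encryption,cn=config
only: allowWeakCipher: off
only: nsSSL2: off
only: nsSSL3: off
only: nsTLS1: on
only: sslVersionMin: TLS1.0
only: sslVersionMax: TLS1.2
only: nsSSL3Ciphers: +TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA
"""

# Sample 2: a constructed legacy entry of the kind that triggers a FREAK report.
LEGACY_CONFIG = """dn: cn=encryption,cn=config
nsSSL2: off
nsSSL3: on
nsTLS1: on
allowWeakCipher: on
sslVersionMin: SSL3
sslVersionMax: TLS1.2
nsSSL3Ciphers: +TLS_RSA_EXPORT_WITH_RC4_40_MD5,+TLS_RSA_WITH_RC4_128_SHA,-TLS_RSA_WITH_NULL_SHA,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
"""

if __name__ == "__main__":
    for name, text in (("hardened", HARDENED_ULDIF), ("legacy", LEGACY_CONFIG)):
        result = audit_encryption_config(parse_encryption_config(text))
        print(f"{name}: {'clean' if not result else ''}")
        for finding in result:
            print(f"  - {finding}")
```

Run against the attachment the audit reports nothing; against the legacy sample it reports SSLv3 on, allowWeakCipher on, an SSLv3 minimum and the two enabled RC4/export suites (the NULL suite is listed with a leading `-` and is therefore ignored). The audit only reads configuration; whether the running ns-slapd actually honours it still has to be confirmed with a scan of 636/tcp after the restart, since an attribute the updater did not apply leaves the old value in place.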
