On 01/26/2016 05:39 PM, Terry John wrote:
> Thanks for this. I've had a look today.
> We are running:
>
> ipa-server.x86_64 3.0.0-47.el6.centos
>
> and some of the directives did not work, namely allowWeakCipher,
> sslVersionMin and sslVersionMax. So I commented them out.
> The ldapupdater then seems happy, but when I went to restart IPA, the ldap
> server wasn't happy with cipher TLS_RSA_WITH_AES_256_CBC_SHA256 and would not
> start.
Usually, when DS is not starting after some change in configuration, you can
manually update the dse.ldif in /etc/dirsrv/... and start again.

As for RHEL-6 support, old SSL ciphers should be disabled since
ipa-3.0.0-46.el6, 389-ds-base-1.2.11.15-51.el6:

https://bugzilla.redhat.com/show_bug.cgi?id=1131049
https://bugzilla.redhat.com/show_bug.cgi?id=1153739

The options are normally used in RHEL-7.1+:

https://bugzilla.redhat.com/show_bug.cgi?id=1117979

They may not have been backported to RHEL-6 either, I am not sure.

> Now I can't change anything and it doesn't work. Reaching for my backup.....
>
> Terry
>
> -----Original Message-----
> From: Christian Heimes [mailto:chei...@redhat.com]
> Sent: 22 January 2016 10:03
> To: Terry John; Martin Kosek; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] FREAK Vulnerability
>
> On 2016-01-21 17:54, Terry John wrote:
>> Thanks for the info. I have tried nearly all the NSSCipherSuite settings in
>> that ticket but none so far has eliminated the FREAK report.
>> Christian, thanks for the heads up on the syntax; I wasn't sure of what
>> I was doing.
>>
>> Each time I've made a change I've run an sslscan from the OpenVAS scanner
>> and I do get a different result each time, but the errors still remain in
>> OpenVAS.
>> Aaargh! Just noticed the port is 636/tcp(!) which is ns-slapd.
>>
>> Back to the drawing board :-)
>
> Hi Terry,
>
> you can give the attached file a try. It's an ldif file for ipa-ldap-updater.
> You need to run the command on the machine as root and restart 389-DS.
>
> The hardened TLS configuration is highly experimental and comes with no
> warranty whatsoever. The configuration works on my test systems with
> Python's ldap client and Apache Directory Studio. It may not work with other
> clients, especially older clients or clients in FIPS mode.
>
> Christian

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
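The thread above boils down to two practical problems: knowing which TLS settings a given 389-DS build actually honours (the RHEL-6 build rejected allowWeakCipher, sslVersionMin and sslVersionMax, and would not start with an unrecognised cipher name), and checking, before restarting, whether the cipher list still contains the export-grade suites that the FREAK scanner report is about. The following is an added example, not the ldif Christian attached and not FreeIPA or 389-DS code: a small Python auditor that reads a dse.ldif, finds the cn=encryption,cn=config entry, and reports weak ciphers enabled in nsSSL3Ciphers, allowWeakCipher left on, SSLv3 still enabled, and a missing or low sslVersionMin. The attribute names (nsSSL3, nsSSL3Ciphers, allowWeakCipher, sslVersionMin, sslVersionMax) are the real 389-DS ones; the two sample dse.ldif texts are constructed for the demo and the function names are this example's own.

```python
"""Audit the TLS settings of a 389-DS instance from its dse.ldif (added example)."""
import re

# Substrings marking cipher names a defender does not want enabled. "export"
# covers the RSA_EXPORT suites a FREAK downgrade lands on; the rest are
# RC4/RC2/NULL/MD5 and the 40/56-bit legacy suites.
WEAK_MARKERS = ("export", "rc4", "rc2", "null", "md5", "_40_", "_56_")
# Single DES ("rsa_des_sha", "TLS_RSA_WITH_DES_CBC_SHA"); "3des_" is not
# matched because the "des_" is preceded by "3", not "_" or start of name.
SINGLE_DES = re.compile(r"(?:^|_)des_")

TLS_RANK = {"SSL3": 0, "TLS1.0": 1, "TLS1.1": 2, "TLS1.2": 3}


def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return {dn_lowercase: {attr_lowercase: [values]}} for an LDIF text."""
    entries, dn, attrs = {}, None, {}
    for line in unfold_ldif(text) + [""]:      # trailing "" flushes last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            dn = value.lower()
        else:
            attrs.setdefault(key, []).append(value)
    return entries


def is_weak_cipher(name):
    """True for export/RC4/RC2/NULL/MD5/40-56 bit/single-DES cipher names."""
    n = name.lower()
    return any(m in n for m in WEAK_MARKERS) or SINGLE_DES.search(n) is not None


def enabled_ciphers(spec):
    """Split an nsSSL3Ciphers value ('+a,-b,+c') into the '+' (enabled) names."""
    names = []
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        if sign == "+":
            names.append(name)
    return names


def audit_dse_ldif(text):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    enc = parse_ldif(text).get("cn=encryption,cn=config")
    if enc is None:
        return ["cn=encryption,cn=config entry not found"]
    first = lambda attr: (enc.get(attr) or [None])[0]
    findings = []
    for name in enabled_ciphers(",".join(enc.get("nsssl3ciphers", []))):
        if name.lower() == "all":
            findings.append("nsSSL3Ciphers uses '+all': every cipher the build knows "
                            "is enabled unless explicitly removed with '-name'")
        elif is_weak_cipher(name):
            findings.append("weak cipher enabled: " + name)
    awc = first("allowweakcipher")
    if awc is None:
        findings.append("allowWeakCipher not present (unsupported or default on this build)")
    elif awc.lower() == "on":
        findings.append("allowWeakCipher is on")
    if (first("nsssl3") or "").lower() == "on":
        findings.append("nsSSL3 is on (SSLv3 accepted)")
    vmin = first("sslversionmin")
    if vmin is None:
        findings.append("sslVersionMin not present (no protocol floor from this directive)")
    elif TLS_RANK.get(vmin.upper(), -1) < TLS_RANK["TLS1.1"]:
        findings.append("sslVersionMin is %s, below TLS1.1" % vmin)
    return findings


# Constructed sample: an older-style configuration with export/RC4 suites on.
WEAK_DSE_LDIF = """\
dn: cn=config
cn: config

dn: cn=encryption,cn=config
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL3: on
nsTLS1: on
allowWeakCipher: on
nsSSL3Ciphers: +rsa_aes_256_sha,+TLS_RSA_WITH_AES_128_CBC_SHA,
 +rsa_rc4_128_md5,+TLS_RSA_EXPORT_WITH_RC4_40_MD5,-rsa_null_sha
"""

# Constructed sample: explicit AES-only list, SSLv3 off, TLS 1.1 floor.
HARDENED_DSE_LDIF = """\
dn: cn=encryption,cn=config
cn: encryption
nsSSL3: off
nsTLS1: on
sslVersionMin: TLS1.1
sslVersionMax: TLS1.2
allowWeakCipher: off
nsSSL3Ciphers: +TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA
"""

if __name__ == "__main__":
    for label, ldif in (("weak", WEAK_DSE_LDIF), ("hardened", HARDENED_DSE_LDIF)):
        print("[%s] %d finding(s)" % (label, len(audit_dse_ldif(ldif))))
        for finding in audit_dse_ldif(ldif):
            print("  - " + finding)
```

Run it against a copy of the instance's dse.ldif (under /etc/dirsrv/slapd-INSTANCE/ on a typical install) rather than the live file, and treat the "not present" findings as a prompt to check the build: on the RHEL-6 packages discussed above those directives are not honoured, so the nsSSL3Ciphers list alone decides what the server offers on 636/tcp. The auditor only classifies names; whether a given name such as TLS_RSA_WITH_AES_256_CBC_SHA256 is recognised by the running 389-DS build is exactly what the failed restart in the thread revealed, so keep a working dse.ldif backup before editing.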