On 01/26/2016 05:39 PM, Terry John wrote:
> Thanks for this. I've had a look today
> We are running:
> ipa-server.x86_64                             3.0.0-47.el6.centos
> and some of the directives did not work, namely  allowWeakCipher, 
> sslVersionMin  and sslVersionMax . So I commented them out
> The ldapupdater then seems happy but when I went to restart IPA. The ldap 
> server wasn't happy with cipher TLS_RSA_WITH_AES_256_CBC_SHA256 and would not 
> start.

Usually, when DS is not starting after some change in configuration, you can
manually update the dse.ldif in /etc/dirsrv/... and start again.

As for RHEL-6 support, old SSL ciphers should be disabled since
ipa-3.0.0-46.el6, 389-ds-base-


The options are normally used in RHEL-7.1+:

they may have not been backported to RHEL-6 also, I am not sure.

> Now I can't change anything and it doesn't work. Reaching for my backup.....
> Terry
> -----Original Message-----
> From: Christian Heimes [mailto:chei...@redhat.com]
> Sent: 22 January 2016 10:03
> To: Terry John; Martin Kosek; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] FREAK Vulnerability
> On 2016-01-21 17:54, Terry John wrote:
>> Thanks for the info. I have tried nearly all the NSSCipherSuite settings in 
>> that ticket but none so far has eliminated the FREAK report.
>> Christian thanks for the heads up on the syntax, I wasn't sure of what
>> I was doing
>> Each time I've made a change I've run an sslscan from the OpenVAS scanner 
>> and I do get a different result each time but the errors still remains in 
>> OpenVAS.
>> Aaargh! Just noticed the port is 636/tcp(!) which is ns-slapd.
>> Back to the drawing board :-)
> Hi Terry,
> you can give the attached file a try. It's a ldif file for ipa-ldap-updater. 
> You need to run the command on the machine as root and restart 389-DS.
> The hardened TLS configuration is highly experimental and comes with no 
> warranty whatsoever. The configuration works on my tests systems with 
> Python's ldap client and Apache Directory Studio. It may not work with other 
> clients, especially older clients or clients in FIPS mode.
> Christian
> The Manheim group of companies within the UK comprises: Manheim Europe 
> Limited (registered number: 03183918), Manheim Auctions Limited (registered 
> number: 00448761), Manheim Retail Services Limited (registered number: 
> 02838588), Motors.co.uk Limited (registered number: 05975777), Real Time 
> Communications Limited (registered number: 04277845) and Complete Automotive 
> Solutions Limited (registered number: 05302535). Each of these companies is 
> registered in England and Wales with the registered office address of Central 
> House, Leeds Road, Rothwell, Leeds LS26 0JE. The Manheim group of companies 
> operates under various brand/trading names including Manheim Inspection 
> Services, Manheim Auctions, Manheim Direct, Manheim De-fleet and Manheim 
> Aftersales Solutions.
> V:0CF72C13B2AC

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to