My two cents:

My "magic" string for NSS is like this (I had to move to Fedora 23
from CentOS in order to get more recent NSS version though):

NSSProtocol TLSv1.2
NSSCipherSuite -All,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+aes_256_sha_256,+aes_128_sha_256,+rsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_rsa_aes_128_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_gcm_sha_256

My cert is ECDSA private CA though. If you are interested, I can give
you my chef recipe snippets to configure it.

On Thu, Jan 28, 2016 at 11:02 AM, Marat Vyshegorodtsev
<marat.vyshegorodt...@gmail.com> wrote:
> My two cents:
>
> My "magic" string for NSS is like this (I had to move to Fedora 23
> from CentOS in order to get more recent NSS version though):
>
> NSSProtocol TLSv1.2
> NSSCipherSuite -All,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+aes_256_sha_256,+aes_128_sha_256,+rsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_rsa_aes_128_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_gcm_sha_256
>
> My cert is ECDSA private CA though. If you are interested, I can give
> you my chef recipe snippets to configure it.
>
> Marat
>
> On Fri, Jan 22, 2016 at 1:54 AM, Terry John
> <terry.j...@completeautomotivesolutions.co.uk> wrote:
>>>> I've been trying to tidy the security on my FreeIPA and this is
>>>> causing me some problems. I'm using OpenVAS vulnerability scanner and
>>>> it is coming up with this issue
>>>>
>>>> EXPORT_RSA cipher suites supported by the remote server:
>>>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0006)
>>>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0003)
>>>>
>>>> It seems we have to disable export TLS ciphers but I can't see how. I've 
>>>> edited /etc/httpd/conf.d/nss.conf and disabled all SSL and TLSV1.0.
>>>
>>>> NSSCipherSuite -all,-exp,+<the ones I want>
>>>>
>>>> I've restarted httpd and ipa but it still fails
>>>>
>>>> Is there something I have overlooked?
>>
>>
>>>Hi Terry,
>>>
>>>Please check
>>>https://fedorahosted.org/freeipa/ticket/5589
>>>
>>>We are trying to come up with a better cipher suite right now. The fix 
>>>should be in some of the next FreeIPA 4.3.x versions.
>>>
>>>The ticket has more details in it.
>>
>> Thanks for the info. I have tried nearly all the NSSCipherSuite settings in 
>> that ticket but none so far has eliminated the FREAK report.
>> Christian, thanks for the heads up on the syntax, I wasn't sure of what I was 
>> doing
>>
>> Each time I've made a change I've run an sslscan from the OpenVAS scanner 
>> and I do get a different result each time but the errors still remain in 
>> OpenVAS.
>> Aaargh! Just noticed the port is 636/tcp(!) which is ns-slapd.
>>
>> Back to the drawing board :-)
>>

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
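The thread turns on two things: what an NSSCipherSuite value actually leaves enabled once `-All` and the `+name` tokens are applied in order, and the fact that Terry's finding was on 636/tcp (ns-slapd), which httpd's nss.conf does not govern at all. The following script is an added example written for this page, not code from mod_nss, FreeIPA or any poster; it evaluates a directive string offline against a constructed set of suite names (the eleven names from Marat's string plus two assumed mod_nss spellings standing in for the export suites OpenVAS reported) and reports what remains enabled, which of those are export-grade or lack forward secrecy, and which tokens are duplicated or unrecognised. The left-to-right `+`/`-` semantics and the case-insensitive `all` keyword are assumptions stated in the code.

```python
"""Offline evaluator for a mod_nss NSSCipherSuite value.

Added example for this thread, not code from mod_nss or FreeIPA.
Assumed semantics (constructed here): tokens are applied left to
right, '+name' enables and '-name' disables, and 'all' (matched
case-insensitively) stands for every suite the build knows.
"""

# Constructed universe of mod_nss-style suite names. The eleven
# non-export names are taken from the NSSCipherSuite string posted in
# the thread; the two export-grade names are assumed spellings that
# stand in for the suites OpenVAS reported
# (TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 and TLS_RSA_EXPORT_WITH_RC4_40_MD5).
KNOWN_SUITES = frozenset({
    "rsa_rc2_40_md5",
    "rsa_rc4_40_md5",
    "ecdhe_ecdsa_aes_128_sha",
    "ecdhe_ecdsa_aes_256_sha",
    "ecdh_ecdsa_aes_128_sha",
    "ecdh_ecdsa_aes_256_sha",
    "aes_256_sha_256",
    "aes_128_sha_256",
    "rsa_aes_128_gcm_sha_256",
    "ecdhe_ecdsa_aes_128_sha_256",
    "ecdhe_rsa_aes_128_sha_256",
    "ecdhe_ecdsa_aes_128_gcm_sha_256",
    "ecdhe_rsa_aes_128_gcm_sha_256",
})

# Substrings that mark an export-grade or otherwise broken suite.
WEAK_MARKERS = ("_40_", "rc2", "rc4", "export", "null", "des_")


def classify(name):
    """Return the security notes that apply to one suite name."""
    notes = []
    if any(marker in name for marker in WEAK_MARKERS):
        notes.append("export-grade/weak")
    if not name.startswith(("ecdhe_", "dhe_")):
        # static RSA or static ECDH key exchange: no forward secrecy
        notes.append("no forward secrecy")
    if "_gcm_" not in name:
        notes.append("CBC/non-AEAD")
    return notes


def evaluate(directive, known=KNOWN_SUITES):
    """Apply an NSSCipherSuite value and report what is left enabled."""
    enabled = set()
    seen_tokens = set()
    duplicates = []
    unknown = []
    for raw in directive.split(","):
        token = raw.strip()
        if not token:
            continue
        if token[0] not in "+-":
            raise ValueError("token must start with + or -: %r" % token)
        op, name = token[0], token[1:].lower()
        if name == "all":
            targets = set(known)
        elif name in known:
            targets = {name}
        else:
            # Not in our constructed universe: report it rather than guess
            # how a real mod_nss build would treat the keyword.
            unknown.append(name)
            continue
        if token.lower() in seen_tokens:
            # Harmless, but a sign the string was assembled by hand.
            duplicates.append(name)
        seen_tokens.add(token.lower())
        if op == "+":
            enabled |= targets
        else:
            enabled -= targets
    ordered = sorted(enabled)
    return {
        "enabled": ordered,
        "duplicates": duplicates,
        "unknown": unknown,
        "export_grade": [n for n in ordered if "export-grade/weak" in classify(n)],
        "no_pfs": [n for n in ordered if "no forward secrecy" in classify(n)],
    }


# The string posted in the thread, joined onto one line as the directive expects.
MARAT_STRING = (
    "-All,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,"
    "+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,"
    "+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,"
    "+aes_256_sha_256,+aes_128_sha_256,+rsa_aes_128_gcm_sha_256,"
    "+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_rsa_aes_128_sha_256,"
    "+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_gcm_sha_256"
)

if __name__ == "__main__":
    for label, value in (("thread string", MARAT_STRING),
                         ("permissive default (constructed)", "+All,-rsa_rc4_40_md5")):
        report = evaluate(value)
        print("%s: %d suites enabled" % (label, len(report["enabled"])))
        for key in ("export_grade", "no_pfs", "duplicates", "unknown"):
            print("  %-13s %s" % (key + ":", ", ".join(report[key]) or "-"))
```

Run against the posted string it shows no export-grade suite enabled, two tokens listed twice, and five suites without forward secrecy (the static ECDH and plain RSA ones); against a `+All` baseline with only one export suite removed it shows the other still enabled, which is the shape of Terry's problem. Whatever this reports about nss.conf, the 636/tcp listener belongs to ns-slapd and has its own cipher configuration, so a clean httpd result there says nothing about the LDAPS finding.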
