I'm really confused now. After the problem where my freeipa server would not 
start and I had to use the backup I'm trying to do things in small steps.

Listening to everything that has been said (thanks) I edited 
slapd-<MY-NET>/dse.ldif and slapd-PKI-IPA/dse.ldif and changed the lines

nsSSL3Ciphers: <My-Original-Ciphers>
to
nsSSL3Ciphers: +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha
(There is a space after the colon)

Then I did a 'service ip restart' and when I looked the dse.ldif files had 
reverted back to their original settings.

Where am I going wrong?

Terry

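Two points in this thread lend themselves to a small offline tool: Rob's remark further down that `-All` is not a cipher name and is simply ignored, and the edit to `nsSSL3Ciphers` in dse.ldif. The Python below is an added example written for this page, not code from FreeIPA, 389-ds or mod_nss. It lints a `+name,-name` cipher spec (tokens without a sign, the `All` keyword, duplicate names, and `+` entries that enable export, RC2/RC4, single-DES, MD5 or NULL suites, the class OpenVAS reported here) and rewrites the attribute in a copy of dse.ldif, unfolding LDIF continuation lines so a wrapped value is replaced whole. The dse.ldif fragment is constructed; the replacement list is the one Terry posted above. One caveat that explains the reverted files: ns-slapd writes its in-memory configuration back to dse.ldif when it shuts down, so a hand edit made while the instance is running is overwritten at the next restart. Edit the file only with the instance stopped, or change `cn=encryption,cn=config` on the running server with ldapmodify instead.

```python
"""Lint an NSS cipher spec (mod_nss NSSCipherSuite / 389-ds nsSSL3Ciphers) and rewrite
that attribute in a copy of dse.ldif.  Added helper code for this thread; sample data is constructed."""
import re

# Name fragments marking suite classes scanners flag: export RSA (the FREAK finding), RC2/RC4, DES, MD5, NULL.
WEAK_MARKERS = ("export", "rc2", "rc4", "_des_", "md5", "null")
# Per Rob's reply, "-All" is not a cipher name and is ignored, so it is reported rather than honoured.
NOT_A_CIPHER = {"all"}
TOKEN_RE = re.compile(r"^([+-])([A-Za-z0-9_]+)$")
ENC_DN = "cn=encryption,cn=config"  # 389-ds entry that carries nsSSL3Ciphers


def lint_cipher_spec(spec):
    """Return ([(sign, name), ...], [problem, ...]); '-' entries are never flagged as weak."""
    suites, problems, seen = [], [], set()
    for token in (t.strip() for t in spec.split(",")):
        if not token:
            continue
        m = TOKEN_RE.match(token)
        if not m:
            problems.append(f"malformed token {token!r}: expected +name or -name")
            continue
        sign, name = m.group(1), m.group(2).lower()
        if name in NOT_A_CIPHER:
            problems.append(f"{token!r} is not a cipher name and is ignored")
            continue
        if name in seen:
            problems.append(f"duplicate entry {token!r}")
            continue
        seen.add(name)
        if sign == "+" and any(w in name for w in WEAK_MARKERS):
            problems.append(f"{token!r} enables a weak suite")
        suites.append((sign, name))
    return suites, problems


def _find_entry(lines, entry_dn):
    """Return (start, end) line indices of the blank-line-delimited entry with this dn."""
    start = None
    for i, line in enumerate(lines + [""]):  # sentinel closes a final entry
        if line.strip() == "":
            if start is not None and lines[start].lower() == f"dn: {entry_dn.lower()}":
                return start, i
            start = None
        elif start is None:
            start = i
    raise ValueError(f"no entry with dn {entry_dn!r}")


def get_ldif_attribute(ldif_text, entry_dn, attr):
    """Return the value of `attr` in entry `entry_dn`, joining folded lines; '' if absent."""
    lines = ldif_text.splitlines()
    start, end = _find_entry(lines, entry_dn)
    for i in range(start + 1, end):
        if lines[i].lower().startswith(attr.lower() + ":"):
            value = lines[i].split(":", 1)[1].strip()
            for cont in lines[i + 1:end]:
                if not cont.startswith(" "):
                    break
                value += cont[1:]  # LDIF folding: leading space is dropped on join
            return value
    return ""


def set_ldif_attribute(ldif_text, entry_dn, attr, value):
    """Return ldif_text with `attr` in entry `entry_dn` set to `value` (added if absent)."""
    lines = ldif_text.splitlines()
    start, end = _find_entry(lines, entry_dn)
    body, replaced, skipping = [], False, False
    for line in lines[start + 1:end]:
        if line.lower().startswith(attr.lower() + ":"):
            if not replaced:
                body.append(f"{attr}: {value}")
            replaced, skipping = True, True
            continue
        if skipping and line.startswith(" "):
            continue  # folded continuation of the old value
        skipping = False
        body.append(line)
    if not replaced:
        body.append(f"{attr}: {value}")
    return "\n".join(lines[:start + 1] + body + lines[end:]) + "\n"


# Constructed dse.ldif fragment whose cipher list still offers export RC4/MD5 suites.
SAMPLE_DSE = """\
dn: cn=config
cn: config

dn: cn=encryption,cn=config
objectClass: nsEncryptionConfig
nsSSL3Ciphers: +rsa_export_rc4_40_md5,+rsa_rc4_128_md5,
 +rsa_aes_128_sha
nsSSLClientAuth: allowed
"""

# The replacement list Terry posted above.
HARDENED = ("+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,"
            "+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,"
            "+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,"
            "+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha")
```

Running `lint_cipher_spec(get_ldif_attribute(SAMPLE_DSE, ENC_DN, "nsSSL3Ciphers"))` reports the two export/RC4 entries; `set_ldif_attribute(SAMPLE_DSE, ENC_DN, "nsSSL3Ciphers", HARDENED)` returns the fragment with the folded value replaced by the posted list, which lints clean. Run the linter over the `NSSCipherSuite` value quoted below and it reports `-All` plus the two suites that appear twice in that string.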

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: 28 January 2016 04:49
To: Marat Vyshegorodtsev; Terry John; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FREAK Vulnerability

Marat Vyshegorodtsev wrote:
> My two cents:
> 
> My "magic" string for NSS is like this (I had to move to Fedora 23 
> from CentOS in order to get more recent NSS version though):
> 
> NSSProtocol TLSv1.2
> NSSCipherSuite -All,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+aes_256_sha_256,+aes_128_sha_256,+rsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_rsa_aes_128_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_gcm_sha_256

The -All is a syntax error (ignored). All ciphers are disabled by default 
anyway.

I'd suggest using the ticket already referenced as a starting point.

/usr/lib[64]/nss/unsupported-tools/listsuites is also handy to see what is 
enabled by default in NSS (though again, everything is disabled by mod_nss at 
startup).

rob

> 
> My cert is ECDSA private CA though. If you are interested, I can give 
> you my chef recipe snippets to configure it.
> 
> On Thu, Jan 28, 2016 at 11:02 AM, Marat Vyshegorodtsev 
> <marat.vyshegorodt...@gmail.com> wrote:
>> On Fri, Jan 22, 2016 at 1:54 AM, Terry John 
>> <terry.j...@completeautomotivesolutions.co.uk> wrote:
>>>>> I've been trying to tidy the security on my FreeIPA and this is 
>>>>> causing me some problems. I'm using OpenVAS vulnerability scanner 
>>>>> and it is coming up with this issue
>>>>>
>>>>> EXPORT_RSA cipher suites supported by the remote server:
>>>>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0006)
>>>>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0003)
>>>>>
>>>>> It seems we have to disable export TLS ciphers but I can't see how. I've 
>>>>> edited /etc/httpd/conf.d/nss.conf and disabled all SSL and TLSV1.0.
>>>>
>>>>> NSSCipherSuite -all,-exp,+<the ones I want>
>>>>>
>>>>> I've restarted httpd and ipa but it still fails
>>>>>
>>>>> Is there something I have overlooked?
>>>
>>>
>>>> Hi Terry,
>>>>
>>>> Please check
>>>> https://fedorahosted.org/freeipa/ticket/5589
>>>>
>>>> We are trying to come up with a better cipher suite right now. The fix 
>>>> should be in some of the next FreeIPA 4.3.x versions.
>>>>
>>>> The ticket has more details in it.
>>>
>>> Thanks for the info. I have tried nearly all the NSSCipherSuite settings in 
>>> that ticket but none so far has eliminated the FREAK report.
>>> Christian thanks for the heads up on the syntax, I wasn't sure of 
>>> what I was doing
>>>
>>> Each time I've made a change I've run an sslscan from the OpenVAS scanner 
>>> and I do get a different result each time but the errors still remain in 
>>> OpenVAS.
>>> Aaargh! Just noticed the port is 636/tcp(!) which is ns-slapd.
>>>
>>> Back to the drawing board :-)


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project