Terry John wrote:
> I'm really confused now. After the problem where my freeipa server would not 
> start and I had to use the backup I'm trying to do things in small steps.
> 
> Listening to everything that has been said (thanks) I edited 
> slapd-<MY-NET>/dse.ldif and slapd-PKI-IPA/dse.ldif and changed the lines
> 
> nsSSL3Ciphers:  <My-Original-Ciphers>
> to
> nsSSL3Ciphers:+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha
> (There is a space after the colon)
> 
> Then I did a 'service ipa restart' and when I looked the dse.ldif files had 
> reverted back to their original settings.
> 
> Where am I going wrong?

dse.ldif is written out when the server shuts down so any changes you
make to it while 389-ds is running are lost.

rob

> 
> Terry
> 
> 
> -----Original Message-----
> From: Rob Crittenden [mailto:rcrit...@redhat.com] 
> Sent: 28 January 2016 04:49
> To: Marat Vyshegorodtsev; Terry John; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] FREAK Vulnerability
> 
> Marat Vyshegorodtsev wrote:
>> My two cents:
>>
>> My "magic" string for NSS is like this (I had to move to Fedora 23 
>> from CentOS in order to get more recent NSS version though):
>>
>> NSSProtocol TLSv1.2
> >> NSSCipherSuite -All,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+aes_256_sha_256,+aes_128_sha_256,+rsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_rsa_aes_128_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_gcm_sha_256
> 
> The -All is a syntax error (ignored). All ciphers are disabled by default 
> anyway.
> 
> I'd suggest using the ticket already referenced as a starting point.
> 
> /usr/lib[64]/nss/unsupported-tools/listsuites is also handy to see what is 
> enabled by default in NSS (though again, everything is disabled by mod_nss at 
> startup).
> 
> rob
> 
>>
>> My cert is ECDSA private CA though. If you are interested, I can give 
>> you my chef recipe snippets to configure it.
>>
>> On Thu, Jan 28, 2016 at 11:02 AM, Marat Vyshegorodtsev 
>> <marat.vyshegorodt...@gmail.com> wrote:
>>> On Fri, Jan 22, 2016 at 1:54 AM, Terry John 
>>> <terry.j...@completeautomotivesolutions.co.uk> wrote:
>>>>>> I've been trying to tidy the security on my FreeIPA and this is 
>>>>>> causing me some problems. I'm using OpenVAS vulnerability scanner 
>>>>>> and it is coming up with this issue
>>>>>>
>>>>>> EXPORT_RSA cipher suites supported by the remote server:
>>>>>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0006)
>>>>>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0003)
>>>>>>
> >>>>>> It seems we have to disable export TLS ciphers but I can't see how. 
> >>>>>> I've edited /etc/httpd/conf.d/nss.conf and disabled all SSL and TLSv1.0.
>>>>>
>>>>>> NSSCipherSuite -all,-exp,+<the ones I want>
>>>>>>
>>>>>> I've restarted httpd and ipa but it still fails
>>>>>>
>>>>>> Is there something I have overlooked
>>>>
>>>>
>>>>> Hi Terry,
>>>>>
>>>>> Please check
>>>>> https://fedorahosted.org/freeipa/ticket/5589
>>>>>
>>>>> We are trying to come up with a better cipher suite right now. The fix 
>>>>> should be in some of the next FreeIPA 4.3.x versions.
>>>>>
>>>>> The ticket has more details in it.
>>>>
>>>> Thanks for the info. I have tried nearly all the NSSCipherSuite settings 
>>>> in that ticket but none so far has eliminated the FREAK report.
>>>> Christian thanks for the heads up on the syntax, I wasn't sure of 
>>>> what I was doing
>>>>
> >>>> Each time I've made a change I've run an sslscan from the OpenVAS scanner 
> >>>> and I do get a different result each time but the error still remains in 
> >>>> OpenVAS.
>>>> Aaargh! Just noticed the port is 636/tcp(!) which is ns-slapd.
>>>>
>>>> Back to the drawing board :-)
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go to http://freeipa.org for more info on the project
>>
> 

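Pulling the thread's three practical points together in one place, here is an added example (my own script, not code from the list, from FreeIPA or from 389-ds): it validates an NSS cipher string of the kind used for nsSSL3Ciphers and NSSCipherSuite (reporting "-All" as the syntax error Rob describes), lists any enabled suite that still carries an EXPORT/RC2/RC4/MD5/DES/NULL algorithm, extracts the EXPORT suites from an OpenVAS-style report, and prints the LDIF that changes nsSSL3Ciphers on the running directory server over LDAP, so the server writes the new value to dse.ldif itself instead of overwriting a hand edit at shutdown. The sample values TERRY_LIST, MARAT_LIST and OPENVAS_REPORT are constructed from the messages above; the DN cn=encryption,cn=config is where 389-ds keeps nsSSL3Ciphers; the WEAK_FRAGMENTS heuristic and the handling of a lower-case "-all" (treated as "start from nothing") are my assumptions.

```python
"""Audit an NSS cipher list (389-ds nsSSL3Ciphers / mod_nss NSSCipherSuite),
pick the EXPORT suites out of a scanner report, and emit the LDIF that
changes the directory server's ciphers without hand-editing dse.ldif.
Added example; not code from the thread, FreeIPA or 389-ds."""
import re

# One token per suite: "+name" enables it, "-name" disables it.  NSS names
# are lower case, so "-All" does not match and is reported as a syntax error
# (the behaviour Rob describes for mod_nss).
TOKEN_RE = re.compile(r"^[+-][a-z0-9_]+$")

# Name fragments that mark suites which must never stay enabled: the
# EXPORT/RC2/RC4/MD5 suites OpenVAS flagged plus other legacy algorithms.
# Assumption: this list is the author's hardening choice, not an NSS table.
WEAK_FRAGMENTS = ("export", "rc2", "rc4", "md5", "des", "null", "_40")

# Constructed samples taken from the thread.  Terry's value keeps the space
# after the colon; Marat's keeps the "-All" token.
TERRY_LIST = (" +aes_128_sha_256,+aes_256_sha_256,"
              "+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,"
              "+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,"
              "+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,"
              "+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,"
              "+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,"
              "+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha")
MARAT_LIST = ("-All,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,"
              "+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,"
              "+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,"
              "+aes_256_sha_256,+aes_128_sha_256,+rsa_aes_128_gcm_sha_256,"
              "+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_rsa_aes_128_sha_256,"
              "+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_gcm_sha_256")
OPENVAS_REPORT = """EXPORT_RSA cipher suites supported by the remote server:
TLSv1.0: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0006)
TLSv1.0: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0003)
"""


def tokens(cipher_list):
    """Split a cipher string into tokens, dropping the space after the colon
    and any line wrapping a mail client inserted."""
    compact = re.sub(r"\s+", "", cipher_list)
    return [t for t in compact.split(",") if t]


def syntax_errors(cipher_list):
    """Tokens that are not lower-case '+name' / '-name'; '-All' is one."""
    return [t for t in tokens(cipher_list) if not TOKEN_RE.match(t)]


def enabled_ciphers(cipher_list):
    """Set of suite names left enabled after processing the list left to
    right.  Malformed tokens are skipped.  Assumption: '-all' clears the set;
    '+all' would need the full NSS suite table (see listsuites) and is refused."""
    enabled = set()
    for t in tokens(cipher_list):
        if not TOKEN_RE.match(t):
            continue
        sign, name = t[0], t[1:]
        if name == "all":
            if sign == "+":
                raise ValueError("'+all' needs the NSS suite table; run listsuites")
            enabled.clear()
        elif sign == "+":
            enabled.add(name)
        else:
            enabled.discard(name)
    return enabled


def weak_enabled(cipher_list):
    """Enabled suites whose name carries one of WEAK_FRAGMENTS."""
    return sorted(n for n in enabled_ciphers(cipher_list)
                  if any(f in n for f in WEAK_FRAGMENTS))


# Matches scanner lines such as "TLSv1.0: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0003)".
SCAN_LINE_RE = re.compile(r"^(TLSv1\.\d|SSLv\d):\s+(\w+)\s+\((\w+)\)")


def export_suites(scan_output):
    """(protocol, suite, hex id) for every EXPORT suite in a scanner report."""
    found = []
    for line in scan_output.splitlines():
        m = SCAN_LINE_RE.match(line.strip())
        if m and "_EXPORT_" in m.group(2):
            found.append((m.group(1), m.group(2), m.group(3)))
    return found


def ldif_for_dirsrv(cipher_list):
    """LDIF for ldapmodify that replaces nsSSL3Ciphers on the live server.
    A hand edit of dse.ldif is overwritten when ns-slapd writes the file at
    shutdown; a modify over LDAP is persisted by the server itself and takes
    effect after the next restart."""
    value = ",".join(tokens(cipher_list))
    return ("dn: cn=encryption,cn=config\n"
            "changetype: modify\n"
            "replace: nsSSL3Ciphers\n"
            f"nsSSL3Ciphers: {value}\n")


if __name__ == "__main__":
    for label, value in (("Terry", TERRY_LIST), ("Marat", MARAT_LIST)):
        print(f"{label}: syntax errors={syntax_errors(value)} "
              f"weak={weak_enabled(value)}")
    print("export suites in scan:", export_suites(OPENVAS_REPORT))
    print(ldif_for_dirsrv(TERRY_LIST))
```

Feed the printed LDIF to `ldapmodify -x -H ldap://localhost -D "cn=Directory Manager" -W` for each instance (the IPA one and PKI-IPA), then `ipactl restart`; afterwards re-run the scanner against 636/tcp as well as 443/tcp, since the thread shows the EXPORT finding came from ns-slapd, not httpd.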
