Ok thanks for that but I've had to give up, our freeipa server is too critical 
to our business for me to continue even with outages of one or two minutes.

The ciphers below were not recognised, and when I just tried to remove the 
export ciphers from the original list I got this error
(Netscape Portable Runtime error -12266 - An unknown SSL cipher suite has been 
requested.)

A typo or a fundamental problem, I don't know.

I am working in an AWS environment and have tried making a clone and working on 
that but freeipa just gets confused and stops. I suppose another alternative is 
to build a freeipa server from scratch and work on that. Seems an awful lot of 
work to remove one cipher :-(

terry
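For anyone following this thread who wants to confirm whether the ns-slapd listener on 636/tcp really still offers the two EXPORT_RSA suites OpenVAS reported (0x0003 and 0x0006), here is a small stand-alone probe. It is an added example, not code from the original posts and not part of FreeIPA or 389-ds. It sends a TLS 1.0 ClientHello that offers only those two suites and reports whether the server picks one (still vulnerable) or answers with a handshake_failure alert (fixed). Host and port are command-line arguments of my choosing; the suite ids are the IANA values shown in the scanner output.

```python
"""Probe a TLS listener for export-grade RSA cipher suites (FREAK check).

Added example, not from the mailing-list thread.  It builds a minimal TLS 1.0
ClientHello that offers ONLY the suites you name, sends it, and classifies the
first record that comes back.  A correctly hardened server must answer with an
alert (handshake_failure, 40), never with a ServerHello.
"""
import os
import socket
import struct

# IANA cipher-suite ids for the two suites the OpenVAS report listed.
EXPORT_RSA_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
}

TLS10 = b"\x03\x01"
CONTENT_HANDSHAKE = 0x16
CONTENT_ALERT = 0x15
HS_CLIENT_HELLO = 0x01
HS_SERVER_HELLO = 0x02


def _handshake_record(hs_type, body):
    """Wrap a handshake body in a handshake header and a TLS 1.0 record."""
    hs = struct.pack("!B", hs_type) + struct.pack("!I", len(body))[1:] + body
    return struct.pack("!B2sH", CONTENT_HANDSHAKE, TLS10, len(hs)) + hs


def build_client_hello(suites, random_bytes=None):
    """Return a TLS record holding a ClientHello that offers exactly `suites`."""
    rnd = os.urandom(32) if random_bytes is None else random_bytes
    assert len(rnd) == 32
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (TLS10 + rnd + b"\x00"                 # version, random, empty session id
            + struct.pack("!H", len(cs)) + cs     # cipher_suites vector
            + b"\x01\x00")                        # compression methods: null only
    return _handshake_record(HS_CLIENT_HELLO, body)


def build_server_hello(suite, random_bytes=None):
    """Constructed ServerHello selecting `suite`; used for offline testing only."""
    rnd = os.urandom(32) if random_bytes is None else random_bytes
    body = TLS10 + rnd + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return _handshake_record(HS_SERVER_HELLO, body)


def parse_server_response(data):
    """Classify the first TLS record the server sent back.

    Returns ("accepted", suite_id) for a ServerHello, ("alert", description)
    for an alert record, or ("unknown", content_type) for anything else.
    """
    if len(data) < 5:
        raise ValueError("short record")
    ctype, _ver, rlen = struct.unpack("!B2sH", data[:5])
    rec = data[5:5 + rlen]
    if len(rec) < rlen:
        raise ValueError("truncated record")
    if ctype == CONTENT_ALERT:
        return ("alert", rec[1])             # rec[0] is level, rec[1] is description
    if ctype == CONTENT_HANDSHAKE and rec[0] == HS_SERVER_HELLO:
        # handshake header (4) + version (2) + random (32) + session_id length (1)
        sid_len = rec[4 + 2 + 32]
        off = 4 + 2 + 32 + 1 + sid_len
        suite = struct.unpack("!H", rec[off:off + 2])[0]
        return ("accepted", suite)
    return ("unknown", ctype)


def probe_export_rsa(host, port=636, timeout=5.0):
    """Offer only the EXPORT_RSA suites to host:port and return the verdict."""
    hello = build_client_hello(sorted(EXPORT_RSA_SUITES))
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(hello)
        data = sock.recv(4096)
    return parse_server_response(data)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 636
    verdict, detail = probe_export_rsa(host, port)
    if verdict == "accepted":
        print(f"VULNERABLE: {host}:{port} negotiated "
              f"{EXPORT_RSA_SUITES.get(detail, hex(detail))}")
    elif verdict == "alert":
        print(f"OK: {host}:{port} refused the export suites (alert {detail})")
    else:
        print(f"unexpected record type {hex(detail)} from {host}:{port}")
```

Run it as `python3 freak_probe.py ipa.example.com 636` against each listener (636 for ns-slapd, 443 for httpd) after the cipher change has taken effect. Because it only ever offers the two export suites, a ServerHello is proof of the problem regardless of what other scanners say, and an alert is proof that this particular finding is gone; it does not check any other weak suite.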

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: 28 January 2016 14:35
To: Terry John; Marat Vyshegorodtsev; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FREAK Vulnerability

Terry John wrote:
> I'm really confused now. After the problem where my freeipa server would not 
> start and I had to use the backup I'm trying to do things in small steps.
> 
> Listening to everything that has been said (thanks) I edited 
> slapd-<MY-NET>/dse.ldif slapd-PKI-IPA/dse.ldif and changed the lines
> 
> nsSSL3Ciphers:  <My-Original-Ciphers>
> to
> nsSSL3Ciphers: +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha
> (There is a space after the colon)
> 
> Then I did a 'service ipa restart' and when I looked the dse.ldif files had 
> reverted back to their original settings.
> 
> Where am I going wrong?

dse.ldif is written out when the server shuts down so any changes you make to 
it while 389-ds is running are lost.

rob

> 
> Terry
> 
> 
> -----Original Message-----
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: 28 January 2016 04:49
> To: Marat Vyshegorodtsev; Terry John; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] FREAK Vulnerability
> 
> Marat Vyshegorodtsev wrote:
>> My two cents:
>>
>> My "magic" string for NSS is like this (I had to move to Fedora 23 
>> from CentOS in order to get more recent NSS version though):
>>
>> NSSProtocol TLSv1.2
>> NSSCipherSuite
>> -All,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+aes_256_sha_256,+aes_128_sha_256,+rsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_rsa_aes_128_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_gcm_sha_256
> 
> The -All is a syntax error (ignored). All ciphers are disabled by default 
> anyway.
> 
> I'd suggest using the ticket already referenced as a starting point.
> 
> /usr/lib[64]/nss/unsupported-tools/listsuites is also handy to see what is 
> enabled by default in NSS (though again, everything is disabled by mod_nss at 
> startup).
> 
> rob
> 
>>
>> My cert is ECDSA private CA though. If you are interested, I can give 
>> you my chef recipe snippets to configure it.
>>
>>> On Fri, Jan 22, 2016 at 1:54 AM, Terry John 
>>> <terry.j...@completeautomotivesolutions.co.uk> wrote:
>>>>>> I've been trying to tidy the security on my FreeIPA and this is 
>>>>>> causing me some problems. I'm using OpenVAS vulnerability scanner 
>>>>>> and it is coming up with this issue
>>>>>>
>>>>>> EXPORT_RSA cipher suites supported by the remote server:
>>>>>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0006)
>>>>>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0003)
>>>>>>
>>>>>> It seems we have to disable export TLS ciphers but I can't see how. 
>>>>>> I've edited /etc/httpd/conf.d/nss.conf and disabled all SSL and TLSv1.0.
>>>>>
>>>>>> NSSCipherSuite -all,-exp,+<the ones I want>
>>>>>>
>>>>>> I've restarted httpd and ipa but it still fails
>>>>>>
>>>>>> Is there something I have overlooked
>>>>
>>>>
>>>>> Hi Terry,
>>>>>
>>>>> Please check
>>>>> https://fedorahosted.org/freeipa/ticket/5589
>>>>>
>>>>> We are trying to come up with a better cipher suite right now. The fix 
>>>>> should be in some of the next FreeIPA 4.3.x versions.
>>>>>
>>>>> The ticket has more details in it.
>>>>
>>>> Thanks for the info. I have tried nearly all the NSSCipherSuite settings 
>>>> in that ticket but none so far has eliminated the FREAK report.
>>>> Christian thanks for the heads up on the syntax, I wasn't sure of 
>>>> what I was doing
>>>>
>>>> Each time I've made a change I've run an sslscan from the OpenVAS scanner 
>>>> and I do get a different result each time but the error still remains in 
>>>> OpenVAS.
>>>> Aaargh! Just noticed the port is 636/tcp(!) which is ns-slapd.
>>>>
>>>> Back to the drawing board :-)
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go to http://freeipa.org for more info on the project
>>
> 

