Prasun Gera wrote:
> Can someone at RH update this
> article https://access.redhat.com/articles/1467293 ? I found it to be
> fairly useful, but I'm not sure if it's up to date. 

mod_nss was rebased from 1.0.8 to 1.0.10 in 7.2 which added TLSv1.2
support. I'll notify the author.

rob

> 
> On Thu, Jan 28, 2016 at 11:04 AM, Terry John
> <terry.j...@completeautomotivesolutions.co.uk
> <mailto:terry.j...@completeautomotivesolutions.co.uk>> wrote:
> 
>     Ok thanks for that but I've had to give up, our freeipa server is
>     too critical to our business for me to continue even with outages of
>     one or two minutes.
> 
>     The Ciphers below were not recognised and when I just tried to
>     remove the export ciphers from the original list I got this error
>     (Netscape Portable Runtime error -12266 - An unknown SSL cipher
>     suite has been requested.)
> 
>     A type or a fundamental problem I don't know.
> 
>     I am working in an AWS environment and have tried making a clone and
>     working on that but freeipa just gets confused and stops. I suppose
>     another alternative is to build a freeipa server from scratch and
>     work on that. Seems an awful lot of work to remove one cipher :-(
> 
>     terry
> 
>     -----Original Message-----
>     From: Rob Crittenden [mailto:rcrit...@redhat.com
>     <mailto:rcrit...@redhat.com>]
>     Sent: 28 January 2016 14:35
>     To: Terry John; Marat Vyshegorodtsev; freeipa-users@redhat.com
>     <mailto:freeipa-users@redhat.com>
>     Subject: Re: [Freeipa-users] FREAK Vulnerability
> 
>     Terry John wrote:
>     > I'm really confused now. After the problem where my feeipa server
>     would not start and I had to use the backup I'm trying to do things
>     in small steps.
>     >
>     > Listening to everything that has been said (thanks) I edited
>     > slapd-<MY-NET>/dse.ldif slapd-PKI-IPA/dse.ldif and changed the lines
>     >
>     > nsSSL3Ciphers:  <My-Original-Ciphers>
>     > to
>     > nsSSL3Ciphers:+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_g
>     > cm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+
>     > ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_
>     > 128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes
>     > _128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_25
>     > 6_sha
>     > (There is a space after the colon)
>     >
>     > Then I did a 'service ip restart' and when I looked the dse.ldif
>     files had reverted back to their original settings..
>     >
>     > Where am I going wrong?
> 
>     dse.ldif is written out when the server shuts down so any changes
>     you make to it while 389-ds is running are lost.
> 
>     rob
> 
>     >
>     > Terry
>     >
>     >
>     > -----Original Message-----
>     > From: Rob Crittenden [mailto:rcrit...@redhat.com
>     <mailto:rcrit...@redhat.com>]
>     > Sent: 28 January 2016 04:49
>     > To: Marat Vyshegorodtsev; Terry John; freeipa-users@redhat.com
>     <mailto:freeipa-users@redhat.com>
>     > Subject: Re: [Freeipa-users] FREAK Vulnerability
>     >
>     > Marat Vyshegorodtsev wrote:
>     >> My two cents:
>     >>
>     >> My "magic" string for NSS is like this (I had to move to Fedora 23
>     >> from CentOS in order to get more recent NSS version though):
>     >>
>     >> NSSProtocol TLSv1.2
>     >> NSSCipherSuite
>     >> -All,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdh_ecdsa_ae
>     >> s
>     >> _128_sha,+ecdh_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecds
>     >> a
>     >> _aes_256_sha,+aes_256_sha_256,+aes_128_sha_256,+rsa_aes_128_gcm_sha_2
>     >> 5
>     >> 6,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_rsa_aes_128_sha_256,+ecdhe_ecds
>     >> a
>     >> _aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_gcm_sha_256
>     >
>     > The -All is a syntax error (ignored). All ciphers are disabled by
>     default anyway.
>     >
>     > I'd suggest using the ticket already referenced as a starting point.
>     >
>     > /usr/lib[64]/nss/unsupported-tools/listsuites is also handy to see
>     what is enabled by default in NSS (though again, everything is
>     disabled by mod_nss at startup).
>     >
>     > rob
>     >
>     >>
>     >> My cert is ECDSA private CA though. If you are interested, I can give
>     >> you my chef recipe snippets to configure it.
>     >>
>     >> On Thu, Jan 28, 2016 at 11:02 AM, Marat Vyshegorodtsev
>     >> <marat.vyshegorodt...@gmail.com
>     <mailto:marat.vyshegorodt...@gmail.com>> wrote:
>     >>> My two cents:
>     >>>
>     >>> My "magic" string for NSS is like this (I had to move to Fedora 23
>     >>> from CentOS in order to get more recent NSS version though):
>     >>>
>     >>> NSSProtocol TLSv1.2
>     >>> NSSCipherSuite
>     >>> -All,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdh_ecdsa_a
>     >>> e
>     >>> s_128_sha,+ecdh_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ec
>     >>> d
>     >>> sa_aes_256_sha,+aes_256_sha_256,+aes_128_sha_256,+rsa_aes_128_gcm_sh
>     >>> a
>     >>> _256,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_rsa_aes_128_sha_256,+ecdhe_
>     >>> e
>     >>> cdsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_gcm_sha_256
>     >>>
>     >>> My cert is ECDSA private CA though. If you are interested, I can
>     >>> give you my chef recipe snippets to configure it.
>     >>>
>     >>> Marat
>     >>>
>     >>> On Fri, Jan 22, 2016 at 1:54 AM, Terry John
>     >>> <terry.j...@completeautomotivesolutions.co.uk
>     <mailto:terry.j...@completeautomotivesolutions.co.uk>> wrote:
>     >>>>>> I've been trying to tidy the security on my FreeIPA and this is
>     >>>>>> causing me some problems. I'm using OpenVAS vulnerability scanner
>     >>>>>> and it is coming up with this issue
>     >>>>>>
>     >>>>>> EXPORT_RSA cipher suites supported by the remote server:
>     >>>>>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0006)
>     >>>>>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0003)
>     >>>>>>
>     >>>>>> It seems we have to disable export  TLS ciphers but I can't
>     see how. I've edited /etc/httpd/conf.d/nss.conf and disabled all SSL
>     and TLSV1.0.
>     >>>>>
>     >>>>>> NSSCipherSuite -all,-exp,+<the ones I want>
>     >>>>>>
>     >>>>>> I've restarted httpd and ipa but it still fails
>     >>>>>>
>     >>>>>> Is there something I have overlooked
>     >>>>
>     >>>>
>     >>>>> Hi Terry,
>     >>>>>
>     >>>>> Please check
>     >>>>> https://fedorahosted.org/freeipa/ticket/5589
>     >>>>>
>     >>>>> We are trying to come up with a better cipher suite right now.
>     The fix should be in some of the next FreeIPA 4.3.x versions.
>     >>>>>
>     >>>>> The ticket has more details in it.
>     >>>>
>     >>>> Thanks for the info. I have tried nearly all the NSSCipherSuite
>     settings in that ticket but none so far has eliminated the FREAK report.
>     >>>> Christian thanks for the heads up on the syntax, I wasn't sure of
>     >>>> what I was doing
>     >>>>
>     >>>> Each time I've made a change I've run an sslscan from the
>     OpenVAS scanner and I do get a different result each time but the
>     errors still remains in OpenVAS.
>     >>>> Aaargh! Just noticed the port is 636/tcp(!) which is ns-slapd.
>     >>>>
>     >>>> Back to the drawing board :-)
>     >>>>
>     >>>>
>     >>>>
>     >>>>
>     >>>> The Manheim group of companies within the UK comprises: Manheim
>     Europe Limited (registered number: 03183918), Manheim Auctions
>     Limited (registered number: 00448761), Manheim Retail Services
>     Limited (registered number: 02838588), Motors.co.uk
>     <http://Motors.co.uk> Limited (registered number: 05975777), Real
>     Time Communications Limited (registered number: 04277845) and
>     Complete Automotive Solutions Limited (registered number: 05302535).
>     Each of these companies is registered in England and Wales with the
>     registered office address of Central House, Leeds Road, Rothwell,
>     Leeds LS26 0JE. The Manheim group of companies operates under
>     various brand/trading names including Manheim Inspection Services,
>     Manheim Auctions, Manheim Direct, Manheim De-fleet and Manheim
>     Aftersales Solutions.
>     >>>>
>     >>>> V:0CF72C13B2AC
>     >>>>
>     >>>>
>     >>>>
>     >>>> --
>     >>>> Manage your subscription for the Freeipa-users mailing list:
>     >>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>     >>>> Go to http://freeipa.org for more info on the project
>     >>
>     >
> 
> 
>     --
>     Manage your subscription for the Freeipa-users mailing list:
>     https://www.redhat.com/mailman/listinfo/freeipa-users
>     Go to http://freeipa.org for more info on the project
> 
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to