Hello,
We currently have 7 IPA servers in multi-master running:

    ipa-server-3.0.0-47.el6_7.1.x86_64
    389-ds-base-1.2.11.15-68.el6_7.x86_64

Tenable is showing the use of weak ciphers along with FREAK vulnerabilities. I have followed https://access.redhat.com/solutions/675183, however issues remain in the ciphers being used. I have also modified dse.ldif with the following from http://freeipa-users.redhat.narkive.com/XGR9YzyN/weak-and-null-ciphers-detected-on-ldap-ports

With ipa stopped I modified dse.ldif with the below:

    modifyTimestamp: 20150420131906Z
    nsSSL3Ciphers: +all,-rsa_null_sha
    allowWeakCipher: off
    numSubordinates: 1

I turn on ipa and get:

    Starting Directory Service
    Starting dirsrv:
        PKI-IPA...[27/Apr/2016:01:23:21 -0400] - Entry "cn=encryption,cn=config" -- attribute "allowweakcipher" not allowed

So I go back into the file and allowWeakCipher now shows allowweakcipher (caps for W and C are now lower case).

nss.conf:

    # new config to stop using weak ciphers.
    NSSCipherSuite -rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,-fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_256_sha

    SSL Protocol:
    # Cryptographic protocols that provide communication security.
    # NSS handles the specified protocols as "ranges", and automatically
    # negotiates the use of the strongest protocol for a connection starting
    # with the maximum specified protocol and downgrading as necessary to the
    # minimum specified protocol that can be used between two processes.
    # Since all protocol ranges are completely inclusive, and no protocol in the
    NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2

server.xml:

    clientAuth="true"
    sslOptions="ssl2=off,ssl3=off,tls=true"
    ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"
    ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,-SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,-SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
    tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,-SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,-SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"

Is there a config for this version of IPA/DS somewhere that will pass POODLE, FREAK and null-cipher scanning, or only allow strong ciphers?

Sean Hogan
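As an added example (not part of the post above, and not FreeIPA or 389-ds code), the following Python script applies a cipher spec string of the kind quoted in the post (the `nsSSL3Ciphers` value in dse.ldif and the `NSSCipherSuite` value in nss.conf) to a list of candidate cipher names and reports which of the ciphers left enabled fall into a weak family (null, export-grade, RC4, RC2, DES, 3DES, MD5 MAC, Fortezza). The candidate list is constructed from the cipher names that appear in the post only, so it is not the full NSS cipher table; the spec semantics (comma-separated `+name`/`-name` entries, `all` addressing every candidate, later entries overriding earlier ones) are an assumption made for this example, as is the weak-family classification.

```python
"""Apply an NSS-style cipher spec and flag weak ciphers that remain enabled.

Cipher names come from the spec strings quoted in the post; the candidate
table and the weak-family classification are constructed for this example
and are NOT the complete NSS / 389-ds cipher table.
"""
import re

# Constructed candidate list: the NSS-style cipher names named in the post.
CANDIDATE_CIPHERS = [
    "rsa_rc4_128_md5", "rsa_rc4_128_sha", "rsa_3des_sha", "rsa_des_sha",
    "rsa_rc4_40_md5", "rsa_rc2_40_md5", "rsa_null_md5", "rsa_null_sha",
    "fips_3des_sha", "fips_des_sha", "fortezza", "fortezza_rc4_128_sha",
    "fortezza_null", "rsa_des_56_sha", "rsa_rc4_56_sha", "rsa_aes_256_sha",
]

# Constructed classification: a cipher whose name matches a pattern is flagged.
WEAK_PATTERNS = {
    "null (no encryption)": re.compile(r"(^|_)null(_|$)"),
    "export-grade (40/56-bit)": re.compile(r"_(40|56)(_|$)"),
    "RC4": re.compile(r"rc4"),
    "RC2": re.compile(r"rc2"),
    "single DES": re.compile(r"(^|_)des(_|$)"),
    "3DES": re.compile(r"3des"),
    "MD5 MAC": re.compile(r"md5$"),
    "Fortezza": re.compile(r"fortezza"),
}

# The two spec strings quoted in the post.
DSE_SPEC = "+all,-rsa_null_sha"
NSS_CONF_SPEC = (
    "-rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_3des_sha,-rsa_des_sha,"
    "-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,"
    "-fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,"
    "-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_256_sha"
)


def parse_cipher_spec(spec, candidates=CANDIDATE_CIPHERS):
    """Return the set of ciphers enabled after applying `spec` left to right.

    Assumed semantics: entries are comma-separated, '+name' enables and
    '-name' disables, 'all' addresses every candidate, and a later entry
    overrides an earlier one.  Unknown names raise, so a typo in a spec is
    caught instead of silently leaving a cipher in its previous state.
    """
    enabled = set()
    for entry in (e.strip() for e in spec.split(",") if e.strip()):
        if entry[0] not in "+-":
            raise ValueError("cipher entry must start with + or -: %r" % entry)
        turn_on, name = entry[0] == "+", entry[1:].lower()
        if name == "all":
            targets = set(candidates)
        elif name in candidates:
            targets = {name}
        else:
            raise ValueError("unknown cipher name: %r" % name)
        if turn_on:
            enabled |= targets
        else:
            enabled -= targets
    return enabled


def weak_ciphers(enabled):
    """Map each enabled cipher in a weak family to the families it matches."""
    report = {}
    for cipher in sorted(enabled):
        hits = [fam for fam, rx in WEAK_PATTERNS.items() if rx.search(cipher)]
        if hits:
            report[cipher] = hits
    return report


def audit(spec):
    """Convenience wrapper: (enabled set, weak report) for one spec string."""
    enabled = parse_cipher_spec(spec)
    return enabled, weak_ciphers(enabled)


if __name__ == "__main__":
    for label, spec in (("dse.ldif nsSSL3Ciphers", DSE_SPEC),
                        ("nss.conf NSSCipherSuite", NSS_CONF_SPEC)):
        enabled, weak = audit(spec)
        print("%s: %d enabled, %d weak" % (label, len(enabled), len(weak)))
        for cipher, fams in weak.items():
            print("  %-24s %s" % (cipher, ", ".join(fams)))
```

Run against the two strings from the post, the `+all,-rsa_null_sha` form leaves every other candidate on (including `rsa_null_md5` and the export and RC4 suites), while the explicit deny-list in nss.conf leaves only `rsa_aes_256_sha`. The script only reasons about the spec string; whether the live LDAP, HTTP and PKI listeners actually negotiate those suites still has to be confirmed against the running server after restart, since each service reads its own configuration.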
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project