On Tue, 26 Apr 2016, Sean Hogan wrote:



Hello,

 We currently have 7 ipa servers in multi master running:

ipa-server-3.0.0-47.el6_7.1.x86_64
389-ds-base-1.2.11.15-68.el6_7.x86_64

Tenable is showing the use of weak ciphers along with freak
vulnerabilities.  I have followed
https://access.redhat.com/solutions/675183 however issues remain in the
ciphers being used.
$ git log --oneline 5f3c87e1380e56d76d4a4bef3af07633a8589891|head -1
5f3c87e Ticket #47838 - harden the list of ciphers available by default
$ git tag --contains 5f3c87e1380e56d76d4a4bef3af07633a8589891|head -1
389-ds-base-1.3.4.0

This means allowweakcipher feature is only in 389-ds-base >= 1.3.4.0.
This should explain your failures below.



I have also modified dse.ldif with the following from
http://freeipa-users.redhat.narkive.com/XGR9YzyN/weak-and-null-ciphers-detected-on-ldap-ports

With ipa stopped I modified dse with  below

odifyTimestamp: 20150420131906Z
nsSSL3Ciphers: +all,-rsa_null_sha
allowWeakCipher: off
numSubordinates: 1

I turn on ipa and get
Starting Directory Service
Starting dirsrv:
   PKI-IPA...[27/Apr/2016:01:23:21 -0400] - Entry
"cn=encryption,cn=config" -- attribute "allowweakcipher" not allowed

So I go back into the file and allowWeakCipher now shows allowweakcipher
(caps for W and C are now lower case)
attribute names are case-insensitive and normalized to a lower case.
Anyway, just don't use allowweakcipher in older 389-ds-base version.


nss.conf


# new config to stop using weak ciphers.
NSSCipherSuite
-rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,-fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_256_sha
  SSL Protocol:
#   Cryptographic protocols that provide communication security.
#   NSS handles the specified protocols as "ranges", and automatically
#   negotiates the use of the strongest protocol for a connection starting
#   with the maximum specified protocol and downgrading as necessary to the
#   minimum specified protocol that can be used between two processes.
#   Since all protocol ranges are completely inclusive, and no protocol in
the
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2


server.xml

              clientAuth="true"
              sslOptions="ssl2=off,ssl3=off,tls=true"

ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"

ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,-SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,-SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"

tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,-SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,-SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"





Is there a config for this version of IPA/DS somewhere that will pass
poodle, freak, null ciphers scanning or only allow strong ciphers?
FreeIPA 4.3.1 has default setup that gives A on these tests with SSL Labs.
https://www.ssllabs.com/ssltest/analyze.html?d=ipa.demo1.freeipa.org&hideResults=on

Follow https://fedorahosted.org/freeipa/ticket/5589 for Apache changes
and for the script to generate proper lists.
--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to