I ran the following:
nmap --script ssl-enum-ciphers -p 636 `hostname`

Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 12:48 EDT
Nmap scan report for bob
Host is up (0.000078s latency).
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
|     Ciphers (13)
|       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA256
|       TLS_RSA_WITH_AES_128_GCM_SHA256
|       TLS_RSA_WITH_AES_256_CBC_SHA256
|       TLS_RSA_WITH_RC4_128_MD5
|       TLS_RSA_WITH_RC4_128_SHA
|     Compressors (1)
|_      uncompressed

Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds

Tenable is barking about the following.. only listing 636 but the same
applies for 389

Plugin ID: 65821  Port 636

Synopsis: The remote service supports the use of the RC4 cipher.
The remote host supports the use of RC4 in one or more cipher
The RC4 cipher is flawed in its generation of a pseudo-random stream of
bytes so that a wide variety of small biases are introduced into
the stream, decreasing its randomness.

And 636 and 389 for

Plugin ID: 81606  port 389
Synopsis: The remote host supports a set of weak ciphers.
Description The remote host supports EXPORT_RSA cipher suites with keys
less than or equal to 512 bits. An attacker can factor a 512-bit RSA
modulus in a short amount of time.
A man-in-the middle attacker may be able to downgrade the session to use
EXPORT_RSA cipher suites (e.g. CVE-2015-0204). Thus, it is recommended to
remove support for weak cipher suites.

So I do see RC4 and the exports so I guess I can - those in the dse.ldif

From:   Sean Hogan/Durham/IBM
To:     Martin Kosek <mko...@redhat.com>
Cc:     freeipa-users <freeipa-users@redhat.com>
Date:   04/27/2016 09:33 AM
Subject:        Re: [Freeipa-users] IPA vulnerability management SSL

Hi Martin,

   Thanks for the response.  We are at RHEL 6.7... getting the hits on 389
and 636 so its the Directory server ports which I assume is dse.ldif.

Sean Hogan

From:   Martin Kosek <mko...@redhat.com>
To:     Sean Hogan/Durham/IBM@IBMUS, freeipa-users
Date:   04/27/2016 01:43 AM
Subject:        Re: [Freeipa-users] IPA vulnerability management SSL

On 04/27/2016 07:27 AM, Sean Hogan wrote:
> Hello,
> We currently have 7 ipa servers in multi master running:
> ipa-server-3.0.0-47.el6_7.1.x86_64
> 389-ds-base-
> Tenable is showing the use of weak ciphers along with freak
vulnerabilities. I
> have followed
> https://access.redhat.com/solutions/675183 however issues remain in the
> being used.

Can you show the full report, so that we can see what's wrong? What I am
looking for also is if the problem is LDAPS port or HTTPS port, so that we
not fixing wrong service.

DS ciphers were hardened in RHEL-6.x and RHEL-7.x already as part of this


Further hardening comes with FreeIPA 4.3.1+:

(it should appear in RHEL-7.3+)


Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to