On Wed, 27 Apr 2016, Sean Hogan wrote:
Hello Alexander I knew the below which is why I added my DS rpm version in the orig email which made sense to me but per 389 DS docs alloowweakcipher starts in 1.3.3.2 in case anyone else reads this. At least thats what the docs say but you may know something where it actually does not work til 1.3.4.0. I dunno http://directory.fedoraproject.org/docs/389ds/design/nss-cipher-design.html Additionally I want to clarify the comment 4.3.1 has this as default setup. Are you suggesting that IPA 3.0.47 for rhel6 is incapable of getting a stronger ssl config and that anyone who needs tighter cipher control needs to upgrade to IPA 4.3.1 and there OS to RHEL(centos, scientific) 7
All I said is that we fixed this particular issue to make sure defaults in 4.3.1 reflect current status quo on SSL ciphers. If you want to have a similar setup with 3.0.47, you are welcome to improve the configuration based on the effort we did for 4.3.1. Notice that I said nothing about incapability of either deployment to handle this, not sure where you were able to read that from. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project