Hi Martin,

  No joy on placing - in front of the RC4s


I modified my nss.conf to now read
# SSL 3 ciphers. SSL 2 is disabled by default.
NSSCipherSuite
+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha

#   SSL Protocol:
#   Cryptographic protocols that provide communication security.
#   NSS handles the specified protocols as "ranges", and automatically
#   negotiates the use of the strongest protocol for a connection starting
#   with the maximum specified protocol and downgrading as necessary to the
#   minimum specified protocol that can be used between two processes.
#   Since all protocol ranges are completely inclusive, and no protocol in the
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2

dse.ldif

dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20150420131850Z
modifyTimestamp: 20150420131906Z
nsSSL3Ciphers:
+all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4
 _56_sha,-tls_dhe_dss_1024_rc4_sha
numSubordinates: 1



But I still get this with nmap.. I thought the above would remove
-tls_rsa_export1024_with_rc4_56_sha but it is still showing.  Is it the fact
that I am not offering -tls_rsa_export1024_with_rc4_56_sha?  If so.. I am not
really understanding where it is coming from except the +all from DS, but the
- should be negating that?

Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 17:37 EDT
Nmap scan report for rtpvxl0077.watson.local (10.110.76.242)
Host is up (0.000086s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
|     Ciphers (13)
|       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|       SSL_RSA_FIPS_WITH_DES_CBC_SHA
|       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
|       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA256
|       TLS_RSA_WITH_AES_128_GCM_SHA256
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA256
|       TLS_RSA_WITH_DES_CBC_SHA
|       TLS_RSA_WITH_RC4_128_MD5
|       TLS_RSA_WITH_RC4_128_SHA
|     Compressors (1)
|_      uncompressed

Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds



It seems no matter what config I put into nss.conf or dse.ldif, nothing
changes with my nmap results.  Is there supposed to be a section to add TLS
ciphers instead of SSL?



Sean Hogan
From:   Sean Hogan/Durham/IBM
To:     Martin Kosek <mko...@redhat.com>
Cc:     freeipa-users <freeipa-users@redhat.com>
Date:   04/27/2016 09:59 AM
Subject:        Re: [Freeipa-users] IPA vulnerability management SSL




I ran the following:
nmap --script ssl-enum-ciphers -p 636 `hostname`

Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 12:48 EDT
Nmap scan report for bob
Host is up (0.000078s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
|     Ciphers (13)
|       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|       SSL_RSA_FIPS_WITH_DES_CBC_SHA
|       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
|       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA256
|       TLS_RSA_WITH_AES_128_GCM_SHA256
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA256
|       TLS_RSA_WITH_DES_CBC_SHA
|       TLS_RSA_WITH_RC4_128_MD5
|       TLS_RSA_WITH_RC4_128_SHA
|     Compressors (1)
|_      uncompressed

Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds


Tenable is barking about the following.. only listing 636 but the same
applies for 389

Plugin ID: 65821  Port 636

Synopsis: The remote service supports the use of the RC4 cipher.
Description
The remote host supports the use of RC4 in one or more cipher
suites.
The RC4 cipher is flawed in its generation of a pseudo-random stream of
bytes so that a wide variety of small biases are introduced into
the stream, decreasing its randomness.


And 636 and 389 for

Plugin ID: 81606  Port 389
Synopsis: The remote host supports a set of weak ciphers.
Description
The remote host supports EXPORT_RSA cipher suites with keys less than or
equal to 512 bits. An attacker can factor a 512-bit RSA modulus in a short
amount of time.
A man-in-the-middle attacker may be able to downgrade the session to use
EXPORT_RSA cipher suites (e.g. CVE-2015-0204). Thus, it is recommended to
remove support for weak cipher suites.


So I do see RC4 and the exports so I guess I can - those in the dse.ldif
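
An added example, not code from the thread or from 389-DS/FreeIPA: it parses the nmap ssl-enum-ciphers output quoted in these two messages and flags the suites behind the two Tenable findings (RC4, EXPORT) plus single DES and 3DES, so the effect of an nsSSL3Ciphers or NSSCipherSuite change can be checked by re-running the scan and diffing the result. The sample scan text is the page's own nmap 5.51 output, embedded as constructed input; the marker table and reason strings are my own.

```python
import re

# Constructed sample: the nmap 5.51 ssl-enum-ciphers output quoted in this thread (page data, not a live scan).
SAMPLE_SCAN = """\
| ssl-enum-ciphers:
|   TLSv1.2
|     Ciphers (13)
|       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|       SSL_RSA_FIPS_WITH_DES_CBC_SHA
|       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
|       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA256
|       TLS_RSA_WITH_AES_128_GCM_SHA256
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA256
|       TLS_RSA_WITH_DES_CBC_SHA
|       TLS_RSA_WITH_RC4_128_MD5
|       TLS_RSA_WITH_RC4_128_SHA
|     Compressors (1)
|_      uncompressed
"""

# Suite-name substring -> why it is flagged; RC4 and EXPORT are the two Tenable findings in the thread.
WEAK_MARKERS = {
    "_EXPORT": "export-grade RSA key, FREAK downgrade (Tenable plugin 81606)",
    "_RC4_": "RC4 keystream biases (Tenable plugin 65821)",
    "_DES_CBC_": "single DES, 56-bit key",
    "_3DES_": "3DES, 64-bit block size",
}
PROTO_RE = re.compile(r"^(SSLv\d|TLSv\d(?:\.\d)?)$")
SUITE_RE = re.compile(r"^(?:TLS|SSL)_[A-Z0-9_]+")

def parse_ciphers(scan_text):
    """Return {protocol: [suite, ...]} from nmap ssl-enum-ciphers output."""
    result, suites = {}, None
    for raw in scan_text.splitlines():
        line = raw.lstrip("|_ ").strip()  # drop nmap's "| " and "|_ " prefixes
        if PROTO_RE.match(line):
            suites = result.setdefault(line, [])  # start a new protocol block
        elif suites is not None and SUITE_RE.match(line):
            suites.append(SUITE_RE.match(line).group(0))  # also works for newer "TLS_... (rsa 2048) - A" lines
    return result

def weak_suites(ciphers_by_proto):
    """[(protocol, suite, [reason, ...])] for each suite that matches a WEAK_MARKERS key."""
    return [(p, s, [why for m, why in WEAK_MARKERS.items() if m in s])
            for p, suites in ciphers_by_proto.items() for s in suites
            if any(m in s for m in WEAK_MARKERS)]
```

Feed it the output of `nmap --script ssl-enum-ciphers -p 636 <host>` before and after a cipher change; an empty result for the RC4 and EXPORT markers is what the two Tenable plugins want to see.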





From:   Sean Hogan/Durham/IBM
To:     Martin Kosek <mko...@redhat.com>
Cc:     freeipa-users <freeipa-users@redhat.com>
Date:   04/27/2016 09:33 AM
Subject:        Re: [Freeipa-users] IPA vulnerability management SSL


Hi Martin,


   Thanks for the response.  We are at RHEL 6.7... getting the hits on 389
and 636, so it's the Directory Server ports, which I assume is dse.ldif.



Sean Hogan
From:   Martin Kosek <mko...@redhat.com>
To:     Sean Hogan/Durham/IBM@IBMUS, freeipa-users
            <freeipa-users@redhat.com>
Date:   04/27/2016 01:43 AM
Subject:        Re: [Freeipa-users] IPA vulnerability management SSL



On 04/27/2016 07:27 AM, Sean Hogan wrote:
> Hello,
>
> We currently have 7 ipa servers in multi master running:
>
> ipa-server-3.0.0-47.el6_7.1.x86_64
> 389-ds-base-1.2.11.15-68.el6_7.x86_64
>
> Tenable is showing the use of weak ciphers along with freak
> vulnerabilities. I have followed
> https://access.redhat.com/solutions/675183 however issues remain in the
> ciphers being used.

Can you show the full report, so that we can see what's wrong? What I am
also looking for is whether the problem is the LDAPS port or the HTTPS port,
so that we are not fixing the wrong service.

DS ciphers were hardened in RHEL-6.x and RHEL-7.x already as part of this
bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1154687

Further hardening comes with FreeIPA 4.3.1+:
https://fedorahosted.org/freeipa/ticket/5684
https://fedorahosted.org/freeipa/ticket/5589

(it should appear in RHEL-7.3+)

Martin
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project