On 04/28/2016 01:23 AM, Sean Hogan wrote:
> Hi Martin,
>
> No joy on placing - in front of the RC4s
>
> I modified my nss.conf to now read
>
> # SSL 3 ciphers. SSL 2 is disabled by default.
> NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha
>
> # SSL Protocol:
> # Cryptographic protocols that provide communication security.
> # NSS handles the specified protocols as "ranges", and automatically
> # negotiates the use of the strongest protocol for a connection starting
> # with the maximum specified protocol and downgrading as necessary to the
> # minimum specified protocol that can be used between two processes.
> # Since all protocol ranges are completely inclusive, and no protocol in the
> NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
>
> dse.ldif
>
> dn: cn=encryption,cn=config
> objectClass: top
> objectClass: nsEncryptionConfig
> cn: encryption
> nsSSLSessionTimeout: 0
> nsSSLClientAuth: allowed
> nsSSL2: off
> nsSSL3: off
> creatorsName: cn=server,cn=plugins,cn=config
> modifiersName: cn=directory manager
> createTimestamp: 20150420131850Z
> modifyTimestamp: 20150420131906Z
> nsSSL3Ciphers: +all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4
>  _56_sha,-tls_dhe_dss_1024_rc4_sha
> numSubordinates: 1
>
> But I still get this with nmap.. I thought the above would remove
> -tls_rsa_export1024_with_rc4_56_sha but still showing. Is it the fact that I
> am not offering -tls_rsa_export1024_with_rc4_56_sha? If so.. not really
> understanding where it is coming from cept the +all from DS but the - should
> be negating that?
>
> Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 17:37 EDT
> Nmap scan report for rtpvxl0077.watson.local (10.110.76.242)
> Host is up (0.000086s latency).
> PORT    STATE SERVICE
> 636/tcp open  ldapssl
> | ssl-enum-ciphers:
> |   TLSv1.2
> |     Ciphers (13)
> |       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
> |       SSL_RSA_FIPS_WITH_DES_CBC_SHA
> |       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
> |       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
> |       TLS_RSA_WITH_3DES_EDE_CBC_SHA
> |       TLS_RSA_WITH_AES_128_CBC_SHA
> |       TLS_RSA_WITH_AES_128_CBC_SHA256
> |       TLS_RSA_WITH_AES_128_GCM_SHA256
> |       TLS_RSA_WITH_AES_256_CBC_SHA
> |       TLS_RSA_WITH_AES_256_CBC_SHA256
> |       TLS_RSA_WITH_DES_CBC_SHA
> |       TLS_RSA_WITH_RC4_128_MD5
> |       TLS_RSA_WITH_RC4_128_SHA
> |     Compressors (1)
> |_      uncompressed
>
> Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
>
> It seems no matter what config I put into nss.conf or dse.ldif nothing changes
> with my nmap results. Is there supposed to be a section to add TLS ciphers
> instead of SSL?
Not sure now, CCing Ludwig who was involved in the original RHEL-6
implementation.

Just to be sure, when you are modifying dse.ldif, the procedure should always
be the following:

1) Stop Directory Server service
2) Modify dse.ldif
3) Start Directory Server service

Otherwise it won't get applied and will get overwritten later.

In any case, the ciphers with RHEL-6 should be secure enough, the ones in
FreeIPA 4.3.1 should be even better. This is for example an nmap taken on
FreeIPA Demo instance that runs on FreeIPA 4.3.1:

$ nmap --script ssl-enum-ciphers -p 636 ipa.demo1.freeipa.org

Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-28 12:02 CEST
Nmap scan report for ipa.demo1.freeipa.org (209.132.178.99)
Host is up (0.18s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 21.12 seconds

Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
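Added example (editor's code, not part of the thread or of FreeIPA/389 DS): the thread verifies the effect of a cipher change by re-running nmap's ssl-enum-ciphers script and eyeballing the list. The script below automates that check. It parses both output layouts seen above (Nmap 5.51 with "Ciphers (N)", Nmap 7.x with "ciphers:" and a grade after a dash) into a per-protocol cipher list and flags suites that a defender would not want on a 636/tcp listener. The weak-suite markers are my own audit rule set, not Nmap's grading; the sample inputs are constructed, trimmed from the outputs quoted in the thread.

```python
import re
from collections import OrderedDict

# Constructed sample: trimmed from the Nmap 5.51 output quoted in the thread.
SAMPLE_OLD = """\
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
|     Ciphers (13)
|       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|       TLS_RSA_WITH_AES_128_GCM_SHA256
|       TLS_RSA_WITH_DES_CBC_SHA
|       TLS_RSA_WITH_RC4_128_MD5
|     Compressors (1)
|_      uncompressed
"""

# Constructed sample in the Nmap 7.x layout (key exchange and grade after the suite).
SAMPLE_NEW = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
"""

# A protocol header line: "|   TLSv1.2" (5.x) or "|   TLSv1.2:" (7.x).
PROTO_RE = re.compile(r"^\|[\s_]*(SSLv[23]|TLSv1(?:\.[0-3])?):?\s*$")
# A suite name anywhere on a line; trailing "(secp256r1) - A" is ignored.
CIPHER_RE = re.compile(r"\b((?:TLS|SSL)_[A-Z0-9_]+)")

# Substrings that mark a suite as unwanted on a directory listener.
# Assumption: this is my own audit rule set (RC4, single/triple DES,
# export-grade, NULL, MD5, anonymous), not the grading Nmap prints.
WEAK_MARKERS = ("RC4", "_DES_", "3DES", "EXPORT", "NULL", "MD5", "ANON")


def parse_enum_ciphers(text):
    """Return {protocol: [cipher, ...]} from ssl-enum-ciphers script output."""
    result = OrderedDict()
    current = None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, [])
            continue
        m = CIPHER_RE.search(line)
        if m and current is not None:
            result[current].append(m.group(1))
    return result


def is_weak(cipher):
    """True if the suite name carries any of the weak markers."""
    return any(marker in cipher for marker in WEAK_MARKERS)


def weak_ciphers(text):
    """Return {protocol: [weak suite, ...]} keeping only offending suites."""
    return {proto: [c for c in ciphers if is_weak(c)]
            for proto, ciphers in parse_enum_ciphers(text).items()}


def passes_audit(text):
    """True when no protocol offers a weak suite (the post-change target state)."""
    return not any(weak_ciphers(text).values())


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_OLD), ("after", SAMPLE_NEW)):
        print(label, "->", "PASS" if passes_audit(sample) else "FAIL")
        for proto, bad in weak_ciphers(sample).items():
            for suite in bad:
                print("  ", proto, suite)
```

Feed it a saved scan (nmap --script ssl-enum-ciphers -p 636 host > scan.txt) after each stop/edit/start cycle; if the "before" set of weak suites is still printed after the restart, the edit did not take effect, which is the situation described in the thread.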