Hey guys.. yes I so want to upgrade to 4.x, however it is not in my control right now and I cannot really discuss it. I see us stuck at 3.x for a while.
Sean Hogan

From: Sean Hogan/Durham/IBM
To: Ludwig Krispenz <lkris...@redhat.com>
Cc: email@example.com, Noriko Hosoi <nho...@redhat.com>
Date: 04/28/2016 08:20 AM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL

Yes sir.. I am stopping DS with ipactl stop before making changes.. I often times have to really play with the ciphers cause many times when I restart DS I get "unknown cipher" and IPA fails to start. Go back into dse.ldif and modify til it comes back up.

Sean Hogan

From: Ludwig Krispenz <lkris...@redhat.com>
To: firstname.lastname@example.org, Noriko Hosoi <nho...@redhat.com>
Date: 04/28/2016 04:46 AM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL
Sent by: freeipa-users-boun...@redhat.com

wanted to add Noriko, but hit send too quickly

On 04/28/2016 01:26 PM, Ludwig Krispenz wrote:
>
> On 04/28/2016 12:06 PM, Martin Kosek wrote:
>> On 04/28/2016 01:23 AM, Sean Hogan wrote:
>>> Hi Martin,
>>>
>>> No joy on placing - in front of the RC4s
>>>
>>> I modified my nss.conf to now read
>>>
>>> # SSL 3 ciphers. SSL 2 is disabled by default.
>>> NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha
>>>
>>> # SSL Protocol:
>>> # Cryptographic protocols that provide communication security.
>>> # NSS handles the specified protocols as "ranges", and automatically
>>> # negotiates the use of the strongest protocol for a connection starting
>>> # with the maximum specified protocol and downgrading as necessary to the
>>> # minimum specified protocol that can be used between two processes.
>>> # Since all protocol ranges are completely inclusive, and no protocol in the
>>> NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
>>>
>>> dse.ldif
>>>
>>> dn: cn=encryption,cn=config
>>> objectClass: top
>>> objectClass: nsEncryptionConfig
>>> cn: encryption
>>> nsSSLSessionTimeout: 0
>>> nsSSLClientAuth: allowed
>>> nsSSL2: off
>>> nsSSL3: off
>>> creatorsName: cn=server,cn=plugins,cn=config
>>> modifiersName: cn=directory manager
>>> createTimestamp: 20150420131850Z
>>> modifyTimestamp: 20150420131906Z
>>> nsSSL3Ciphers: +all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha
>>> numSubordinates: 1
>>>
>>> But I still get this with nmap.. I thought the above would remove
>>> -tls_rsa_export1024_with_rc4_56_sha but it is still showing. Is it the
>>> fact that I am not offering -tls_rsa_export1024_with_rc4_56_sha? If so..
>>> not really understanding where it is coming from cept the +all from DS,
>>> but the - should be negating that?
>>>
>>> Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 17:37 EDT
>>> Nmap scan report for rtpvxl0077.watson.local (10.110.76.242)
>>> Host is up (0.000086s latency).
>>> PORT    STATE SERVICE
>>> 636/tcp open  ldapssl
>>> | ssl-enum-ciphers:
>>> |   TLSv1.2
>>> |     Ciphers (13)
>>> |       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
>>> |       SSL_RSA_FIPS_WITH_DES_CBC_SHA
>>> |       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
>>> |       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
>>> |       TLS_RSA_WITH_3DES_EDE_CBC_SHA
>>> |       TLS_RSA_WITH_AES_128_CBC_SHA
>>> |       TLS_RSA_WITH_AES_128_CBC_SHA256
>>> |       TLS_RSA_WITH_AES_128_GCM_SHA256
>>> |       TLS_RSA_WITH_AES_256_CBC_SHA
>>> |       TLS_RSA_WITH_AES_256_CBC_SHA256
>>> |       TLS_RSA_WITH_DES_CBC_SHA
>>> |       TLS_RSA_WITH_RC4_128_MD5
>>> |       TLS_RSA_WITH_RC4_128_SHA
>>> |     Compressors (1)
>>> |_      uncompressed
>>>
>>> Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
>>>
>>> It seems no matter what config I put into nss.conf or dse.ldif nothing
>>> changes with my nmap results. Is there supposed to be a section to add
>>> TLS ciphers instead of SSL?
>> Not sure now, CCing Ludwig who was involved in the original RHEL-6
>> implementation.
> If I remember correctly we did the change in default ciphers and the
> option for handling in 389-ds > 1.3.3, so it would not be in RHEL6,
> adding Noriko to get confirmation.
>
> but the below comments about changing ciphers in dse.ldif could help
> in using the "old" way to set ciphers
>> Just to be sure, when you are modifying dse.ldif, the procedure
>> should always be the following:
>>
>> 1) Stop Directory Server service
>> 2) Modify dse.ldif
>> 3) Start Directory Server service
>>
>> Otherwise it won't get applied and will get overwritten later.
>>
>> In any case, the ciphers with RHEL-6 should be secure enough, the ones in
>> FreeIPA 4.3.1 should be even better. This is for example an nmap taken on
>> the FreeIPA Demo instance that runs on FreeIPA 4.3.1:
>>
>> $ nmap --script ssl-enum-ciphers -p 636 ipa.demo1.freeipa.org
>>
>> Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-28 12:02 CEST
>> Nmap scan report for ipa.demo1.freeipa.org (18.104.22.168)
>> Host is up (0.18s latency).
>> PORT    STATE SERVICE
>> 636/tcp open  ldapssl
>> | ssl-enum-ciphers:
>> |   TLSv1.2:
>> |     ciphers:
>> |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
>> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
>> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
>> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
>> |       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
>> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
>> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
>> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
>> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
>> |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
>> |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
>> |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
>> |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
>> |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
>> |     compressors:
>> |       NULL
>> |     cipher preference: server
>> |_  least strength: A
>>
>> Nmap done: 1 IP address (1 host up) scanned in 21.12 seconds
>>
>> Martin
>

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
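An added verification helper, not from the thread and not part of FreeIPA or 389-ds: it pulls the cipher suite names out of nmap's ssl-enum-ciphers output in both the Nmap 5.51 and Nmap 7.x layouts quoted above and flags the suites a vulnerability scan would object to (RC4, export-grade, DES/3DES, MD5, NULL), so a dse.ldif or nss.conf change can be checked against a rescan instead of by eye. The two scan excerpts are constructed from the outputs quoted in the thread.

```python
import re

# Constructed excerpt of the RHEL-6 scan (Nmap 5.51 layout) quoted in the thread.
OLD_SCAN = """\
| ssl-enum-ciphers:
|   TLSv1.2
|     Ciphers (13)
|       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|       SSL_RSA_FIPS_WITH_DES_CBC_SHA
|       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
|       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_RC4_128_MD5
|       TLS_RSA_WITH_RC4_128_SHA
|     Compressors (1)
|_      uncompressed
"""

# Constructed excerpt of the FreeIPA 4.3.1 demo scan (Nmap 7.x layout, with grades).
NEW_SCAN = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|     compressors:
|       NULL
|_  least strength: A
"""

# A cipher line is "|" + whitespace + an IANA-style suite name (TLS_... or SSL_...).
CIPHER_RE = re.compile(r"^\|\s+((?:TLS|SSL)_[A-Z0-9_]+)")

# Substring of the suite name -> reason the suite is flagged.
WEAK = {
    "EXPORT": "export-grade key size",
    "RC4": "RC4 stream cipher",
    "_DES_": "single DES (56-bit)",
    "3DES": "3DES (64-bit block)",
    "NULL": "no encryption",
    "MD5": "MD5 MAC",
    "ANON": "anonymous key exchange",
}

def parse_ciphers(scan_text):
    """Return the suite names offered, in scan order; works for both layouts."""
    names = []
    for line in scan_text.splitlines():
        m = CIPHER_RE.match(line)
        if m:
            names.append(m.group(1))
    return names

def weak_ciphers(scan_text):
    """Map each flagged suite to the list of reasons it is flagged."""
    flagged = {}
    for name in parse_ciphers(scan_text):
        reasons = [why for token, why in WEAK.items() if token in name]
        if reasons:
            flagged[name] = reasons
    return flagged
```

Run it on the saved output of `nmap --script ssl-enum-ciphers -p 636 <host>` before and after a restart; an empty result from weak_ciphers() is the condition to aim for.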