Sean Hogan wrote:
Thanks Rob... appreciate the help.. can you send me what you have in
nss.conf, server.xml as well? If I start off playing with something you
see working without issue then maybe I can come up with something or am
I wrong thinking those might affect anything?


The only config that matters in this case is in dse.ldif because you are only testing port 636 and this is what drives it.

My config is:

dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20150102143402Z
modifyTimestamp: 20150102143427Z
nsSSL3Ciphers: -rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5

,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_

sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_r
 c4_56_sha,-tls_rsa_export1024_with_des_cbc_sha
numSubordinates: 1

What did was:

# service dirsrv stop EXAMPLE-COM
# vi /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif
# service dirsrv start EXAMPLE-COM
# nmap ...

rob






Inactive hide details for Rob Crittenden ---04/29/2016 01:36:02
PM---Sean Hogan wrote: > Apparently making it the master ca wilRob
Crittenden ---04/29/2016 01:36:02 PM---Sean Hogan wrote: > Apparently
making it the master ca will not work at this point since the

From: Rob Crittenden <rcrit...@redhat.com>
To: Sean Hogan/Durham/IBM@IBMUS
Cc: freeipa-users@redhat.com, Noriko Hosoi <nho...@redhat.com>
Date: 04/29/2016 01:36 PM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL

------------------------------------------------------------------------



Sean Hogan wrote:
 > Apparently making it the master ca will not work at this point since the
 > replica is removed. So still stuck with non-changing ciphers.

Other services running on the box have zero impact on the ciphers available.

I'm not sure what is wrong because it took me just a minute to stop
dirsrv, modify dse.ldif with the list I provided, restart it and confirm
that the cipher list was better.

Entries in cn=config are not replicated.

rob

 >
 >
 > Sean Hogan
 >
 >
 >
 >
 >
 > Inactive hide details for Sean Hogan---04/29/2016 08:56:57 AM---Hi Rob,
 > I stopped IPA, modified dse.ldif, restarted with the Sean
 > Hogan---04/29/2016 08:56:57 AM---Hi Rob, I stopped IPA, modified
 > dse.ldif, restarted with the cipher list and it started without is
 >
 > From: Sean Hogan/Durham/IBM
 > To: Rob Crittenden <rcrit...@redhat.com>
 > Cc: freeipa-users@redhat.com, Noriko Hosoi <nho...@redhat.com>
 > Date: 04/29/2016 08:56 AM
 > Subject: Re: [Freeipa-users] IPA vulnerability management SSL
 >
 > ------------------------------------------------------------------------
 >
 >
 > Hi Rob,
 >
 > I stopped IPA, modified dse.ldif, restarted with the cipher list and it
 > started without issue however Same 13 ciphers. You know.. thinking about
 > this now.. I going to try something. The box I am testing on it a
 > replica master and not the first replica. I did not think this would
 > make a difference since I removed the replica from the realm before
 > testing but maybe it will not change anything thinking its stuck in the
 > old realm?
 >
 > Starting Nmap 5.51 ( http://nmap.org <http://nmap.org/> ) at 2016-04-29
 > 11:51 EDT
 > Nmap scan report for
 > Host is up (0.000082s latency).
 > PORT STATE SERVICE
 > 636/tcp open ldapssl
 > | ssl-enum-ciphers:
 > | TLSv1.2
 > | Ciphers (13)
 > | SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
 > | SSL_RSA_FIPS_WITH_DES_CBC_SHA
 > | TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
 > | TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
 > | TLS_RSA_WITH_3DES_EDE_CBC_SHA
 > | TLS_RSA_WITH_AES_128_CBC_SHA
 > | TLS_RSA_WITH_AES_128_CBC_SHA256
 > | TLS_RSA_WITH_AES_128_GCM_SHA256
 > | TLS_RSA_WITH_AES_256_CBC_SHA
 > | TLS_RSA_WITH_AES_256_CBC_SHA256
 > | TLS_RSA_WITH_DES_CBC_SHA
 > | TLS_RSA_WITH_RC4_128_MD5
 > | TLS_RSA_WITH_RC4_128_SHA
 > | Compressors (1)
 >
 > dn: cn=encryption,cn=config
 > objectClass: top
 > objectClass: nsEncryptionConfig
 > cn: encryption
 > nsSSLSessionTimeout: 0
 > nsSSLClientAuth: allowed
 > nsSSL2: off
 > nsSSL3: off
 > creatorsName: cn=server,cn=plugins,cn=config
 > modifiersName: cn=directory manager
 > createTimestamp: 20150420131850Z
 > modifyTimestamp: 20150420131906Z
 > nsSSL3Ciphers:
 > -rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5
 >
,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_
 >
sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_r
 > c4_56_sha,-tls_rsa_export1024_with_des_cbc_sha
 > numSubordinates: 1
 >
 >
 >
 >
 >
 > Sean Hogan
 > Security Engineer
 > Watson Security & Risk Assurance
 > Watson Cloud Technology and Support
 > email: scho...@us.ibm.com | Tel 919 486 1397
 >
 >
 >
 >
 >
 >
 >
 > Inactive hide details for Rob Crittenden ---04/29/2016 08:30:29
 > AM---Sean Hogan wrote: > Hi Noriko,Rob Crittenden ---04/29/2016 08:30:29
 > AM---Sean Hogan wrote: > Hi Noriko,
 >
 > From: Rob Crittenden <rcrit...@redhat.com>
 > To: Sean Hogan/Durham/IBM@IBMUS, Noriko Hosoi <nho...@redhat.com>
 > Cc: freeipa-users@redhat.com
 > Date: 04/29/2016 08:30 AM
 > Subject: Re: [Freeipa-users] IPA vulnerability management SSL
 > ------------------------------------------------------------------------
 >
 >
 >
 > Sean Hogan wrote:
 >  > Hi Noriko,
 >  >
 >  > Thanks for the suggestions,
 >  >
 >  > I had to trim out the GCM ciphers in order to get IPA to start back up
 >  > or I would get the unknown cipher message
 >
 > The trick is getting the cipher name right (it doesn't always follow a
 > pattern) and explicitly disabling some ciphers as they are enabled by
 > default.
 >
 > Try this string:
 >
 >
-rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha
 >
 > I have an oldish install but I think it will still do what you need:
 > 389-ds-base-1.2.11.15-68.el6_7.x86_64
 >
 > Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-29 11:24 EDT
 > Nmap scan report for pacer.example.com (192.168.126.2)
 > Host is up (0.00053s latency).
 > PORT    STATE SERVICE
 > 636/tcp open  ldapssl
 > | ssl-enum-ciphers:
 > |   TLSv1.2:
 > |     ciphers:
 > |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
 > |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
 > |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
 > |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
 > |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
 > |       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
 > |       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
 > |     compressors:
 > |       NULL
 > |     cipher preference: server
 > |_  least strength: C
 >
 > Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds
 >
 > $ sslscan pacer.example.com:636 |grep Accept
 >      Accepted  TLSv1  256 bits  AES256-SHA
 >      Accepted  TLSv1  128 bits  AES128-SHA
 >      Accepted  TLSv1  112 bits  DES-CBC3-SHA
 >      Accepted  TLS11  256 bits  AES256-SHA
 >      Accepted  TLS11  128 bits  AES128-SHA
 >      Accepted  TLS11  112 bits  DES-CBC3-SHA
 >      Accepted  TLS12  256 bits  AES256-SHA256
 >      Accepted  TLS12  256 bits  AES256-SHA
 >      Accepted  TLS12  128 bits  AES128-GCM-SHA256
 >      Accepted  TLS12  128 bits  AES128-SHA256
 >      Accepted  TLS12  128 bits  AES128-SHA
 >      Accepted  TLS12  112 bits  DES-CBC3-SHA
 >
 > rob
 >
 >  >
 >  > Nmap is still showing the same 13 ciphers as before though like
nothing
 >  > had changed and I did ipactl stop, made modification, ipactl start
 >  >
 >  > tarting Nmap 5.51 ( http://nmap.org <http://nmap.org/> ) at 2016-04-28
 >  > 18:44 EDT
 >  > Nmap scan report for
 >  > Host is up (0.000053s latency).
 >  > PORT STATE SERVICE
 >  > 636/tcp open ldapssl
 >  > | ssl-enum-ciphers:
 >  > | TLSv1.2
 >  > | Ciphers (13)
 >  > | SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
 >  > | SSL_RSA_FIPS_WITH_DES_CBC_SHA
 >  > | TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
 >  > | TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
 >  > | TLS_RSA_WITH_3DES_EDE_CBC_SHA
 >  > | TLS_RSA_WITH_AES_128_CBC_SHA
 >  > | TLS_RSA_WITH_AES_128_CBC_SHA256
 >  > | TLS_RSA_WITH_AES_128_GCM_SHA256
 >  > | TLS_RSA_WITH_AES_256_CBC_SHA
 >  > | TLS_RSA_WITH_AES_256_CBC_SHA256
 >  > | TLS_RSA_WITH_DES_CBC_SHA
 >  > | TLS_RSA_WITH_RC4_128_MD5
 >  > | TLS_RSA_WITH_RC4_128_SHA
 >  > | Compressors (1)
 >  > |_ uncompressed
 >  >
 >  > Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds
 >  >
 >  > Current Config:
 >  >
 >  > dse.ldif
 >  > dn: cn=encryption,cn=config
 >  > objectClass: top
 >  > objectClass: nsEncryptionConfig
 >  > cn: encryption
 >  > nsSSLSessionTimeout: 0
 >  > nsSSLClientAuth: allowed
 >  > nsSSL2: off
 >  > nsSSL3: off
 >  > creatorsName: cn=server,cn=plugins,cn=config
 >  > modifiersName: cn=directory manager
 >  > createTimestamp: 20150420131850Z
 >  > modifyTimestamp: 20150420131906Z
 >  > nsSSL3Ciphers:
 >  > -rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_
 >  >
 >
rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,+tls_rsa_aes_128_sha
 >  >
 >
,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_
 >  > aes_256_sha,+rsa_aes_256_sha
 >  > numSubordinates: 1
 >  >
 >  >
 >  > nss.conf
 >  > # SSL 3 ciphers. SSL 2 is disabled by default.
 >  > NSSCipherSuite
 >  >
 >
-rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,+tls_rsa_aes_128_gcm_sha,+tls_dhe_rsa_aes_128_gcm_sha,+tls_dhe_dss_aes_128_gcm_sha
 >  >
 >  > NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
 >  >
 >  >
 >  > Does nss.conf have anything to do with the dir srv ciphers? I know the
 >  > 389 docs says they are tied together so the way I have been looking at
 >  > it is nss.conf lists the allowed ciphers where dse.ldif lists
which ones
 >  > to use for 389 from nss.conf. Is that correct? Is there any other
place
 >  > where ciphers would be ignored?
 >  >
 >  > nss-3.19.1-8.el6_7.x86_64
 >  > sssd-ipa-1.12.4-47.el6_7.4.x86_64
 >  > ipa-client-3.0.0-47.el6_7.1.x86_64
 >  > ipa-server-selinux-3.0.0-47.el6_7.1.x86_64
 >  > ipa-pki-common-theme-9.0.3-7.el6.noarch
 >  > ipa-python-3.0.0-47.el6_7.1.x86_64
 >  > ipa-server-3.0.0-47.el6_7.1.x86_64
 >  > libipa_hbac-python-1.12.4-47.el6_7.4.x86_64
 >  > ipa-admintools-3.0.0-47.el6_7.1.x86_64
 >  > ipa-pki-ca-theme-9.0.3-7.el6.noarch
 >  > 389-ds-base-1.2.11.15-68.el6_7.x86_64
 >  > 389-ds-base-libs-1.2.11.15-68.el6_7.x86_64
 >  >
 >  >
 >  > I need to get rid of any rc4s
 >  >
 >  > Sean Hogan
 >  > Security Engineer
 >  > Watson Security & Risk Assurance
 >  > Watson Cloud Technology and Support
 >  > email: scho...@us.ibm.com | Tel 919 486 1397
 >  >
 >  >
 >  >
 >  >
 >  >
 >  >
 >  > Inactive hide details for Noriko Hosoi ---04/28/2016 12:08:59
PM---Thank
 >  > you for including me in the loop, Ludwig. On 04/28/201Noriko Hosoi
 >  > ---04/28/2016 12:08:59 PM---Thank you for including me in the loop,
 >  > Ludwig. On 04/28/2016 04:34 AM, Ludwig Krispenz wrote:
 >  >
 >  > From: Noriko Hosoi <nho...@redhat.com>
 >  > To: Ludwig Krispenz <lkris...@redhat.com>, freeipa-users@redhat.com
 >  > Date: 04/28/2016 12:08 PM
 >  > Subject: Re: [Freeipa-users] IPA vulnerability management SSL
 >  > Sent by: freeipa-users-boun...@redhat.com
 >  >
 >  >
------------------------------------------------------------------------
 >  >
 >  >
 >  >
 >  > Thank you for including me in the loop, Ludwig.
 >  >
 >  > On 04/28/2016 04:34 AM, Ludwig Krispenz wrote:
 >  >  > If I remember correctly we did the change in default ciphers
and the
 >  > option for handling in 389-ds > 1.3.3, so it would not be in RHEL6,
 >  > adding Noriko to get confirmation.
 >  >
 >  > Ludwig is right.  The way how to set nsSSL3Ciphers has been changed
 >  > since 1.3.3 which is available on RHEL-7.
 >  >
 >  > This is one of the newly supported values of nsSSL3Ciphers:
 >  >
 >  >         Notes: if the value contains +all, then *-<cipher>*is removed
 >  >         from the list._
 >  >
 >
__http://www.port389.org/docs/389ds/design/nss-cipher-design.html#available-by-setting-all----nss-3162-1_
 >  >
 >  > On the older 389-ds-base including 389-ds-base-1.2.11.X on
RHEL-6.X, if
 >  > "+all" is found in the value, all the available ciphers are enabled.
 >  >
 >  > To workaround it, could you try explicitely setting ciphers as
follows?
 >  > nsSSL3Ciphers:
 >  >
 >
-rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,
 >  >
 >
+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,
 >  >
 >
+tls_rsa_aes_128_gcm_sha,+tls_dhe_rsa_aes_128_gcm_sha,+tls_dhe_dss_aes_128_gcm_sha
 >  >
 >  > Thanks,
 >  > --noriko
 >  >
 >  > On 04/28/2016 04:34 AM, Ludwig Krispenz wrote:
 >  >
 >  >         wanted to add Noriko, but hit send to quickly
 >  >
 >  >         On 04/28/2016 01:26 PM, Ludwig Krispenz wrote:
 >  >
 >  >                 On 04/28/2016 12:06 PM, Martin Kosek wrote:
 >  >                         On 04/28/2016 01:23 AM, Sean Hogan wrote:
 >  >                                 Hi Martin,
 >  >
 >  >                                 No joy on placing - in front of
the RC4s
 >  >
 >  >
 >  >                                 I modified my nss.conf to now read
 >  >                                 # SSL 3 ciphers. SSL 2 is disabled by
 >  >                                 default.
 >  >                                 NSSCipherSuite
 >  >
 >
+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha
 >  >
 >  >
 >  >                                 # SSL Protocol:
 >  >                                 # Cryptographic protocols that provide
 >  >                                 communication security.
 >  >                                 # NSS handles the specified
protocols as
 >  >                                 "ranges", and automatically
 >  >                                 # negotiates the use of the strongest
 >  >                                 protocol for a connection starting
 >  >                                 # with the maximum specified protocol
 >  >                                 and downgrading as necessary to the
 >  >                                 # minimum specified protocol that
can be
 >  >                                 used between two processes.
 >  >                                 # Since all protocol ranges are
 >  >                                 completely inclusive, and no
protocol in
 >  >                                 the
 >  >                                 NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
 >  >
 >  >                                 dse.ldif
 >  >
 >  >                                 dn: cn=encryption,cn=config
 >  >                                 objectClass: top
 >  >                                 objectClass: nsEncryptionConfig
 >  >                                 cn: encryption
 >  >                                 nsSSLSessionTimeout: 0
 >  >                                 nsSSLClientAuth: allowed
 >  >                                 nsSSL2: off
 >  >                                 nsSSL3: off
 >  >                                 creatorsName:
 >  >                                 cn=server,cn=plugins,cn=config
 >  >                                 modifiersName: cn=directory manager
 >  >                                 createTimestamp: 20150420131850Z
 >  >                                 modifyTimestamp: 20150420131906Z
 >  >                                 nsSSL3Ciphers:
 >  >
 > +all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4
 >  >
 >  >                                 _56_sha,-tls_dhe_dss_1024_rc4_sha
 >  >                                 numSubordinates: 1
 >  >
 >  >
 >  >
 >  >                                 But I still get this with nmap.. I
 >  >                                 thought the above would remove
 >  >
-tls_rsa_export1024_with_rc4_56_sha but
 >  >                                 still showing. Is it the fact that I
 > am not
 >  >                                 offering
 >  >
-tls_rsa_export1024_with_rc4_56_sha? If
 >  >                                 so.. not really understanding
 >  >                                 where it is coming from cept the +all
 >  >                                 from DS but the - should be negating
 > that?
 >  >
 >  >                                 Starting Nmap 5.51 ( _http://nmap.org_
 >  >                                 <http://nmap.org/>_<http://nmap.org/>_
 >  >                                 <http://nmap.org/>) at 2016-04-27
 > 17:37 EDT
 >  >                                 Nmap scan report for
 >  >                                 Host is up (0.000086s latency).
 >  >                                 PORT STATE SERVICE
 >  >                                 636/tcp open ldapssl
 >  >                                 | ssl-enum-ciphers:
 >  >                                 | TLSv1.2
 >  >                                 | Ciphers (13)
 >  >                                 | SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
 >  >                                 | SSL_RSA_FIPS_WITH_DES_CBC_SHA
 >  >                                 | TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
 >  >                                 | TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
 >  >                                 | TLS_RSA_WITH_3DES_EDE_CBC_SHA
 >  >                                 | TLS_RSA_WITH_AES_128_CBC_SHA
 >  >                                 | TLS_RSA_WITH_AES_128_CBC_SHA256
 >  >                                 | TLS_RSA_WITH_AES_128_GCM_SHA256
 >  >                                 | TLS_RSA_WITH_AES_256_CBC_SHA
 >  >                                 | TLS_RSA_WITH_AES_256_CBC_SHA256
 >  >                                 | TLS_RSA_WITH_DES_CBC_SHA
 >  >                                 | TLS_RSA_WITH_RC4_128_MD5
 >  >                                 | TLS_RSA_WITH_RC4_128_SHA
 >  >                                 | Compressors (1)
 >  >                                 |_ uncompressed
 >  >
 >  >                                 Nmap done: 1 IP address (1 host up)
 >  >                                 scanned in 0.32 seconds
 >  >
 >  >
 >  >
 >  >                                 It seems no matter what config I put
 >  >                                 into nss.conf or dse.ldif nothing
changes
 >  >                                 with my nmap results. Is there
supposed
 >  >                                 to be a be a section to add TLS
ciphers
 >  >                                 instead of SSL Not sure now, CCing
 > Ludwig who was involved in
 >  >                         the original RHEL-6
 >  >                         implementation. If I remember correctly we
 > did the change in default
 >  >                 ciphers and the option for handling in 389-ds > 1.3.3,
 >  >                 so it would not be in RHEL6, adding Noriko to get
 >  >                 confirmation.
 >  >
 >  >                 but the below comments about changing ciphers in
 >  >                 dse.ldif could help in using the "old" way to set
ciphers
 >  >                         Just to be sure, when you are modifying
 >  >                         dse.ldif, the procedure
 >  >                         should be always following:
 >  >
 >  >                         1) Stop Directory Server service
 >  >                         2) Modify dse.ldif
 >  >                         3) Start Directory Server service
 >  >
 >  >                         Otherwise it won't get applied and will get
 >  >                         overwritten later.
 >  >
 >  >                         In any case, the ciphers with RHEL-6 should be
 >  >                         secure enough, the ones in
 >  >                         FreeIPA 4.3.1 should be even better. This
is for
 >  >                         example an nmap taken on
 >  >                         FreeIPA Demo instance that runs on FreeIPA
4.3.1:
 >  >
 >  >                         $ nmap --script ssl-enum-ciphers -p 636
 >  >                         ipa.demo1.freeipa.org
 >  >
 >  >                         Starting Nmap 7.12 ( _https://nmap.org_
 >  >                         <https://nmap.org/>) at 2016-04-28 12:02 CEST
 >  >                         Nmap scan report for ipa.demo1.freeipa.org
 >  >                         (209.132.178.99)
 >  >                         Host is up (0.18s latency).
 >  >                         PORT    STATE SERVICE
 >  >                         636/tcp open  ldapssl
 >  >                         | ssl-enum-ciphers:
 >  >                         |   TLSv1.2:
 >  >                         |     ciphers:
 >  >                         |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 >  >                         (secp256r1) - A
 >  >                         |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 >  >                         (secp256r1) - A
 >  >                         |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 >  >                         (secp256r1) - A
 >  >                         |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 >  >                         (secp256r1) - A
 >  >                         |
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh
 >  >                         2048) - A
 >  >                         |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh
 >  >                         2048) - A
 >  >                         |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh
 >  >                         2048) - A
 >  >                         |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh
 >  >                         2048) - A
 >  >                         |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh
 >  >                         2048) - A
 >  >                         |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa
 >  >                         2048) - A
 >  >                         |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa
 > 2048) - A
 >  >                         |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa
 >  >                         2048) - A
 >  >                         |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa
 > 2048) - A
 >  >                         |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa
 >  >                         2048) - A
 >  >                         |     compressors:
 >  >                         |       NULL
 >  >                         |     cipher preference: server
 >  >                         |_  least strength: A
 >  >
 >  >                         Nmap done: 1 IP address (1 host up) scanned in
 >  >                         21.12 seconds
 >  >
 >  >                         Martin
 >  >
 >  > --
 >  > Manage your subscription for the Freeipa-users mailing list:
 >  > https://www.redhat.com/mailman/listinfo/freeipa-users
 >  > Go to http://freeipa.org for more info on the project
 >  >
 >  >
 >  >
 >  >
 >
 >
 >
 >
 >





--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to