For others reference this is regarding CentOS 7.2 with FreeIPA 4.4.0

Directory server change suggested on the link are for an older version.
Minimum TLS support can be altered as follows:

*/etc/dirsrv/slapd-DOMAIN.COM/dse.ldif*

dn: cn=encryption,cn=config

allowWeakCipher: off

cn: encryption

createTimestamp: 20161130110528Z

creatorsName: cn=server,cn=plugins,cn=config

modifiersName: cn=Directory Manager

modifyTimestamp: 20161213085006Z

nsSSLClientAuth: allowed

nsSSLSessionTimeout: 0

nsSSL3Ciphers: default

objectClass: top

objectClass: nsEncryptionConfig
sslVersionMin: TLS1.2

I'm still working on port 8443 (DogTag/PKI/Tomcat) - configuration in
/usr/share/pki/server/conf/server.xml seems to roughly match the linked
article however its all tokenized as shown below:

203            sslOptions="[TOMCAT_SSL_OPTIONS]"
204            ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
205            ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
206            tlsCiphers="[TOMCAT_TLS_CIPHERS]"
207            sslVersionRangeStream="[TOMCAT_SSL_VERSION_RANGE_STREAM]"
208            sslVersionRangeDatagram="[TOMCAT_SSL_VERSION_RANGE_DATAGRAM]"
209            sslRangeCiphers="[TOMCAT_SSL_RANGE_CIPHERS]"

I'll feed back if i work it out.

Thanks,

On Thu, Apr 27, 2017 at 8:22 PM Callum Guy <callum....@x-on.co.uk> wrote:

> Thanks so much for the link Rob - i'm on 4.4.0. I'll get back in touch if
> i run into any issues - i find it difficult to locate these help pages so
> really do appreciate the advice
>
> On Thu, Apr 27, 2017 at 8:16 PM Rob Crittenden <rcrit...@redhat.com>
> wrote:
>
>> Callum Guy wrote:
>> > Hi All,
>> >
>> > I'm currently looking at hardening my FreeIPA server as part of a PCI
>> > assessment.
>> >
>> > I am hoping to be able to fix PKI (ports 8443) and SLAPD (LDAPS) to use
>> > only TLS1.2 - both currently support TLS1.0 and unfortunately that is
>> > non-compliant for my environment.
>> >
>> > Also i'm very much hoping not to break my installation!
>> >
>> > Does anyone have experience in this area?
>>
>> It depends very much on what version you are running but see
>> https://access.redhat.com/articles/2801181 for inspiration.
>>
>> rob
>>
>>

-- 



*0333 332 0000  |  www.x-on.co.uk <http://www.x-on.co.uk>  |   ** 
<https://www.linkedin.com/company/x-on>   <https://www.facebook.com/XonTel> 
  <https://twitter.com/xonuk> * 
X-on is a trading name of Storacall Technology Ltd a limited company 
registered in England and Wales.
Registered Office : Avaland House, 110 London Road, Apsley, Hemel 
Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
The information in this e-mail is confidential and for use by the 
addressee(s) only. If you are not the intended recipient, please notify 
X-on immediately on +44(0)333 332 0000 and delete the
message from your computer. If you are not a named addressee you must not 
use, disclose, disseminate, distribute, copy, print or reply to this email. 
Views 
or opinions expressed by an individual
within this email may not necessarily reflect the views of X-on or its 
associated companies. Although X-on routinely screens for viruses, 
addressees should scan this email and any attachments
for viruses. X-on makes no representation or warranty as to the absence of 
viruses in this email or any attachments.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to