On 09.03.2016 04:47, Fraser Tweedale wrote:
On Tue, Mar 08, 2016 at 11:43:49AM +0100, Martin Basti wrote:
https://fedorahosted.org/freeipa/ticket/5684
patch attached
I think the comment in install/updates/20-sslciphers.update should
be updated. Apart from that, ACK.
Cheers,
Fraser
Thanks,
updated patch attached.
Martin^2
From a8073284ccf37beff8f5767866ae9d8eb2c235d6 Mon Sep 17 00:00:00 2001
From: Martin Basti
Date: Thu, 3 Mar 2016 17:39:34 +0100
Subject: [PATCH] Configure 389ds with "default" cipher suite
nsSSLCiphers: "default" provides only secure ciphers that should be used when
connecting to DS
https://fedorahosted.org/freeipa/ticket/5684
---
install/updates/20-sslciphers.update | 6 +++---
ipaserver/install/dsinstance.py | 4 ++--
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/install/updates/20-sslciphers.update b/install/updates/20-sslciphers.update
index b0c952f498bc89568029f1d01eaded4db1371c76..978a44ba40f34265e0534c461822c06135a3a2bd 100644
--- a/install/updates/20-sslciphers.update
+++ b/install/updates/20-sslciphers.update
@@ -1,6 +1,6 @@
# change configured ciphers
-# the result of this update will be that all ciphers
-# provided by NSS which ar not weak will be enabled
+# the result of this update will be that default ciphers
+# provided by DS which are not weak will be enabled
dn: cn=encryption,cn=config
-only:nsSSL3Ciphers: +all
+only:nsSSL3Ciphers: default
addifnew:allowWeakCipher: off
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 0c54b01da7687d5812790518a2b8e00256001e5e..741dda91f3ceb6b4aff3419790f746d69adf5e16 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -777,7 +777,7 @@ class DsInstance(service.Service):
conn.do_simple_bind(DN(('cn', 'directory manager')), self.dm_password)
mod = [(ldap.MOD_REPLACE, "nsSSLClientAuth", "allowed"),
- (ldap.MOD_REPLACE, "nsSSL3Ciphers", "+all"),
+ (ldap.MOD_REPLACE, "nsSSL3Ciphers", "default"),
(ldap.MOD_REPLACE, "allowWeakCipher", "off")]
conn.modify_s(DN(('cn', 'encryption'), ('cn', 'config')), mod)
@@ -1240,7 +1240,7 @@ class DsInstance(service.Service):
conn.do_external_bind('root')
mod = [(ldap.MOD_REPLACE, "nsSSLClientAuth", "allowed"),
- (ldap.MOD_REPLACE, "nsSSL3Ciphers", "+all"),
+ (ldap.MOD_REPLACE, "nsSSL3Ciphers", "default"),
(ldap.MOD_REPLACE, "allowWeakCipher", "off")]
conn.modify_s(DN(('cn', 'encryption'), ('cn', 'config')), mod)
--
2.5.0
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code