Re: [Freeipa-devel] [PATCH 0030] Modernize mod_nss's cipher suites
On 2016-02-11 14:43, Martin Kosek wrote: >> Pushed to: >> master: 5ac3a3cee534a16db86c541b9beff4939f03410e >> ipa-4-3: c3496a4a4893c75789bdf0c617e46923361fb43b >> > > Very cool! Thanks guys! Looking forward to deploying FreeIPA 4.3.1 on the > FreeIPA public demo :-) I have to change the cipher list again in the near future. During DevConf.CZ Bob pointed out some issues with key sizes in post quantum crypto world [1]. Rob and I are working on a patch for mod_nss for finite field ephemeral DH key exchange. Once the patch has landed, I'll update the cipher list to support also kDHE. Christian [1] https://devconfcz2016.sched.org/event/5m21/post-quantum-crypo-what-is-it-and-do-we-need-it signature.asc Description: OpenPGP digital signature -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0030] Modernize mod_nss's cipher suites
On 03.02.2016 15:35, Christian Heimes wrote: On 2016-01-29 15:05, Martin Basti wrote: On 29.01.2016 14:42, Christian Heimes wrote: On 2016-01-28 09:47, Martin Basti wrote: On 22.01.2016 12:32, Martin Kosek wrote: On 01/21/2016 04:21 PM, Christian Heimes wrote: The list of supported TLS cipher suites in /etc/httpd/conf.d/nss.conf has been modernized. Insecure or less secure algorithms such as RC4, DES and 3DES are removed. Perfect forward secrecy suites with ephemeral ECDH key exchange have been added. IE 8 on Windows XP is no longer supported. The list of enabled cipher suites has been generated with the script contrib/nssciphersuite/nssciphersuite.py. The supported suites are currently: TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_256_CBC_SHA https://fedorahosted.org/freeipa/ticket/5589 Thanks for the patch! I updated the ticket to make sure this change is release notes. Hello, I'm not sure if I'm the right person to do review on this, but I will try :-) 1) Your patch adds whitespace error Applying: Modernize mod_nss's cipher suites /home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:52: new blank line at EOF. + warning: 1 line adds whitespace errors. 2) +import urllib.request # pylint: disable=E0611 Please specify pylint disabled check by name 3) +def update_mod_nss_cipher_suite(http): in this upgrade, is there any possibility that ciphers might be upgraded again in future? (IMO yes). I think, it can be better to store revision of change instead of boolean LAST_REVISION = 1 if revision >= LAST_REVISION: return sysupgrade.set_upgrade_state('nss.conf', 'cipher_suite_revision', LAST_REVISION) Thanks for the review. I have addressed the problems. Instead of a revision number I'm using a date string. The sysupgrade module only stores str and bool. With a date-based revision it's easy to see when the cipher suite was checked last time. Christian Thanks 1) Pylint :-) +with urllib.request.urlopen(SOURCE) as r: # pylint: disable=E1101 Thanks! It was easier to change the import to get rid of the second pylint stanza. 2) +if revision == httpinstance.NSS_CIPHER_REVISION: may happen a case where just comparation with '==' can cause a issues (docker world)? Should not be there rather '>='? Makes sense, I've changed the comparison operator to >=. This may still override user settings, though. 3) +root_logger.info("Cipher suite already updated") Sorry that I did not noticed earlier, this should be just debug level, IMO this message is not so important, it will cause only mess on output (we already have plenty of unneeded info messages in upgrade, they will be fixed once) Fine with me :) Christian ACK Pushed to: master: 5ac3a3cee534a16db86c541b9beff4939f03410e ipa-4-3: c3496a4a4893c75789bdf0c617e46923361fb43b -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0030] Modernize mod_nss's cipher suites
On 02/11/2016 10:45 AM, Martin Basti wrote: > > > On 03.02.2016 15:35, Christian Heimes wrote: >> On 2016-01-29 15:05, Martin Basti wrote: >>> >>> On 29.01.2016 14:42, Christian Heimes wrote: On 2016-01-28 09:47, Martin Basti wrote: > On 22.01.2016 12:32, Martin Kosek wrote: >> On 01/21/2016 04:21 PM, Christian Heimes wrote: >>> The list of supported TLS cipher suites in /etc/httpd/conf.d/nss.conf >>> has been modernized. Insecure or less secure algorithms such as RC4, >>> DES and 3DES are removed. Perfect forward secrecy suites with >>> ephemeral >>> ECDH key exchange have been added. IE 8 on Windows XP is no longer >>> supported. >>> >>> The list of enabled cipher suites has been generated with the script >>> contrib/nssciphersuite/nssciphersuite.py. >>> >>> The supported suites are currently: >>> >>> TLS_RSA_WITH_AES_128_CBC_SHA256 >>> TLS_RSA_WITH_AES_256_CBC_SHA256 >>> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 >>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA >>> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 >>> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA >>> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 >>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA >>> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 >>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA >>> TLS_RSA_WITH_AES_128_GCM_SHA256 >>> TLS_RSA_WITH_AES_128_CBC_SHA >>> TLS_RSA_WITH_AES_256_GCM_SHA384 >>> TLS_RSA_WITH_AES_256_CBC_SHA >>> >>> https://fedorahosted.org/freeipa/ticket/5589 >> Thanks for the patch! I updated the ticket to make sure this change is >> release notes. >> > Hello, > > I'm not sure if I'm the right person to do review on this, but I will > try :-) > > 1) > Your patch adds whitespace error > > Applying: Modernize mod_nss's cipher suites > /home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:52: new blank > line at EOF. > + > warning: 1 line adds whitespace errors. > > > 2) > +import urllib.request # pylint: disable=E0611 > > Please specify pylint disabled check by name > > 3) > +def update_mod_nss_cipher_suite(http): > > in this upgrade, is there any possibility that ciphers might be upgraded > again in future? (IMO yes). > > I think, it can be better to store revision of change instead of boolean > > LAST_REVISION = 1 > > if revision >= LAST_REVISION: > return > > sysupgrade.set_upgrade_state('nss.conf', 'cipher_suite_revision', > LAST_REVISION) Thanks for the review. I have addressed the problems. Instead of a revision number I'm using a date string. The sysupgrade module only stores str and bool. With a date-based revision it's easy to see when the cipher suite was checked last time. Christian >>> Thanks >>> >>> 1) Pylint :-) >>> +with urllib.request.urlopen(SOURCE) as r: # pylint: disable=E1101 >> Thanks! It was easier to change the import to get rid of the second >> pylint stanza. >> >>> 2) >>> +if revision == httpinstance.NSS_CIPHER_REVISION: >>> >>> may happen a case where just comparation with '==' can cause a issues >>> (docker world)? Should not be there rather '>='? >> Makes sense, I've changed the comparison operator to >=. This may still >> override user settings, though. >> >>> 3) >>> +root_logger.info("Cipher suite already updated") >>> >>> Sorry that I did not noticed earlier, this should be just debug level, >>> IMO this message is not so important, it will cause only mess on output >>> (we already have plenty of unneeded info messages in upgrade, they will >>> be fixed once) >> Fine with me :) >> >> Christian > ACK > > Pushed to: > master: 5ac3a3cee534a16db86c541b9beff4939f03410e > ipa-4-3: c3496a4a4893c75789bdf0c617e46923361fb43b > Very cool! Thanks guys! Looking forward to deploying FreeIPA 4.3.1 on the FreeIPA public demo :-) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0030] Modernize mod_nss's cipher suites
On 2016-01-29 15:05, Martin Basti wrote: > > > On 29.01.2016 14:42, Christian Heimes wrote: >> On 2016-01-28 09:47, Martin Basti wrote: >>> >>> On 22.01.2016 12:32, Martin Kosek wrote: On 01/21/2016 04:21 PM, Christian Heimes wrote: > The list of supported TLS cipher suites in /etc/httpd/conf.d/nss.conf > has been modernized. Insecure or less secure algorithms such as RC4, > DES and 3DES are removed. Perfect forward secrecy suites with > ephemeral > ECDH key exchange have been added. IE 8 on Windows XP is no longer > supported. > > The list of enabled cipher suites has been generated with the script > contrib/nssciphersuite/nssciphersuite.py. > > The supported suites are currently: > > TLS_RSA_WITH_AES_128_CBC_SHA256 > TLS_RSA_WITH_AES_256_CBC_SHA256 > TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 > TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA > TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 > TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA > TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA > TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA > TLS_RSA_WITH_AES_128_GCM_SHA256 > TLS_RSA_WITH_AES_128_CBC_SHA > TLS_RSA_WITH_AES_256_GCM_SHA384 > TLS_RSA_WITH_AES_256_CBC_SHA > > https://fedorahosted.org/freeipa/ticket/5589 Thanks for the patch! I updated the ticket to make sure this change is release notes. >>> Hello, >>> >>> I'm not sure if I'm the right person to do review on this, but I will >>> try :-) >>> >>> 1) >>> Your patch adds whitespace error >>> >>> Applying: Modernize mod_nss's cipher suites >>> /home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:52: new blank >>> line at EOF. >>> + >>> warning: 1 line adds whitespace errors. >>> >>> >>> 2) >>> +import urllib.request # pylint: disable=E0611 >>> >>> Please specify pylint disabled check by name >>> >>> 3) >>> +def update_mod_nss_cipher_suite(http): >>> >>> in this upgrade, is there any possibility that ciphers might be upgraded >>> again in future? (IMO yes). >>> >>> I think, it can be better to store revision of change instead of boolean >>> >>> LAST_REVISION = 1 >>> >>> if revision >= LAST_REVISION: >>> return >>> >>> sysupgrade.set_upgrade_state('nss.conf', 'cipher_suite_revision', >>> LAST_REVISION) >> Thanks for the review. I have addressed the problems. Instead of a >> revision number I'm using a date string. The sysupgrade module only >> stores str and bool. With a date-based revision it's easy to see when >> the cipher suite was checked last time. >> >> Christian >> > > Thanks > > 1) Pylint :-) > +with urllib.request.urlopen(SOURCE) as r: # pylint: disable=E1101 Thanks! It was easier to change the import to get rid of the second pylint stanza. > 2) > +if revision == httpinstance.NSS_CIPHER_REVISION: > > may happen a case where just comparation with '==' can cause a issues > (docker world)? Should not be there rather '>='? Makes sense, I've changed the comparison operator to >=. This may still override user settings, though. > > 3) > +root_logger.info("Cipher suite already updated") > > Sorry that I did not noticed earlier, this should be just debug level, > IMO this message is not so important, it will cause only mess on output > (we already have plenty of unneeded info messages in upgrade, they will > be fixed once) Fine with me :) Christian From c8adc1472e06242d02119b39f3ac94413cab4229 Mon Sep 17 00:00:00 2001 From: Christian HeimesDate: Thu, 21 Jan 2016 16:09:10 +0100 Subject: [PATCH] Modernize mod_nss's cipher suites The list of supported TLS cipher suites in /etc/httpd/conf.d/nss.conf has been modernized. Insecure or less secure algorithms such as RC4, DES and 3DES are removed. Perfect forward secrecy suites with ephemeral ECDH key exchange have been added. IE 8 on Windows XP is no longer supported. The list of enabled cipher suites has been generated with the script contrib/nssciphersuite/nssciphersuite.py. TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_256_CBC_SHA https://fedorahosted.org/freeipa/ticket/5589 Signed-off-by: Christian Heimes --- contrib/nssciphersuite/README.txt| 37 contrib/nssciphersuite/nssciphersuite.py | 148 +++ ipaserver/install/httpinstance.py| 19 ipaserver/install/server/upgrade.py | 18 4 files changed, 222 insertions(+) create mode 100644 contrib/nssciphersuite/README.txt create
Re: [Freeipa-devel] [PATCH 0030] Modernize mod_nss's cipher suites
On 2016-01-28 09:47, Martin Basti wrote: > > > On 22.01.2016 12:32, Martin Kosek wrote: >> On 01/21/2016 04:21 PM, Christian Heimes wrote: >>> The list of supported TLS cipher suites in /etc/httpd/conf.d/nss.conf >>> has been modernized. Insecure or less secure algorithms such as RC4, >>> DES and 3DES are removed. Perfect forward secrecy suites with ephemeral >>> ECDH key exchange have been added. IE 8 on Windows XP is no longer >>> supported. >>> >>> The list of enabled cipher suites has been generated with the script >>> contrib/nssciphersuite/nssciphersuite.py. >>> >>> The supported suites are currently: >>> >>> TLS_RSA_WITH_AES_128_CBC_SHA256 >>> TLS_RSA_WITH_AES_256_CBC_SHA256 >>> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 >>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA >>> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 >>> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA >>> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 >>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA >>> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 >>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA >>> TLS_RSA_WITH_AES_128_GCM_SHA256 >>> TLS_RSA_WITH_AES_128_CBC_SHA >>> TLS_RSA_WITH_AES_256_GCM_SHA384 >>> TLS_RSA_WITH_AES_256_CBC_SHA >>> >>> https://fedorahosted.org/freeipa/ticket/5589 >> >> Thanks for the patch! I updated the ticket to make sure this change is >> release notes. >> > Hello, > > I'm not sure if I'm the right person to do review on this, but I will > try :-) > > 1) > Your patch adds whitespace error > > Applying: Modernize mod_nss's cipher suites > /home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:52: new blank > line at EOF. > + > warning: 1 line adds whitespace errors. > > > 2) > +import urllib.request # pylint: disable=E0611 > > Please specify pylint disabled check by name > > 3) > +def update_mod_nss_cipher_suite(http): > > in this upgrade, is there any possibility that ciphers might be upgraded > again in future? (IMO yes). > > I think, it can be better to store revision of change instead of boolean > > LAST_REVISION = 1 > > if revision >= LAST_REVISION: > return > > sysupgrade.set_upgrade_state('nss.conf', 'cipher_suite_revision', > LAST_REVISION) Thanks for the review. I have addressed the problems. Instead of a revision number I'm using a date string. The sysupgrade module only stores str and bool. With a date-based revision it's easy to see when the cipher suite was checked last time. Christian From bf5fcde74a7e4af953d4f45538655954d1837a23 Mon Sep 17 00:00:00 2001 From: Christian HeimesDate: Thu, 21 Jan 2016 16:09:10 +0100 Subject: [PATCH] Modernize mod_nss's cipher suites The list of supported TLS cipher suites in /etc/httpd/conf.d/nss.conf has been modernized. Insecure or less secure algorithms such as RC4, DES and 3DES are removed. Perfect forward secrecy suites with ephemeral ECDH key exchange have been added. IE 8 on Windows XP is no longer supported. The list of enabled cipher suites has been generated with the script contrib/nssciphersuite/nssciphersuite.py. TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_256_CBC_SHA https://fedorahosted.org/freeipa/ticket/5589 Signed-off-by: Christian Heimes --- contrib/nssciphersuite/README.txt| 37 contrib/nssciphersuite/nssciphersuite.py | 148 +++ ipaserver/install/httpinstance.py| 19 ipaserver/install/server/upgrade.py | 18 4 files changed, 222 insertions(+) create mode 100644 contrib/nssciphersuite/README.txt create mode 100755 contrib/nssciphersuite/nssciphersuite.py diff --git a/contrib/nssciphersuite/README.txt b/contrib/nssciphersuite/README.txt new file mode 100644 index ..725f2588b7840dc9cc22d9c03d6cb205f5c9fc09 --- /dev/null +++ b/contrib/nssciphersuite/README.txt @@ -0,0 +1,37 @@ +Cipher suite for mod_nss + + +The nssciphersuite.py script parses mod_nss' nss_engine_cipher.c file and +creates a list of secure cipher suites for TLS. The script filters out +insecure, obsolete and slow ciphers according to some rules. + +As of January 2016 and mod_nss 1.0.12 the cipher suite list contains 14 +cipher suites for TLS 1.0, 1.1 and 1.2 for RSA and ECDSA certificates. The +cipher suite list also supports Perfect Forward Secrecy with ephemeral ECDH +key exchange. https://www.ssllabs.com/ gives a 'A' grade. + +Note: +No suite is compatible with IE 8 and earlier on Windows XP. If you need IE 8 +support, append "+rsa_3des_sha" to enable TLS_RSA_WITH_3DES_EDE_CBC_SHA. + +# disabled cipher attributes:
Re: [Freeipa-devel] [PATCH 0030] Modernize mod_nss's cipher suites
On 29.01.2016 14:42, Christian Heimes wrote: On 2016-01-28 09:47, Martin Basti wrote: On 22.01.2016 12:32, Martin Kosek wrote: On 01/21/2016 04:21 PM, Christian Heimes wrote: The list of supported TLS cipher suites in /etc/httpd/conf.d/nss.conf has been modernized. Insecure or less secure algorithms such as RC4, DES and 3DES are removed. Perfect forward secrecy suites with ephemeral ECDH key exchange have been added. IE 8 on Windows XP is no longer supported. The list of enabled cipher suites has been generated with the script contrib/nssciphersuite/nssciphersuite.py. The supported suites are currently: TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_256_CBC_SHA https://fedorahosted.org/freeipa/ticket/5589 Thanks for the patch! I updated the ticket to make sure this change is release notes. Hello, I'm not sure if I'm the right person to do review on this, but I will try :-) 1) Your patch adds whitespace error Applying: Modernize mod_nss's cipher suites /home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:52: new blank line at EOF. + warning: 1 line adds whitespace errors. 2) +import urllib.request # pylint: disable=E0611 Please specify pylint disabled check by name 3) +def update_mod_nss_cipher_suite(http): in this upgrade, is there any possibility that ciphers might be upgraded again in future? (IMO yes). I think, it can be better to store revision of change instead of boolean LAST_REVISION = 1 if revision >= LAST_REVISION: return sysupgrade.set_upgrade_state('nss.conf', 'cipher_suite_revision', LAST_REVISION) Thanks for the review. I have addressed the problems. Instead of a revision number I'm using a date string. The sysupgrade module only stores str and bool. With a date-based revision it's easy to see when the cipher suite was checked last time. Christian Thanks 1) Pylint :-) +with urllib.request.urlopen(SOURCE) as r: # pylint: disable=E1101 2) +if revision == httpinstance.NSS_CIPHER_REVISION: may happen a case where just comparation with '==' can cause a issues (docker world)? Should not be there rather '>='? 3) +root_logger.info("Cipher suite already updated") Sorry that I did not noticed earlier, this should be just debug level, IMO this message is not so important, it will cause only mess on output (we already have plenty of unneeded info messages in upgrade, they will be fixed once) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0030] Modernize mod_nss's cipher suites
On 22.01.2016 12:32, Martin Kosek wrote: On 01/21/2016 04:21 PM, Christian Heimes wrote: The list of supported TLS cipher suites in /etc/httpd/conf.d/nss.conf has been modernized. Insecure or less secure algorithms such as RC4, DES and 3DES are removed. Perfect forward secrecy suites with ephemeral ECDH key exchange have been added. IE 8 on Windows XP is no longer supported. The list of enabled cipher suites has been generated with the script contrib/nssciphersuite/nssciphersuite.py. The supported suites are currently: TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_256_CBC_SHA https://fedorahosted.org/freeipa/ticket/5589 Thanks for the patch! I updated the ticket to make sure this change is release notes. Hello, I'm not sure if I'm the right person to do review on this, but I will try :-) 1) Your patch adds whitespace error Applying: Modernize mod_nss's cipher suites /home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:52: new blank line at EOF. + warning: 1 line adds whitespace errors. 2) +import urllib.request # pylint: disable=E0611 Please specify pylint disabled check by name 3) +def update_mod_nss_cipher_suite(http): in this upgrade, is there any possibility that ciphers might be upgraded again in future? (IMO yes). I think, it can be better to store revision of change instead of boolean LAST_REVISION = 1 if revision >= LAST_REVISION: return sysupgrade.set_upgrade_state('nss.conf', 'cipher_suite_revision', LAST_REVISION) Otherwise it works -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0030] Modernize mod_nss's cipher suites
On 01/21/2016 04:21 PM, Christian Heimes wrote: The list of supported TLS cipher suites in /etc/httpd/conf.d/nss.conf has been modernized. Insecure or less secure algorithms such as RC4, DES and 3DES are removed. Perfect forward secrecy suites with ephemeral ECDH key exchange have been added. IE 8 on Windows XP is no longer supported. The list of enabled cipher suites has been generated with the script contrib/nssciphersuite/nssciphersuite.py. The supported suites are currently: TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_256_CBC_SHA https://fedorahosted.org/freeipa/ticket/5589 Thanks for the patch! I updated the ticket to make sure this change is release notes. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH 0030] Modernize mod_nss's cipher suites
The list of supported TLS cipher suites in /etc/httpd/conf.d/nss.conf has been modernized. Insecure or less secure algorithms such as RC4, DES and 3DES are removed. Perfect forward secrecy suites with ephemeral ECDH key exchange have been added. IE 8 on Windows XP is no longer supported. The list of enabled cipher suites has been generated with the script contrib/nssciphersuite/nssciphersuite.py. The supported suites are currently: TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_256_CBC_SHA https://fedorahosted.org/freeipa/ticket/5589 From 26d356970ef1f7de7b00fe237f67345c507c7989 Mon Sep 17 00:00:00 2001 From: Christian HeimesDate: Thu, 21 Jan 2016 16:09:10 +0100 Subject: [PATCH] Modernize mod_nss's cipher suites The list of supported TLS cipher suites in /etc/httpd/conf.d/nss.conf has been modernized. Insecure or less secure algorithms such as RC4, DES and 3DES are removed. Perfect forward secrecy suites with ephemeral ECDH key exchange have been added. IE 8 on Windows XP is no longer supported. The list of enabled cipher suites has been generated with the script contrib/nssciphersuite/nssciphersuite.py. The supported suites are currently: TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_256_CBC_SHA https://fedorahosted.org/freeipa/ticket/5589 Signed-off-by: Christian Heimes --- contrib/nssciphersuite/README.txt| 38 contrib/nssciphersuite/nssciphersuite.py | 147 +++ ipaserver/install/httpinstance.py| 18 ipaserver/install/server/upgrade.py | 14 +++ 4 files changed, 217 insertions(+) create mode 100644 contrib/nssciphersuite/README.txt create mode 100755 contrib/nssciphersuite/nssciphersuite.py diff --git a/contrib/nssciphersuite/README.txt b/contrib/nssciphersuite/README.txt new file mode 100644 index ..89bafff560eb497089474e2d8a0b1b853d5c5bdf --- /dev/null +++ b/contrib/nssciphersuite/README.txt @@ -0,0 +1,38 @@ +Cipher suite for mod_nss + + +The nssciphersuite.py script parses mod_nss' nss_engine_cipher.c file and +creates a list of secure cipher suites for TLS. The script filters out +insecure, obsolete and slow ciphers according to some rules. + +As of January 2016 and mod_nss 1.0.12 the cipher suite list contains 14 +cipher suites for TLS 1.0, 1.1 and 1.2 for RSA and ECDSA certificates. The +cipher suite list also supports Perfect Forward Secrecy with ephemeral ECDH +key exchange. https://www.ssllabs.com/ gives a 'A' grade. + +Note: +No suite is compatible with IE 8 and earlier on Windows XP. If you need IE 8 +support, append "+rsa_3des_sha" to enable TLS_RSA_WITH_3DES_EDE_CBC_SHA. + +# disabled cipher attributes: SSL_3DES, SSL_CAMELLIA, SSL_CAMELLIA128, SSL_CAMELLIA256, SSL_DES, SSL_DSS, SSL_MD5, SSL_RC2, SSL_RC4, SSL_aDSS, SSL_aNULL, SSL_eNULL, SSL_kECDHe, SSL_kECDHr, kECDH +# weak strength: SSL_EXPORT40, SSL_EXPORT56, SSL_LOW, SSL_STRONG_NONE +# enabled cipher suites: +# TLS_RSA_WITH_AES_128_CBC_SHA256 +# TLS_RSA_WITH_AES_256_CBC_SHA256 +# TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 +# TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA +# TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 +# TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA +# TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 +# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA +# TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 +# TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA +# TLS_RSA_WITH_AES_128_GCM_SHA256 +# TLS_RSA_WITH_AES_128_CBC_SHA +# TLS_RSA_WITH_AES_256_GCM_SHA384 +# TLS_RSA_WITH_AES_256_CBC_SHA +# + +NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha + + diff --git a/contrib/nssciphersuite/nssciphersuite.py b/contrib/nssciphersuite/nssciphersuite.py new file mode 100755 index ..95252512a38d90bbcf12e5d362de8bf509c3e854