Re: [Freeipa-users] freeipa managed sudoers on Solaris 10

2015-01-19 Thread Murty, Ajeet (US - Arlington)
We had to use OpenCSW packages.

run this on cmd-line -
  pkgadd -d http://get.opencsw.org/now
  /opt/csw/bin/pkgutil -y -i CSWbdb4 CSWcommon CSWlibnet CSWosslutils \
    CSWsasl CSWsudo-common CSWsudoldap cswpki gcc4core gcc4g++ gmake libssl_dev \
    openldap_client openldap_dev

optional one pkg at a time install -
  /opt/csw/bin/pkgutil -y -i CSWbdb4
  /opt/csw/bin/pkgutil -y -i CSWcommon
  /opt/csw/bin/pkgutil -y -i CSWlibnet
  /opt/csw/bin/pkgutil -y -i CSWosslutils
  /opt/csw/bin/pkgutil -y -i CSWsasl
  /opt/csw/bin/pkgutil -y -i CSWsudo-common
  /opt/csw/bin/pkgutil -y -i CSWsudoldap
  /opt/csw/bin/pkgutil -y -i cswpki


Ajeet Murty
Deloitte & Touche LLP
Tel: +1 571 882 5614 | Mobile: +1 704 421 8756
amu...@deloitte.com | www.deloitte.com








This message (including any attachments) contains confidential information 
intended for a specific individual and purpose, and is protected by law. If you 
are not the intended recipient, you should delete this message and any 
disclosure, copying, or distribution of this message, or the taking of any 
action based on it, by you is strictly prohibited.

v.E.1



From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Monday, January 19, 2015 2:02 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] freeipa managed sudoers on Solaris 10

On 01/19/2015 01:50 PM, sipazzo wrote:
I am having trouble finding relevant documentation on using freeipa to manage 
sudoers for a Solaris client. Has anyone successfully set this up without 
adding a bunch of non-standard packages? I am running freeipa 3.0.0-42 and any 
help is appreciated.


AFAIR Solaris does not carry sudo packages so if you plan to use sudo you would 
need to get packages from upstream.
Other than that it is not different from using SUDO from a Linux client that 
does not have SSSD.



--

Thank you,

Dmitri Pal



Sr. Engineering Manager IdM portfolio

Red Hat, Inc.




-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] Replace Self-Signed Cert

2014-10-15 Thread Murty, Ajeet (US - Arlington)
Thanks for all the info. I think I will wait for the 4.1 update.







-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Rob Crittenden
Sent: Tuesday, October 14, 2014 9:43 AM
To: quest monger; d...@redhat.com
Cc: FreeIPA
Subject: Re: [Freeipa-users] Replace Self-Signed Cert

quest monger wrote:
 makes sense.
 i will still try out that cert add command in my test environment, just
 to see if it works.
 looks like for now, 4.1 upgrade is my best option.

IPA 3.x includes a command, ipa-server-certinstall, which will do what
you need. This can be a bumpy process with clients and such which is why
Dmitri suggested using 4.1, but it should still basically work. It
depends greatly on whether the CA issuing the certs is already known by
clients (for example being a default CA shipped by NSS and openssl).

But I'd step cautiously and ask a lot of questions before you proceed.
The IPA certificates are not self-signed. They are issued by a CA
controlled by IPA.  I think your admin's concerns are related to users
getting an unknown CA/cert error. It can be confusing and can train
users to accept any SSL certificate they see which is bad.

There are some downsides to not using the IPA CA:

- no automatic renewal of certificates. This means you need to manually
monitor your infrastructure and renew the certificates before they
expire. Otherwise your identity infrastructure could go down.
- for every replica you set up you will need to get a web and ldap
certificate in advance

rob



 On Mon, Oct 13, 2014 at 7:01 PM, Dmitri Pal d...@redhat.com wrote:

 On 10/13/2014 06:45 PM, quest monger wrote:
 I did the default IPA install, didn't change any certs or anything.
 As part of that install, it now shows 2 certs, one on port 443
 (HTTPS) and one on port 636 (LDAPS). These certs don't have a trust
 chain, hence I called them self-signed.
 We have a contract with a third party CA that issues TLS certs for
 us. I was asked to find a way to replace those 2 self-signed certs
 with certs from this third party CA.
 I was wondering if there was a way I could do that.

 I found this
 - http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

 I am currently running 3.0.0.



 AFAIU the biggest issue will be with the clients.
 I suspect that they might be quite confused if you just drop in the
 certs from the 3rd party.
 If you noticed, the page has the following line: "The certificate in
 mysite.crt must be signed by the CA used when installing FreeIPA." I
 think it should say "by external CA" to be clear.
 It is not the case in your situation. If it were the situation, the
 CA would already have been in the trust chain on the clients and the
 procedure would have worked, but I do not think it would work now.
 You would need to use the cert chaining tool that was built in
 4.1 when 4.1 gets released on CentOS.





 On Mon, Oct 13, 2014 at 6:31 PM, Dmitri Pal d...@redhat.com wrote:

 On 10/13/2014 03:39 PM, quest monger wrote:
 I found some documentation for getting certificate signed by
 external CA (2.3.3.2. Using Different CA Configurations) -
 
 http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/creating-server.html


 But looks like those instructions apply to a first time fresh
 install, not for upgrading an existing install.



 On Mon, Oct 13, 2014 at 3:24 PM, quest monger quest.mon...@gmail.com wrote:

 I was told by my admin team that Self-signed certs pose a
 security risk.


 On Mon, Oct 13, 2014 at 3:17 PM, Rob Crittenden rcrit...@redhat.com wrote:

 quest monger wrote:
  Hello All,
 
  I installed FreeIPA server on a CentOS host. I have
 20+ Linux and
  Solaris clients hooked up to it. SSH and Sudo works
 on all clients.
 
  I would like to replace the self-signed cert that
 is used on Port 389
  and 636.
 
  Is there a way to do this without re-installing the
 server and clients.

 Why do you want to do this?

 rob






 Do I get it right that you installed IPA using self-signed
 certificate 

Re: [Freeipa-users] weak and null ciphers detected on ldap ports

2014-10-08 Thread Murty, Ajeet (US - Arlington)
Understood. Thank you for clarifying all that.
I believe my best options at this point are to rebuild my environment on CentOS 
7, enable COPR repo, and get the latest version of FreeIPA 4.x.
I will hold out for a few more weeks to see if someone at RedHat can provide a 
fix/patch for the older version. Fingers crossed.


-Original Message-
From: Alexander Bokovoy [mailto:aboko...@redhat.com] 
Sent: Wednesday, October 08, 2014 2:01 AM
To: Murty, Ajeet (US - Arlington)
Cc: Rob Crittenden; Rich Megginson; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports

On Wed, 08 Oct 2014, Murty, Ajeet (US - Arlington) wrote:
Any ideas on what else I can try here?
Also, can we expect the new IPA and DS to be available in the CentOS/YUM 
repository in the next few weeks/months?
In general, the FreeIPA team doesn't do backports to older versions due to
tight cooperation with other components when introducing new features.
We depend a lot on changes in 389-ds, Dogtag, MIT Kerberos, and SSSD, at least,
but also in Samba and other components, including the Linux kernel.

Backporting all the changes to older releases of certain distributions
is left to distribution maintainers. For Fedora we do have some freedom
on what can be done and try to maintain availability of FreeIPA releases
on two current versions but sometimes it is impossible due to update
policies -- Fedora 20 got the 4.0.x upgrade via the COPR repository while we are
cleaning up Fedora 21 for 4.1 support.

In case of Red Hat Enterprise Linux releases, Red Hat itself (I cannot
speak for the company) makes decisions on what to support and these
decisions are also based on certain stability promises for ABI, see
https://access.redhat.com/solutions/5154 for details. Some of the components
FreeIPA depends on change their ABI and therefore the changes can only
be introduced in newer major releases. When these changes occurred, we
coordinated with Red Hat engineering teams to make sure the most important
changes were folded into the RHEL 7.0 release to provide a base for FreeIPA
integration.

For CentOS, as it tracks the corresponding Red Hat Enterprise Linux
releases, the situation is similar. For packages that are not in RHEL/CentOS
releases there are means to provide them through side channels, like
EPEL, but EPEL's policy prevents packaging something that is
available through the main channels for the release.

We use COPR repositories to make it possible to install newer FreeIPA
versions on RHEL 7/CentOS 7/Fedora 20. However, these packages have no
official support from Red Hat or the CentOS project. They are a FreeIPA
upstream effort to make our releases more easily testable. For any issues
found through COPR repositories you are welcome to file tickets in the
FreeIPA issue tracker at https://fedorahosted.org/freeipa/.



Thanks again for all your help.


-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Murty, Ajeet (US - 
Arlington)
Sent: Tuesday, October 07, 2014 1:21 PM
To: Alexander Bokovoy
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports

I removed the new lines, looks like this now -

modifyTimestamp: 20140915221826Z
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
 rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
 a_export1024_with_des_cbc_sha
numSubordinates: 1

I am still seeing the null ciphers in my scan results.



-Original Message-
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Tuesday, October 07, 2014 1:08 PM
To: Murty, Ajeet (US - Arlington)
Cc: Rob Crittenden; Rich Megginson; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports

On Tue, 07 Oct 2014, Murty, Ajeet (US - Arlington) wrote:
I shut down IPA and modified both dse ldif files to look like this -

nsSSL3Ciphers: 
 -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
 
 rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
 a_export1024_with_des_cbc_sha


Then, when I try to start up IPA, I get this error message -

[root]# /etc/init.d/ipa start
Starting Directory Service
Starting dirsrv:
EXAMPLE-COM...[07/Oct/2014:12:49:59 -0400] - 
 str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] - The entry [nsSSL3Ciphers] in the 
 configfile /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif was empty or could not be 
 parsed
[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
The lines above suggest that you actually separated the nsSSL3Ciphers line
from the entry itself. At least in my case it looks like this:

dn: cn=encryption,cn=config
objectClass

Re: [Freeipa-users] weak and null ciphers detected on ldap ports

2014-10-08 Thread Murty, Ajeet (US - Arlington)
That worked!

I should have read the DS-389 documentation more carefully.

I had to set nsSSL3Ciphers to the following - 

modifyTimestamp: 20140915221826Z
nsSSL3Ciphers: +all,-rsa_null_sha
numSubordinates: 1

Ran the scan again, and no Null Ciphers detected.

Cipher configuration documentation for DS-389 - 
http://directory.fedoraproject.org/docs/389ds/design/nss-cipher-design.html

Thanks!


-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ludwig Krispenz
Sent: Wednesday, October 08, 2014 11:49 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports

Hi,

I did a test with 1.2.11.15-33

first test:
nsSSL3Ciphers: +all
running nmap gave:
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.0:
| ciphers:
|   SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA - strong
|   SSL_RSA_FIPS_WITH_DES_CBC_SHA - weak
|   TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA - weak
|   TLS_RSA_EXPORT1024_WITH_RC4_56_SHA - weak
|   TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 - weak
|   TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak
|   TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|   TLS_RSA_WITH_AES_128_CBC_SHA - strong
|   TLS_RSA_WITH_AES_256_CBC_SHA - strong
|   TLS_RSA_WITH_DES_CBC_SHA - weak
|   TLS_RSA_WITH_NULL_SHA - broken 
|   TLS_RSA_WITH_RC4_128_MD5 - strong
|   TLS_RSA_WITH_RC4_128_SHA - strong
| compressors:
|   NULL
|_  least strength: broken

next test:
nsSSL3Ciphers: +all,-rsa_null_sha

nmap result:
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.0:
| ciphers:
|   SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA - strong
|   SSL_RSA_FIPS_WITH_DES_CBC_SHA - weak
|   TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA - weak
|   TLS_RSA_EXPORT1024_WITH_RC4_56_SHA - weak
|   TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 - weak
|   TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak
|   TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|   TLS_RSA_WITH_AES_128_CBC_SHA - strong
|   TLS_RSA_WITH_AES_256_CBC_SHA - strong
|   TLS_RSA_WITH_DES_CBC_SHA - weak
|   TLS_RSA_WITH_RC4_128_MD5 - strong
|   TLS_RSA_WITH_RC4_128_SHA - strong
| compressors:
|   NULL
|_  least strength: weak

maybe you can try adding -rsa_null_sha to your nsSSL3Ciphers config.

On 10/08/2014 09:10 AM, Murty, Ajeet (US - Arlington) wrote:
 Understood. Thank you for clarifying all that.
 I believe my best options at this point are to rebuild my environment on 
 CentOS 7, enable COPR repo, and get the latest version of FreeIPA 4.x.
 I will hold out for a few more weeks to see if someone at RedHat can provide 
 a fix/patch for the older version. Fingers crossed.


 -Original Message-
 From: Alexander Bokovoy [mailto:aboko...@redhat.com]
 Sent: Wednesday, October 08, 2014 2:01 AM
 To: Murty, Ajeet (US - Arlington)
 Cc: Rob Crittenden; Rich Megginson; freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports

 On Wed, 08 Oct 2014, Murty, Ajeet (US - Arlington) wrote:
 Any ideas on what else I can try here?
 Also, can we expect the new IPA and DS to be available in the CentOS/YUM 
 repository in the next few weeks/months?
 In general, the FreeIPA team doesn't do backports to older versions due to
 tight cooperation with other components when introducing new features.
 We depend a lot on changes in 389-ds, Dogtag, MIT Kerberos, and SSSD, at
 least, but also in Samba and other components, including the Linux kernel.

 Backporting all the changes to older releases of certain distributions
 is left to distribution maintainers. For Fedora we do have some freedom
 on what can be done and try to maintain availability of FreeIPA releases
 on two current versions but sometimes it is impossible due to update
 policies -- Fedora 20 got the 4.0.x upgrade via the COPR repository while we are
 cleaning up Fedora 21 for 4.1 support.

 In case of Red Hat Enterprise Linux releases, Red Hat itself (I cannot
 speak for the company) makes decisions on what to support and these
 decisions are also based on certain stability promises for ABI, see
 https://access.redhat.com/solutions/5154 for details. Some of the components
 FreeIPA depends on change their ABI and therefore the changes can only
 be introduced in newer major releases. When these changes occurred, we
 coordinated with Red Hat engineering teams to make sure the most important
 changes were folded into the RHEL 7.0 release to provide a base for FreeIPA
 integration.

 For CentOS, as it tracks the corresponding Red Hat Enterprise Linux
 releases, the situation is similar. For packages that are not in RHEL/CentOS
 releases there are means to provide them through side channels, like
 EPEL, but EPEL's policy prevents packaging something that is
 available through the main channels for the release.

 We use COPR repositories to make it possible to install newer FreeIPA
 versions on RHEL 7/CentOS 7/Fedora 20. However, these packages have
Re: [Freeipa-users] weak and null ciphers detected on ldap ports

2014-10-07 Thread Murty, Ajeet (US - Arlington)
Hi Martin and Nathan,

Thank you for providing that info.
Unfortunately, my IPA server is running on CentOS, and the latest IPA version 
available through YUM is - 'ipa-server.i686 3.0.0-37.el6'.
The latest version of 389-DS through YUM is - '389-ds-base.i686 
1.2.11.15-34.el6_5 '.

Nessus scan had detected this null cipher -
TLSv1
  NULL-SHA  Kx=RSA  Au=RSA  Enc=None  Mac=SHA1

I found 2 'dse.ldif' files on disk -
/etc/dirsrv/slapd-PKI-IPA/dse.ldif
/etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif

In each of them, I found this -
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
 rtezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
 a_export1024_with_des_cbc_sha


So to disable the null cipher, I removed 'rsa_null_md5' from that list -
nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
 rtezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
 a_export1024_with_des_cbc_sha

I restarted the entire IPA stack and ran the scan again; I am still seeing 
that Null Cipher.

Any ideas on how to resolve this?

Thanks.







-Original Message-
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Tuesday, September 23, 2014 11:15 AM
To: Nathan Kinder; freeipa-users@redhat.com; Murty, Ajeet (US - Arlington)
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports

On 09/22/2014 10:07 PM, Nathan Kinder wrote:


 On 09/22/2014 05:03 AM, Murty, Ajeet (US - Arlington) wrote:
 Security scan of FreeIPA server ports uncovered weak, medium and null
 ciphers on port 389 and 636. We are running 'ipa-server-3.0.0-37.el6.i686'.

 How can I disable/remove these ciphers in my existing setup?

 This has recently been worked on in this 389-ds-base ticket:

   https://fedorahosted.org/389/ticket/47838

 As mentioned in the initial description of that ticket, you can
 configure the allowed ciphers in the cn=config entry in 389-ds-base.
 You can edit this over LDAP, or by stopping 389-ds-base and editing
 /etc/dirsrv/slapd-REALM/dse.ldif.

 Thanks,
 -NGK

You can also check the FreeIPA counterpart:

https://fedorahosted.org/freeipa/ticket/4395

This issue is fixed in FreeIPA 4.0.3 (available in the Copr build and Fedora 21+);
we would very much welcome it if you could verify that this setup works for you!

Thanks,
Martin



Re: [Freeipa-users] weak and null ciphers detected on ldap ports

2014-10-07 Thread Murty, Ajeet (US - Arlington)
Sorry, messed up copy paste, here is the edited section - 

nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+
 rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128
 _sha,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
numSubordinates: 1

I double checked this time. No Null ciphers in dse.ldif files.
Still seeing the Null Cipher in scans.



-Original Message-
From: Alexander Bokovoy [mailto:aboko...@redhat.com] 
Sent: Tuesday, October 07, 2014 6:13 AM
To: Murty, Ajeet (US - Arlington)
Cc: Martin Kosek; Nathan Kinder; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports

On Tue, 07 Oct 2014, Murty, Ajeet (US - Arlington) wrote:
I edited both ldif files to remove fortezza_null. Looks like this now -

nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
 rtezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
Here I can still see +fortezza_null.

 a_export1024_with_des_cbc_sha

Ran the scan again, still seeing Null Cipher -

TLSv1
  NULL-SHA  Kx=RSA  Au=RSA  Enc=None  Mac=SHA1









-Original Message-
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Tuesday, October 07, 2014 5:46 AM
To: Murty, Ajeet (US - Arlington)
Cc: Martin Kosek; Nathan Kinder; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports

On Tue, 07 Oct 2014, Murty, Ajeet (US - Arlington) wrote:
Hi Martin and Nathan,

Thank you for providing that info.
Unfortunately, my IPA server is running on CentOS, and the latest IPA version 
available through YUM is - 'ipa-server.i686 3.0.0-37.el6'.
The latest version of 389-DS through YUM is - '389-ds-base.i686 
1.2.11.15-34.el6_5 '.

Nessus scan had detected this null cipher -
TLSv1
  NULL-SHA  Kx=RSA  Au=RSA  Enc=None  Mac=SHA1

I found 2 'dse.ldif' files on disk -
/etc/dirsrv/slapd-PKI-IPA/dse.ldif
/etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif

In each of them, I found this -
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
 rtezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
 a_export1024_with_des_cbc_sha


So to disable the null cipher, I removed 'rsa_null_md5' from that list -
nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
 rtezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
 a_export1024_with_des_cbc_sha

I restarted the entire IPA stack and ran the scan again; I am still seeing 
that Null Cipher.

Any ideas on how to resolve this?
I can also see fortezza_null in the above list; maybe you are getting
into that one?


-Original Message-
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Tuesday, September 23, 2014 11:15 AM
To: Nathan Kinder; freeipa-users@redhat.com; Murty, Ajeet (US - Arlington)
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports

On 09/22/2014 10:07 PM, Nathan Kinder wrote:


 On 09/22/2014 05:03 AM, Murty, Ajeet (US - Arlington) wrote:
 Security scan of FreeIPA server ports uncovered weak, medium and null
 ciphers on port 389 and 636. We are running 'ipa-server-3.0.0-37.el6.i686'.

 How can I disable/remove these ciphers in my existing setup?

 This has recently been worked on in this 389-ds-base ticket:

   https://fedorahosted.org/389/ticket/47838

 As mentioned in the initial description of that ticket, you can
 configure the allowed ciphers in the cn=config entry in 389-ds-base.
 You can edit this over LDAP, or by stopping 389-ds-base and editing
 /etc/dirsrv/slapd-REALM/dse.ldif.

 Thanks,
 -NGK

You can also check the FreeIPA counterpart:

https://fedorahosted.org/freeipa/ticket/4395

This issue is fixed in FreeIPA 4.0.3 (available in the Copr build and Fedora 21+);
we would very much welcome it if you could verify that this setup works for you!

Thanks,
Martin


--
/ Alexander Bokovoy

-- 
/ Alexander Bokovoy


Re: [Freeipa-users] weak and null ciphers detected on ldap ports

2014-10-07 Thread Murty, Ajeet (US - Arlington)
I removed the new lines, looks like this now - 

modifyTimestamp: 20140915221826Z
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
 rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
 a_export1024_with_des_cbc_sha
numSubordinates: 1

I am still seeing the null ciphers in my scan results.



-Original Message-
From: Alexander Bokovoy [mailto:aboko...@redhat.com] 
Sent: Tuesday, October 07, 2014 1:08 PM
To: Murty, Ajeet (US - Arlington)
Cc: Rob Crittenden; Rich Megginson; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports

On Tue, 07 Oct 2014, Murty, Ajeet (US - Arlington) wrote:
I shut down IPA and modified both dse ldif files to look like this -

nsSSL3Ciphers: 
 -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
 
 rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
 a_export1024_with_des_cbc_sha


Then, when I try to start up IPA, I get this error message -

[root]# /etc/init.d/ipa start
Starting Directory Service
Starting dirsrv:
EXAMPLE-COM...[07/Oct/2014:12:49:59 -0400] - 
 str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] - The entry [nsSSL3Ciphers] in the 
 configfile /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif was empty or could not be 
 parsed
[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
The lines above suggest that you actually separated the nsSSL3Ciphers line
from the entry itself. At least in my case it looks like this:

dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20141001151245Z
modifyTimestamp: 20141001151430Z
nsSSL3Ciphers: +all
allowWeakCipher: off
numSubordinates: 1

Note that it is part of the cn=encryption,cn=config entry. You cannot
separate attributes within the entry with empty lines because an empty line
finishes the current entry and starts another one.

[07/Oct/2014:12:49:59 -0400] - The entry [numSubordinates] in the 
 configfile /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif was empty or could not be 
 parsed
[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry 
 (lineno: 116) in file /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif failed.
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section 
 [nsSSL3Ciphers: 
 -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
 
 rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
 a_export1024_with ...]
[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry 
 (lineno: 121) in file /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif failed.
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section 
 [numSubordinates: 1]
[07/Oct/2014:12:49:59 -0400] dse - Could not load config file 
 [dse.ldif]
[07/Oct/2014:12:49:59 -0400] dse - Please edit the file to correct the 
 reported problems and then restart the server.
 [FAILED]
PKI-IPA...[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: 
 entry has no dn
[07/Oct/2014:12:49:59 -0400] - The entry [nsSSL3Ciphers] in the 
 configfile /etc/dirsrv/slapd-PKI-IPA/dse.ldif was empty or could not be parsed
[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] - The entry [numSubordinates] in the 
 configfile /etc/dirsrv/slapd-PKI-IPA/dse.ldif was empty or could not be parsed
[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry 
 (lineno: 110) in file /etc/dirsrv/slapd-PKI-IPA/dse.ldif failed.
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section 
 [nsSSL3Ciphers: 
 -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
 
 rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
 a_export1024_with ...]
[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry 
 (lineno: 115) in file /etc/dirsrv/slapd-PKI-IPA

Re: [Freeipa-users] weak and null ciphers detected on ldap ports

2014-10-07 Thread Murty, Ajeet (US - Arlington)
Any ideas on what else I can try here?
Also, can we expect the new IPA and DS to be available in the CentOS/YUM 
repository in the next few weeks/months?

Thanks again for all your help.


-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Murty, Ajeet (US - 
Arlington)
Sent: Tuesday, October 07, 2014 1:21 PM
To: Alexander Bokovoy
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports

I removed the new lines, looks like this now - 

modifyTimestamp: 20140915221826Z
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
 rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
 a_export1024_with_des_cbc_sha
numSubordinates: 1

I am still seeing the null ciphers in my scan results.



-Original Message-
From: Alexander Bokovoy [mailto:aboko...@redhat.com] 
Sent: Tuesday, October 07, 2014 1:08 PM
To: Murty, Ajeet (US - Arlington)
Cc: Rob Crittenden; Rich Megginson; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports

On Tue, 07 Oct 2014, Murty, Ajeet (US - Arlington) wrote:
I shut down IPA and modified both dse ldif files to look like this -

nsSSL3Ciphers: 
 -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
 
 rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
 a_export1024_with_des_cbc_sha


Then, when I try to start up IPA, I get this error message -

[root]# /etc/init.d/ipa start
Starting Directory Service
Starting dirsrv:
EXAMPLE-COM...[07/Oct/2014:12:49:59 -0400] - 
 str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] - The entry [nsSSL3Ciphers] in the 
 configfile /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif was empty or could not be 
 parsed
[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
The lines above suggest that you actually separated the nsSSL3Ciphers line
from the entry itself. At least in my case it looks like this:

dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20141001151245Z
modifyTimestamp: 20141001151430Z
nsSSL3Ciphers: +all
allowWeakCipher: off
numSubordinates: 1

Note that it is part of the cn=encryption,cn=config entry. You cannot
separate attributes within the entry with empty lines, because an empty line
finishes the current entry and starts another one.

[07/Oct/2014:12:49:59 -0400] - The entry [numSubordinates] in the 
 configfile /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif was empty or could not be 
 parsed
[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry 
 (lineno: 116) in file /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif failed.
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section 
 [nsSSL3Ciphers: 
 -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
 
 rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
 a_export1024_with ...]
[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry 
 (lineno: 121) in file /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif failed.
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section 
 [numSubordinates: 1]
[07/Oct/2014:12:49:59 -0400] dse - Could not load config file 
 [dse.ldif]
[07/Oct/2014:12:49:59 -0400] dse - Please edit the file to correct the 
 reported problems and then restart the server.
 [FAILED]
PKI-IPA...[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: 
 entry has no dn
[07/Oct/2014:12:49:59 -0400] - The entry [nsSSL3Ciphers] in the 
 configfile /etc/dirsrv/slapd-PKI-IPA/dse.ldif was empty or could not be parsed
[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] - The entry [numSubordinates] in the 
 configfile /etc/dirsrv/slapd-PKI-IPA/dse.ldif was empty or could not be parsed
[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
[07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry 
 (lineno: 110) in file /etc/dirsrv/slapd-PKI-IPA/dse.ldif failed.
[07/Oct/2014:12:49:59 -0400] dse_read_one_file
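
The two LDIF rules Alexander points at above (an empty line ends an entry, a line starting with a space continues the previous value), as an added example that is not code from the thread or from 389-ds: a small Python reader that applies them and then reads nsSSL3Ciphers out of cn=encryption,cn=config, so you can see which tokens the spec explicitly disables (rsa_null_md5 and fortezza_null here). Both LDIF samples are constructed from the entry quoted in the thread; the error strings are the script's own, chosen to mirror what dirsrv logged.

```python
import re

# Constructed sample: the thread's cn=encryption entry, with the cipher list
# folded the LDIF way (continuation lines start with one space, no blank lines).
GOOD_LDIF = """\
dn: cn=encryption,cn=config
cn: encryption
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
 rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
 a_export1024_with_des_cbc_sha
numSubordinates: 1
"""
# Constructed sample: same entry with blank lines pasted into the folded value,
# the shape that made dirsrv log "entry has no dn" in the thread.
BAD_LDIF = GOOD_LDIF.replace("\n +rsa_des", "\n\n +rsa_des").replace("\n rtezza", "\n\n rtezza")


def parse_ldif(text):
    """Return (entries, errors); each entry is a list of (name, value) pairs.
    An empty line ends an entry; a leading space folds a line onto the previous value."""
    entries, errors = [], []
    for block in re.split(r"\n[ \t]*\n", text.strip("\n")):
        attrs = []
        for line in filter(str.strip, block.split("\n")):
            if line.startswith(" "):                 # folded continuation line
                if attrs:
                    name, value = attrs[-1]
                    attrs[-1] = (name, value + line[1:])
                else:                                # a blank line cut the fold off
                    errors.append(f"continuation outside any attribute: {line!r}")
                continue
            name, sep, value = line.partition(":")
            if sep:
                attrs.append((name.strip(), value.strip()))
            else:
                errors.append(f"unparseable line: {line!r}")
        if not attrs or attrs[0][0].lower() != "dn":  # what dirsrv complains about
            errors.append("entry has no dn")
        entries.append(attrs)
    return entries, errors


def cipher_spec(entries):
    """Map cipher token -> enabled ('+' True, '-' False) from the nsSSL3Ciphers
    value of cn=encryption,cn=config; empty dict if entry or attribute is missing."""
    for attrs in entries:
        d = dict(attrs)
        if d.get("dn", "").lower() == "cn=encryption,cn=config":
            tokens = [t for t in d.get("nsSSL3Ciphers", "").split(",") if t]
            return {t[1:]: t[0] == "+" for t in tokens}
    return {}
```

Run on BAD_LDIF the first entry still parses but its cipher value is silently cut at the first blank line, which is why the scan kept reporting the same ciphers after the edit.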

Re: [Freeipa-users] weak and null ciphers detected on ldap ports

2014-10-07 Thread Murty, Ajeet (US - Arlington)
Done. 'Bug 1150368 - Unable to disable Null Ciphers on 389-Directory-Server
using nsSSL3Ciphers in Ldif'

https://bugzilla.redhat.com/show_bug.cgi?id=1150368

Thanks.

-Original Message-
From: Rich Megginson [mailto:rmegg...@redhat.com] 
Sent: Wednesday, October 08, 2014 12:37 AM
To: Murty, Ajeet (US - Arlington); Alexander Bokovoy; Rob Crittenden
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports

On 10/07/2014 10:15 PM, Murty, Ajeet (US - Arlington) wrote:
 Any ideas on what else I can try here?

Please file a ticket.

 Also, can we expect the new IPA and DS to be available in the CentOS/YUM 
 repository in the next few weeks/months?

 Thanks again for all your help.



[Freeipa-users] weak and null ciphers detected on ldap ports

2014-09-22 Thread Murty, Ajeet (US - Arlington)
A security scan of the FreeIPA server ports uncovered weak, medium and null ciphers
on ports 389 and 636. We are running ‘ipa-server-3.0.0-37.el6.i686’.
How can I disable/remove these ciphers in my existing setup?

Ciphers Discovered -
TLSv1
  EXP-RC2-CBC-MD5      Kx=RSA(512)   Au=RSA  Enc=RC2-CBC(40)  Mac=MD5   export
  EXP-RC4-MD5          Kx=RSA(512)   Au=RSA  Enc=RC4(40)      Mac=MD5   export

TLSv1
  EXP1024-DES-CBC-SHA  Kx=RSA(1024)  Au=RSA  Enc=DES-CBC(56)  Mac=SHA1  export
  EXP1024-RC4-SHA      Kx=RSA(1024)  Au=RSA  Enc=RC4(56)      Mac=SHA1  export
  DES-CBC-SHA          Kx=RSA        Au=RSA  Enc=DES-CBC(56)  Mac=SHA1

TLSv1
  NULL-SHA             Kx=RSA        Au=RSA  Enc=None         Mac=SHA1

Thanks,
Amb.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project