Re: [Freeipa-users] IPA vulnerability management SSL

2016-05-17 Thread Sean Hogan
Cc: freeipa-users@redhat.com, Noriko Hosoi <nho...@redhat.com> Date: 04/29/2016 01:49 PM Subject: Re: [Freeipa-users] IPA vulnerability management SSL Thanks Rob... appreciate the help.. can you send me what you have in nss.conf, server.xml as well? If I start off playing with s

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-30 Thread Robert Story
On Fri, 29 Apr 2016 08:56:57 -0700 Sean wrote: SH> Hi Rob, SH> SH> I stopped IPA, modified dse.ldif, restarted with the cipher list and it SH> started without issue Just thought I'd point out the other recent thread, "freeipa update changed my cipher set", which mentions that dse.ldif can get

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-29 Thread Rob Crittenden
edhat.com> To: Sean Hogan/Durham/IBM@IBMUS Cc: freeipa-users@redhat.com, Noriko Hosoi <nho...@redhat.com> Date: 04/29/2016 01:36 PM Subject: Re: [Freeipa-users] IPA vulnerability management SSL Sean Hogan wrote:

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-29 Thread Sean Hogan
<rcrit...@redhat.com> > Cc: freeipa-users@redhat.com, Noriko Hosoi <nho...@redhat.com> > Date: 04/29/2016 08:56 AM > Subject: Re: [Freeipa-users] IPA vulnerability management SSL > > > > > Hi Rob,

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-29 Thread Rob Crittenden
9/2016 08:56 AM Subject: Re: [Freeipa-users] IPA vulnerability management SSL Hi Rob, I stopped IPA, modified dse.ldif, restarted with the cipher list and it started without issue however Same 13 ciphers. You know.. th

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-29 Thread Sean Hogan
edhat.com> Date: 04/29/2016 08:56 AM Subject: Re: [Freeipa-users] IPA vulnerability management SSL Hi Rob, I stopped IPA, modified dse.ldif, restarted with the cipher list and it started without issue however Same 13 ciphers. You know.. thinking about this now.. I going to t

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-29 Thread Sean Hogan
freeipa-users@redhat.com Date: 04/29/2016 08:30 AM Subject: Re: [Freeipa-users] IPA vulnerability management SSL Sean Hogan wrote: > Hi Noriko, > > Thanks for the suggestions, > > I had to trim out the GCM ciphers in order to get IPA to start back up > or I would get the

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-29 Thread Rob Crittenden
riko Hosoi ---04/28/2016 12:08:59 PM---Thank you for including me in the loop, Ludwig. On 04/28/2016 04:34 AM, Ludwig Krispenz wrote: From: Noriko Hosoi <nho...@redhat.com> To: Ludwig Krispenz <lkris...@redhat.com>, freeipa-users@redhat.com Date: 04/28/2016 12:08 PM Subject: R

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-28 Thread Sean Hogan
bject: Re: [Freeipa-users] IPA vulnerability management SSL Sent by:freeipa-users-boun...@redhat.com Thank you for including me in the loop, Ludwig. On 04/28/2016 04:34 AM, Ludwig Krispenz wrote: > If I remember correctly we did the change in default ciphers and the option for

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-28 Thread Noriko Hosoi
Thank you for including me in the loop, Ludwig. On 04/28/2016 04:34 AM, Ludwig Krispenz wrote: > If I remember correctly we did the change in default ciphers and the option for handling in 389-ds > 1.3.3, so it would not be in RHEL6, adding Noriko to get confirmation. Ludwig is right. The

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-28 Thread Sean Hogan
i <nho...@redhat.com> Date: 04/28/2016 08:20 AM Subject: Re: [Freeipa-users] IPA vulnerability management SSL Yes sir.. I am stopping DS with ipactl stop before making changes.. I often times have to really play with the ciphers cause many times when I restart DS I get unknown cipher a

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-28 Thread Sean Hogan
t: Re: [Freeipa-users] IPA vulnerability management SSL Yes sir.. I am stopping DS with ipactl stop before making changes.. I often times have to really play with the ciphers cause many times when I restart DS I get unknown cipher and IPA fails to start. Go back into dse.ldif and modify til i

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-28 Thread Sean Hogan
Security & Risk Assurance Watson Cloud Technology and Support email: scho...@us.ibm.com | Tel 919 486 1397 From: Ludwig Krispenz <lkris...@redhat.com> To: freeipa-users@redhat.com, Noriko Hosoi <nho...@redhat.com> Date: 04/28/2016 04:46 AM Subject: Re: [Fr

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-28 Thread Ludwig Krispenz
wanted to add Noriko, but hit send too quickly On 04/28/2016 01:26 PM, Ludwig Krispenz wrote: On 04/28/2016 12:06 PM, Martin Kosek wrote: On 04/28/2016 01:23 AM, Sean Hogan wrote: Hi Martin, No joy on placing - in front of the RC4s I modified my nss.conf to now read # SSL 3 ciphers. SSL 2

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-28 Thread Ludwig Krispenz
On 04/28/2016 12:06 PM, Martin Kosek wrote: On 04/28/2016 01:23 AM, Sean Hogan wrote: Hi Martin, No joy on placing - in front of the RC4s I modified my nss.conf to now read # SSL 3 ciphers. SSL 2 is disabled by default. NSSCipherSuite

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-28 Thread Martin Kosek
On 04/28/2016 01:23 AM, Sean Hogan wrote: > Hi Martin, > > No joy on placing - in front of the RC4s > > > I modified my nss.conf to now read > # SSL 3 ciphers. SSL 2 is disabled by default. > NSSCipherSuite >

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-27 Thread Sean Hogan
rs instead of SSL Sean Hogan From: Sean Hogan/Durham/IBM To: Martin Kosek <mko...@redhat.com> Cc: freeipa-users <freeipa-users@redhat.com> Date: 04/27/2016 09:59 AM Subject: Re: [Freeipa-users] IPA vulnerability management SSL I ran the following: nmap --s

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-27 Thread Sean Hogan
something wrong here? Sean Hogan From: Alexander Bokovoy <aboko...@redhat.com> To: Sean Hogan/Durham/IBM@IBMUS Cc: freeipa-users <freeipa-users@redhat.com> Date: 04/27/2016 10:35 AM Subject: Re: [Freeipa-users] IPA vulnerability management SSL On Wed,

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-27 Thread Alexander Bokovoy
On Wed, 27 Apr 2016, Sean Hogan wrote: Hello Alexander I knew the below which is why I added my DS rpm version in the orig email which made sense to me but per 389 DS docs allowWeakCipher starts in 1.3.3.2 in case anyone else reads this. At least that's what the docs say but you may know

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-27 Thread Sean Hogan
reeipa-users] IPA vulnerability management SSL On Tue, 26 Apr 2016, Sean Hogan wrote: > > >Hello, > > We currently have 7 ipa servers in multi master running: > >ipa-server-3.0.0-47.el6_7.1.x86_64 >389-ds-base-1.2.11.15-68.el6_7.x86_64 > >Tenable is showin

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-27 Thread Sean Hogan
suites. So I do see RC4 and the exports so I guess I can - those in the dse.ldif From: Sean Hogan/Durham/IBM To: Martin Kosek <mko...@redhat.com> Cc: freeipa-users <freeipa-users@redhat.com> Date: 04/27/2016 09:33 AM Subject: Re: [Freeipa-users] IPA vulnerability ma

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-27 Thread Sean Hogan
ipa-users@redhat.com> Date: 04/27/2016 01:43 AM Subject: Re: [Freeipa-users] IPA vulnerability management SSL On 04/27/2016 07:27 AM, Sean Hogan wrote: > Hello, > > We currently have 7 ipa servers in multi master running: > > ipa-server-3.0.0-47.el6_7.1.x86_64 >

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-27 Thread Martin Kosek
On 04/27/2016 07:27 AM, Sean Hogan wrote: > Hello, > > We currently have 7 ipa servers in multi master running: > > ipa-server-3.0.0-47.el6_7.1.x86_64 > 389-ds-base-1.2.11.15-68.el6_7.x86_64 > > Tenable is showing the use of weak ciphers along with freak vulnerabilities. > I > have followed >

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-27 Thread Alexander Bokovoy
On Tue, 26 Apr 2016, Sean Hogan wrote: Hello, We currently have 7 ipa servers in multi master running: ipa-server-3.0.0-47.el6_7.1.x86_64 389-ds-base-1.2.11.15-68.el6_7.x86_64 Tenable is showing the use of weak ciphers along with freak vulnerabilities. I have followed

[Freeipa-users] IPA vulnerability management SSL

2016-04-26 Thread Sean Hogan
Hello, We currently have 7 ipa servers in multi master running: ipa-server-3.0.0-47.el6_7.1.x86_64 389-ds-base-1.2.11.15-68.el6_7.x86_64 Tenable is showing the use of weak ciphers along with freak vulnerabilities. I have followed https://access.redhat.com/solutions/675183 however issues