Re: [Freeipa-users] IPA Web Portal using outdated ciphers, breaking with some clients

2016-01-29 Thread Rob Crittenden 
Jeff Hallyburton wrote:
> Hi,
> 
> We're also seeing that the free-ipa web-portal is using TLS 1.2 by
> default, which is being flagged as insecure / obsolete.  This also seems
> to be causing some clients (some instances of Chrome) to fail logins:
> 
> [Fri Jan 29 18:34:26.638350 2016] [:error] [pid 6603] SSL Library Error:
> -12286 No common encryption algorithm(s) with client
> 
> 
> What do we need to do to update this to TLS 1.3?

TLS 1.2 insecure/obsolete? Flagged by what? Need more info on what the
handshake looks like and what the server configuration is.

AFAIK 1.3 is still in draft form.

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] IPA Web Portal using outdated ciphers, breaking with some clients

2016-01-29 Thread Jeff Hallyburton 
Rob,

Chrome is flagging this, and given the error (I've attached a copy) its
probably due to the cipher suite (possibly specifically that it uses
SHA1).  This article has more details and is consistent with what we're
seeing:

http://security.stackexchange.com/questions/83831/google-chrome-your-connection-to-website-is-encrypted-with-obsolete-cryptograph

We've also seen similar issues come up with other applications during
penetration scans (e.g., Qualys) which is why I've noted it here.

Thanks,

Jeff

Jeff Hallyburton
Strategic Systems Engineer
Bloomip Inc.
Web: http://www.bloomip.com

Engineering Support: supp...@bloomip.com
Billing Support: bill...@bloomip.com
Customer Support Portal:  https://my.bloomip.com 

On Fri, Jan 29, 2016 at 2:36 PM, Rob Crittenden  wrote:

> Jeff Hallyburton wrote:
> > Hi,
> >
> > We're also seeing that the free-ipa web-portal is using TLS 1.2 by
> > default, which is being flagged as insecure / obsolete.  This also seems
> > to be causing some clients (some instances of Chrome) to fail logins:
> >
> > [Fri Jan 29 18:34:26.638350 2016] [:error] [pid 6603] SSL Library Error:
> > -12286 No common encryption algorithm(s) with client
> >
> >
> > What do we need to do to update this to TLS 1.3?
>
> TLS 1.2 insecure/obsolete? Flagged by what? Need more info on what the
> handshake looks like and what the server configuration is.
>
> AFAIK 1.3 is still in draft form.
>
> rob
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project