Re: [Freeipa-users] IPA vulnerability management SSL

2016-05-17 Thread Sean Hogan

Hello,

This is an older thread now, but our mitigation guys found a solution to
this that I think you all may want, as the output has now changed from the
13 ciphers that would not change to the list below.  It's a rather easy fix
as well, and it's possible I missed it because of my assumptions.

You need to modify both the realm name dse and the pki dse ldifs.  I was
only modifying the realm dse.


/etc/dirsrv/slapd-PKI-IPA/dse.ldif
/etc/dirsrv/slapd-REALM-NAME/dse.ldif




[bob@dingle ~]# nmap --script ssl-enum-ciphers -p 636 `hostname`

Starting Nmap 5.51 ( http://nmap.org ) at 2016-05-17 10:59 EDT
Nmap scan report for dingle@bob.local (IP of dingle)
Host is up (0.00015s latency).
PORTSTATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
| Ciphers (7)
|   SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|   TLS_RSA_WITH_3DES_EDE_CBC_SHA
|   TLS_RSA_WITH_AES_128_CBC_SHA
|   TLS_RSA_WITH_AES_128_CBC_SHA256
|   TLS_RSA_WITH_AES_128_GCM_SHA256
|   TLS_RSA_WITH_AES_256_CBC_SHA
|   TLS_RSA_WITH_AES_256_CBC_SHA256
| Compressors (1)
|_  uncompressed





Sean Hogan





From:   Sean Hogan/Durham/IBM
To: Rob Crittenden <rcrit...@redhat.com>
Cc: freeipa-users@redhat.com, Noriko Hosoi <nho...@redhat.com>
Date:   04/29/2016 01:49 PM
Subject:    Re: [Freeipa-users] IPA vulnerability management SSL


Thanks Rob... appreciate the help.. can you send me what you have in
nss.conf, server.xml as well?  If I start off playing with something you
see working without issue then maybe I can come up with something or am I
wrong thinking those might affect anything?

I.e., can you send me the entire cn=encryption,cn=config section, like this:
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20150420131850Z
modifyTimestamp: 20150420131906Z
nsSSL3Ciphers: -rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha
numSubordinates: 1


Sean Hogan








From:   Rob Crittenden <rcrit...@redhat.com>
To: Sean Hogan/Durham/IBM@IBMUS
Cc: freeipa-users@redhat.com, Noriko Hosoi <nho...@redhat.com>
Date:   04/29/2016 01:36 PM
Subject:        Re: [Freeipa-users] IPA vulnerability management SSL



Sean Hogan wrote:
> Apparently making it the master ca will not work at this point since the
> replica is removed. So still stuck with non-changing ciphers.

Other services running on the box have zero impact on the ciphers
available.

I'm not sure what is wrong because it took me just a minute to stop
dirsrv, modify dse.ldif with the list I provided, restart it and confirm
that the cipher list was better.

Entries in cn=config are not replicated.

rob

>
>
> Sean Hogan
>
>
>
>
>
>
> From: Sean Hogan/Durham/IBM
> To: Rob Crittenden <rcrit...@redhat.com>
> Cc: freeipa-users@redhat.com, Noriko Hosoi <nho...@redhat.com>
> Date: 04/29/2016 08:56 AM
> Subject: Re: [Freeipa-users] IPA vulnerability management SSL
>
> 
>
>
> Hi Rob,
>
> I stopped IPA, modified dse.ldif, restarted with the cipher list and it
> started without issue, however same 13 ciphers. You know.. thinking about
> this now.. I'm going to try something. The box I am testing on is a
> replica master and not the first replica. I did not think this would
> make a difference since I removed the replica from the realm before
> testing, but maybe it will not change anything, thinking it's stuck in the
> old realm?
>
> Starting Nmap 5.51 ( http://nmap.org <http://nmap.org/> ) at 2016-04-29
> 11:51 EDT
> Nmap scan report for
> Host is up (0.82s latency).
> PORT STATE SERVICE
> 636/tcp open ldapssl
> | ssl-enum-ciphers:
> | TLSv1.2
> | Ciphers (13)
> | SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
> | SSL_RSA_FIPS_WITH_DES_CBC_SHA
> | TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
> | TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
> | TLS_RSA_WITH_3DES_EDE_CBC_SHA
> | TLS_RSA_WITH_AES_128_CBC_SHA
> | TLS_RSA_WITH_AES_128_CBC_SHA256
> | TLS_RSA_WITH_AES_128_GCM_SHA256
> | TLS_RSA_WITH_AES_256_CBC_SHA
> | TLS_RSA_WITH_AES_256_CBC_SHA256
> | TLS_RSA_WITH_DES_CBC_SHA
> | TLS_RSA_WITH_RC4_128_MD5
> | TLS_RSA_WITH_RC4
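
The before/after nmap listings in this message are the evidence the whole thread turns on, so here is a small audit script for them. It is an added example, not code from the thread or from FreeIPA/389-ds: it parses both ssl-enum-ciphers output styles seen here (Nmap 5.51's bare "Ciphers (N)" list and Nmap 7.12's graded "ciphers:" list), tolerates the "> " quoting of mail replies, flags the suites a scanner would call weak (NULL, export, RC4, single DES, RC2, MD5) and reports 3DES separately because the thread keeps +rsa_3des_sha on purpose. The two sample listings are constructed from the 13-cipher and 7-cipher outputs posted above; the weak/legacy classification is this example's own, not nmap's grading.

```python
"""Classify the cipher suites that nmap's ssl-enum-ciphers script reports.

Added example (not code from the thread). Handles Nmap 5.51 output
("Ciphers (N)" with bare names) and Nmap 7.12 output ("ciphers:" with a
"(rsa 2048) - A" key-size and grade suffix). Samples are constructed from
the listings posted in the thread.
"""
import re

# Name fragments that mark a suite as weak: NULL/export/RC4/single-DES/RC2/MD5.
WEAK_MARKERS = ("_NULL_", "_EXPORT", "_RC4_", "_DES_CBC_", "_RC2_", "_MD5")
# 3DES is reported separately: the thread keeps +rsa_3des_sha on purpose.
LEGACY_MARKERS = ("_3DES_",)

# Optional "> " mail quoting, the "|" gutter, a suite name, and (newer nmap)
# an optional "(rsa 2048) - A" suffix.
CIPHER_LINE = re.compile(
    r"^(?:>\s*)*\|\s+(?P<name>(?:TLS|SSL)_[A-Z0-9_]+)"
    r"(?:\s+\(.*\))?(?:\s+-\s+(?P<grade>[A-F]))?\s*$"
)


def parse_enum_ciphers(output):
    """Return [(suite_name, grade_or_None), ...] in the order nmap printed them."""
    found = []
    for line in output.splitlines():
        m = CIPHER_LINE.match(line)
        if m:
            found.append((m.group("name"), m.group("grade")))
    return found


def classify(name):
    """'weak', 'legacy' or 'ok' for one suite name (this example's own rule)."""
    if any(marker in name for marker in WEAK_MARKERS):
        return "weak"
    if any(marker in name for marker in LEGACY_MARKERS):
        return "legacy"
    return "ok"


def audit(output):
    """Group the suites in an ssl-enum-ciphers listing by classification."""
    report = {"weak": [], "legacy": [], "ok": []}
    for name, _grade in parse_enum_ciphers(output):
        report[classify(name)].append(name)
    return report


def removed_ciphers(before_output, after_output):
    """Suites offered in the first scan but no longer offered in the second."""
    before = {name for name, _ in parse_enum_ciphers(before_output)}
    after = {name for name, _ in parse_enum_ciphers(after_output)}
    return sorted(before - after)


# Constructed from the Nmap 5.51 listing posted in the thread (13 suites).
NMAP_BEFORE = """\
| ssl-enum-ciphers:
|   TLSv1.2
| Ciphers (13)
|   SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|   SSL_RSA_FIPS_WITH_DES_CBC_SHA
|   TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
|   TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|   TLS_RSA_WITH_3DES_EDE_CBC_SHA
|   TLS_RSA_WITH_AES_128_CBC_SHA
|   TLS_RSA_WITH_AES_128_CBC_SHA256
|   TLS_RSA_WITH_AES_128_GCM_SHA256
|   TLS_RSA_WITH_AES_256_CBC_SHA
|   TLS_RSA_WITH_AES_256_CBC_SHA256
|   TLS_RSA_WITH_DES_CBC_SHA
|   TLS_RSA_WITH_RC4_128_MD5
|   TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)
|_  uncompressed
"""

# Constructed from the Nmap 7.12 listing posted in the thread (7 suites).
NMAP_AFTER = """\
| ssl-enum-ciphers:
|   TLSv1.2:
| ciphers:
|   TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|   TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|   TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|   SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|   TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| compressors:
|   NULL
| cipher preference: server
|_  least strength: C
"""

if __name__ == "__main__":
    for label, sample in (("before", NMAP_BEFORE), ("after", NMAP_AFTER)):
        print(label, audit(sample))
    print("removed:", removed_ciphers(NMAP_BEFORE, NMAP_AFTER))
```

Run it against a saved `nmap --script ssl-enum-ciphers -p 636` capture instead of the embedded samples to get the same before/after diff for your own directory server; the six suites it reports as removed are exactly the ones the thread's explicit "-" entries were meant to drop.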

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-30 Thread Robert Story
On Fri, 29 Apr 2016 08:56:57 -0700 Sean wrote:
SH> Hi Rob,
SH> 
SH>   I stopped IPA, modified dse.ldif, restarted with the cipher list and it
SH> started without issue


Just thought I'd point out the other recent thread, "freeipa update changed
my cipher set", which mentions that dse.ldif can get reset on upgrades,
along with a way to make persistent overrides.



Robert

-- 
Senior Software Engineer @ Parsons


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-29 Thread Rob Crittenden

Sean Hogan wrote:

Thanks Rob... appreciate the help.. can you send me what you have in
nss.conf, server.xml as well? If I start off playing with something you
see working without issue then maybe I can come up with something or am
I wrong thinking those might affect anything?


The only config that matters in this case is in dse.ldif because you are 
only testing port 636 and this is what drives it.


My config is:

dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20150102143402Z
modifyTimestamp: 20150102143427Z
nsSSL3Ciphers: -rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha
numSubordinates: 1

What I did was:

# service dirsrv stop EXAMPLE-COM
# vi /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif
# service dirsrv start EXAMPLE-COM
# nmap ...

rob








From: Rob Crittenden <rcrit...@redhat.com>
To: Sean Hogan/Durham/IBM@IBMUS
Cc: freeipa-users@redhat.com, Noriko Hosoi <nho...@redhat.com>
Date: 04/29/2016 01:36 PM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL





Sean Hogan wrote:
 > Apparently making it the master ca will not work at this point since the
 > replica is removed. So still stuck with non-changing ciphers.

Other services running on the box have zero impact on the ciphers available.

I'm not sure what is wrong because it took me just a minute to stop
dirsrv, modify dse.ldif with the list I provided, restart it and confirm
that the cipher list was better.

Entries in cn=config are not replicated.

rob

 >
 >
 > Sean Hogan
 >
 >
 >
 >
 >
 >
 > From: Sean Hogan/Durham/IBM
 > To: Rob Crittenden <rcrit...@redhat.com>
 > Cc: freeipa-users@redhat.com, Noriko Hosoi <nho...@redhat.com>
 > Date: 04/29/2016 08:56 AM
 > Subject: Re: [Freeipa-users] IPA vulnerability management SSL
 >
 > 
 >
 >
 > Hi Rob,
 >
 > I stopped IPA, modified dse.ldif, restarted with the cipher list and it
 > started without issue, however same 13 ciphers. You know.. thinking about
 > this now.. I'm going to try something. The box I am testing on is a
 > replica master and not the first replica. I did not think this would
 > make a difference since I removed the replica from the realm before
 > testing, but maybe it will not change anything, thinking it's stuck in the
 > old realm?
 >
 > Starting Nmap 5.51 ( http://nmap.org <http://nmap.org/> ) at 2016-04-29
 > 11:51 EDT
 > Nmap scan report for
 > Host is up (0.82s latency).
 > PORT STATE SERVICE
 > 636/tcp open ldapssl
 > | ssl-enum-ciphers:
 > | TLSv1.2
 > | Ciphers (13)
 > | SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
 > | SSL_RSA_FIPS_WITH_DES_CBC_SHA
 > | TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
 > | TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
 > | TLS_RSA_WITH_3DES_EDE_CBC_SHA
 > | TLS_RSA_WITH_AES_128_CBC_SHA
 > | TLS_RSA_WITH_AES_128_CBC_SHA256
 > | TLS_RSA_WITH_AES_128_GCM_SHA256
 > | TLS_RSA_WITH_AES_256_CBC_SHA
 > | TLS_RSA_WITH_AES_256_CBC_SHA256
 > | TLS_RSA_WITH_DES_CBC_SHA
 > | TLS_RSA_WITH_RC4_128_MD5
 > | TLS_RSA_WITH_RC4_128_SHA
 > | Compressors (1)
 >
 > dn: cn=encryption,cn=config
 > objectClass: top
 > objectClass: nsEncryptionConfig
 > cn: encryption
 > nsSSLSessionTimeout: 0
 > nsSSLClientAuth: allowed
 > nsSSL2: off
 > nsSSL3: off
 > creatorsName: cn=server,cn=plugins,cn=config
 > modifiersName: cn=directory manager
 > createTimestamp: 20150420131850Z
 > modifyTimestamp: 20150420131906Z
 > nsSSL3Ciphers: -rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha
 > numSubordinates: 1
 >
 >

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-29 Thread Sean Hogan

Thanks Rob... appreciate the help.. can you send me what you have in
nss.conf, server.xml as well?  If I start off playing with something you
see working without issue then maybe I can come up with something or am I
wrong thinking those might affect anything?

I.e., can you send me the entire cn=encryption,cn=config section, like this:
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20150420131850Z
modifyTimestamp: 20150420131906Z
nsSSL3Ciphers: -rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha
numSubordinates: 1


Sean Hogan







From:   Rob Crittenden <rcrit...@redhat.com>
To: Sean Hogan/Durham/IBM@IBMUS
Cc: freeipa-users@redhat.com, Noriko Hosoi <nho...@redhat.com>
Date:   04/29/2016 01:36 PM
Subject:    Re: [Freeipa-users] IPA vulnerability management SSL



Sean Hogan wrote:
> Apparently making it the master ca will not work at this point since the
> replica is removed. So still stuck with non-changing ciphers.

Other services running on the box have zero impact on the ciphers
available.

I'm not sure what is wrong because it took me just a minute to stop
dirsrv, modify dse.ldif with the list I provided, restart it and confirm
that the cipher list was better.

Entries in cn=config are not replicated.

rob

>
>
> Sean Hogan
>
>
>
>
>
>
> From: Sean Hogan/Durham/IBM
> To: Rob Crittenden <rcrit...@redhat.com>
> Cc: freeipa-users@redhat.com, Noriko Hosoi <nho...@redhat.com>
> Date: 04/29/2016 08:56 AM
> Subject: Re: [Freeipa-users] IPA vulnerability management SSL
>
> 
>
>
> Hi Rob,
>
> I stopped IPA, modified dse.ldif, restarted with the cipher list and it
> started without issue, however same 13 ciphers. You know.. thinking about
> this now.. I'm going to try something. The box I am testing on is a
> replica master and not the first replica. I did not think this would
> make a difference since I removed the replica from the realm before
> testing, but maybe it will not change anything, thinking it's stuck in the
> old realm?
>
> Starting Nmap 5.51 ( http://nmap.org <http://nmap.org/> ) at 2016-04-29
> 11:51 EDT
> Nmap scan report for
> Host is up (0.82s latency).
> PORT STATE SERVICE
> 636/tcp open ldapssl
> | ssl-enum-ciphers:
> | TLSv1.2
> | Ciphers (13)
> | SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
> | SSL_RSA_FIPS_WITH_DES_CBC_SHA
> | TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
> | TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
> | TLS_RSA_WITH_3DES_EDE_CBC_SHA
> | TLS_RSA_WITH_AES_128_CBC_SHA
> | TLS_RSA_WITH_AES_128_CBC_SHA256
> | TLS_RSA_WITH_AES_128_GCM_SHA256
> | TLS_RSA_WITH_AES_256_CBC_SHA
> | TLS_RSA_WITH_AES_256_CBC_SHA256
> | TLS_RSA_WITH_DES_CBC_SHA
> | TLS_RSA_WITH_RC4_128_MD5
> | TLS_RSA_WITH_RC4_128_SHA
> | Compressors (1)
>
> dn: cn=encryption,cn=config
> objectClass: top
> objectClass: nsEncryptionConfig
> cn: encryption
> nsSSLSessionTimeout: 0
> nsSSLClientAuth: allowed
> nsSSL2: off
> nsSSL3: off
> creatorsName: cn=server,cn=plugins,cn=config
> modifiersName: cn=directory manager
> createTimestamp: 20150420131850Z
> modifyTimestamp: 20150420131906Z
> nsSSL3Ciphers: -rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha
> numSubordinates: 1
>
>
>
>
>
> Sean Hogan
> Security Engineer
> Watson Security & Risk Assurance
> Watson Cloud Technology and Support
> email: scho...@us.ibm.com | Tel 919 486 1397
>
>
>
>
>
>
>
>
> From: Rob Crittenden <rcrit...@redhat.com>
> To: Sean Hogan/Durham/IBM@IBMUS, Noriko Hosoi <nho...@redhat.com>
> Cc: freeipa-users@redhat.com
> Date: 04/29/2016 08:30 AM
> 

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-29 Thread Rob Crittenden

Sean Hogan wrote:

Apparently making it the master ca will not work at this point since the
replica is removed. So still stuck with non-changing ciphers.


Other services running on the box have zero impact on the ciphers available.

I'm not sure what is wrong because it took me just a minute to stop 
dirsrv, modify dse.ldif with the list I provided, restart it and confirm 
that the cipher list was better.


Entries in cn=config are not replicated.

rob




Sean Hogan






From: Sean Hogan/Durham/IBM
To: Rob Crittenden <rcrit...@redhat.com>
Cc: freeipa-users@redhat.com, Noriko Hosoi <nho...@redhat.com>
Date: 04/29/2016 08:56 AM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL




Hi Rob,

I stopped IPA, modified dse.ldif, restarted with the cipher list and it
started without issue, however same 13 ciphers. You know.. thinking about
this now.. I'm going to try something. The box I am testing on is a
replica master and not the first replica. I did not think this would
make a difference since I removed the replica from the realm before
testing, but maybe it will not change anything, thinking it's stuck in the
old realm?

Starting Nmap 5.51 ( http://nmap.org <http://nmap.org/> ) at 2016-04-29
11:51 EDT
Nmap scan report for
Host is up (0.82s latency).
PORT STATE SERVICE
636/tcp open ldapssl
| ssl-enum-ciphers:
| TLSv1.2
| Ciphers (13)
| SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
| SSL_RSA_FIPS_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA256
| TLS_RSA_WITH_AES_128_GCM_SHA256
| TLS_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_AES_256_CBC_SHA256
| TLS_RSA_WITH_DES_CBC_SHA
| TLS_RSA_WITH_RC4_128_MD5
| TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)

dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20150420131850Z
modifyTimestamp: 20150420131906Z
nsSSL3Ciphers: -rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha
numSubordinates: 1





Sean Hogan
Security Engineer
Watson Security & Risk Assurance
Watson Cloud Technology and Support
email: scho...@us.ibm.com | Tel 919 486 1397








From: Rob Crittenden <rcrit...@redhat.com>
To: Sean Hogan/Durham/IBM@IBMUS, Noriko Hosoi <nho...@redhat.com>
Cc: freeipa-users@redhat.com
Date: 04/29/2016 08:30 AM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL




Sean Hogan wrote:
 > Hi Noriko,
 >
 > Thanks for the suggestions,
 >
 > I had to trim out the GCM ciphers in order to get IPA to start back up
 > or I would get the unknown cipher message

The trick is getting the cipher name right (it doesn't always follow a
pattern) and explicitly disabling some ciphers as they are enabled by
default.

Try this string:

-rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha

I have an oldish install but I think it will still do what you need:
389-ds-base-1.2.11.15-68.el6_7.x86_64

Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-29 11:24 EDT
Nmap scan report for pacer.example.com (192.168.126.2)
Host is up (0.00053s latency).
PORTSTATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2:
| ciphers:
|   TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|   TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|   TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|   SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|   TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| compressors:
|   NULL
| cipher preference: server
|_  least strength: C

Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

$ sslscan pacer.example.com:636 |grep Accept
 Accep

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-29 Thread Sean Hogan

Apparently making it the master ca will not work at this point since the
replica is removed.  So still stuck with non-changing ciphers.


Sean Hogan







From:   Sean Hogan/Durham/IBM
To: Rob Crittenden <rcrit...@redhat.com>
Cc: freeipa-users@redhat.com, Noriko Hosoi <nho...@redhat.com>
Date:   04/29/2016 08:56 AM
Subject:    Re: [Freeipa-users] IPA vulnerability management SSL


Hi Rob,

  I stopped IPA, modified dse.ldif, restarted with the cipher list and it
started without issue, however same 13 ciphers.  You know.. thinking about
this now.. I'm going to try something.  The box I am testing on is a replica
master and not the first replica.  I did not think this would make a
difference since I removed the replica from the realm before testing, but
maybe it will not change anything, thinking it's stuck in the old realm?

Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-29 11:51 EDT
Nmap scan report for
Host is up (0.82s latency).
PORTSTATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
| Ciphers (13)
|   SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|   SSL_RSA_FIPS_WITH_DES_CBC_SHA
|   TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
|   TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|   TLS_RSA_WITH_3DES_EDE_CBC_SHA
|   TLS_RSA_WITH_AES_128_CBC_SHA
|   TLS_RSA_WITH_AES_128_CBC_SHA256
|   TLS_RSA_WITH_AES_128_GCM_SHA256
|   TLS_RSA_WITH_AES_256_CBC_SHA
|   TLS_RSA_WITH_AES_256_CBC_SHA256
|   TLS_RSA_WITH_DES_CBC_SHA
|   TLS_RSA_WITH_RC4_128_MD5
|   TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)

dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20150420131850Z
modifyTimestamp: 20150420131906Z
nsSSL3Ciphers: -rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha
numSubordinates: 1





Sean Hogan
Security Engineer
Watson Security & Risk Assurance
Watson Cloud Technology and Support
email: scho...@us.ibm.com | Tel 919 486 1397









From:   Rob Crittenden <rcrit...@redhat.com>
To: Sean Hogan/Durham/IBM@IBMUS, Noriko Hosoi <nho...@redhat.com>
Cc: freeipa-users@redhat.com
Date:   04/29/2016 08:30 AM
Subject:    Re: [Freeipa-users] IPA vulnerability management SSL



Sean Hogan wrote:
> Hi Noriko,
>
> Thanks for the suggestions,
>
> I had to trim out the GCM ciphers in order to get IPA to start back up
> or I would get the unknown cipher message

The trick is getting the cipher name right (it doesn't always follow a
pattern) and explicitly disabling some ciphers as they are enabled by
default.

Try this string:

-rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha


I have an oldish install but I think it will still do what you need:
389-ds-base-1.2.11.15-68.el6_7.x86_64

Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-29 11:24 EDT
Nmap scan report for pacer.example.com (192.168.126.2)
Host is up (0.00053s latency).
PORTSTATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2:
| ciphers:
|   TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|   TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|   TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|   SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|   TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| compressors:
|   NULL
| cipher preference: server
|_  least strength: C

Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

$ sslscan pacer.example.com:636 |grep Accept
 Accepted  TLSv1  256 bits  AES256-SHA
 Accepted  TLSv1  128 bits  AES128-SHA
 Accepted  TLSv1  112 bits  DES-CBC3-SHA
 Accepted  TLS11  256 bits  AES256-SHA
 Accepted  TLS11  128 bits  AES128-SHA
 Accepted  TLS11  112 bits  DES-CBC3-SHA
 Accepted  TLS12  256 bits  AES256-SHA256
 Accepted  TLS12  256 bits  AES256-SHA
 Accepted  TLS12  128 bits  AES128-GCM-SHA256
 Accepted  TLS12  128 bits  AES128-SHA256
 Accepted  TLS12  128 bits  AES128-SHA
 Accepted  TLS12  112 bits  DES-CBC3-SHA

rob

>
> Nmap is still showing the same 13 ciphers as before though like nothing
> had changed and I did ipactl stop, made modification, ipactl start
>
> tarting Nmap 5.51 ( http://nmap.org <http://nmap.org/> ) at 2016-04-28
> 18:44 EDT
> Nmap scan re

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-29 Thread Sean Hogan

Hi Rob,

  I stopped IPA, modified dse.ldif, restarted with the cipher list and it
started without issue, however same 13 ciphers.  You know.. thinking about
this now.. I'm going to try something.  The box I am testing on is a replica
master and not the first replica.  I did not think this would make a
difference since I removed the replica from the realm before testing, but
maybe it will not change anything, thinking it's stuck in the old realm?

Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-29 11:51 EDT
Nmap scan report for
Host is up (0.82s latency).
PORTSTATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
| Ciphers (13)
|   SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|   SSL_RSA_FIPS_WITH_DES_CBC_SHA
|   TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
|   TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|   TLS_RSA_WITH_3DES_EDE_CBC_SHA
|   TLS_RSA_WITH_AES_128_CBC_SHA
|   TLS_RSA_WITH_AES_128_CBC_SHA256
|   TLS_RSA_WITH_AES_128_GCM_SHA256
|   TLS_RSA_WITH_AES_256_CBC_SHA
|   TLS_RSA_WITH_AES_256_CBC_SHA256
|   TLS_RSA_WITH_DES_CBC_SHA
|   TLS_RSA_WITH_RC4_128_MD5
|   TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)

dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20150420131850Z
modifyTimestamp: 20150420131906Z
nsSSL3Ciphers: -rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha
numSubordinates: 1





Sean Hogan
Security Engineer
Watson Security & Risk Assurance
Watson Cloud Technology and Support
email: scho...@us.ibm.com | Tel 919 486 1397









From:   Rob Crittenden <rcrit...@redhat.com>
To: Sean Hogan/Durham/IBM@IBMUS, Noriko Hosoi <nho...@redhat.com>
Cc: freeipa-users@redhat.com
Date:   04/29/2016 08:30 AM
Subject:    Re: [Freeipa-users] IPA vulnerability management SSL



Sean Hogan wrote:
> Hi Noriko,
>
> Thanks for the suggestions,
>
> I had to trim out the GCM ciphers in order to get IPA to start back up
> or I would get the unknown cipher message

The trick is getting the cipher name right (it doesn't always follow a
pattern) and explicitly disabling some ciphers as they are enabled by
default.

Try this string:

-rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha


I have an oldish install but I think it will still do what you need:
389-ds-base-1.2.11.15-68.el6_7.x86_64

Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-29 11:24 EDT
Nmap scan report for pacer.example.com (192.168.126.2)
Host is up (0.00053s latency).
PORTSTATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2:
| ciphers:
|   TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|   TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|   TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|   SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|   TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| compressors:
|   NULL
| cipher preference: server
|_  least strength: C

Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

$ sslscan pacer.example.com:636 |grep Accept
 Accepted  TLSv1  256 bits  AES256-SHA
 Accepted  TLSv1  128 bits  AES128-SHA
 Accepted  TLSv1  112 bits  DES-CBC3-SHA
 Accepted  TLS11  256 bits  AES256-SHA
 Accepted  TLS11  128 bits  AES128-SHA
 Accepted  TLS11  112 bits  DES-CBC3-SHA
 Accepted  TLS12  256 bits  AES256-SHA256
 Accepted  TLS12  256 bits  AES256-SHA
 Accepted  TLS12  128 bits  AES128-GCM-SHA256
 Accepted  TLS12  128 bits  AES128-SHA256
 Accepted  TLS12  128 bits  AES128-SHA
 Accepted  TLS12  112 bits  DES-CBC3-SHA

rob

>
> Nmap is still showing the same 13 ciphers as before though like nothing
> had changed and I did ipactl stop, made modification, ipactl start
>
> tarting Nmap 5.51 ( http://nmap.org <http://nmap.org/> ) at 2016-04-28
> 18:44 EDT
> Nmap scan report for
> Host is up (0.53s latency).
> PORT STATE SERVICE
> 636/tcp open ldapssl
> | ssl-enum-ciphers:
> | TLSv1.2
> | Ciphers (13)
> | SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
> | SSL_RSA_FIPS_WITH_DES_CBC_SHA
> | TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
> | TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
> | TLS_RSA_WITH_3DES_EDE_CBC_SHA
> | TLS_RSA_WITH_AES_128_CBC_SHA
> | 

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-29 Thread Rob Crittenden

From: Noriko Hosoi <nho...@redhat.com>
To: Ludwig Krispenz <lkris...@redhat.com>, freeipa-users@redhat.com
Date: 04/28/2016 12:08 PM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL
Sent by: freeipa-users-boun...@redhat.com





Thank you for including me in the loop, Ludwig.

On 04/28/2016 04:34 AM, Ludwig Krispenz wrote:
 > If I remember correctly we did the change in default ciphers and the
option for handling in 389-ds > 1.3.3, so it would not be in RHEL6,
adding Noriko to get confirmation.

Ludwig is right.  The way to set nsSSL3Ciphers has changed since 1.3.3,
which is available on RHEL-7.

This is one of the newly supported values of nsSSL3Ciphers:

Notes: if the value contains +all, then "-" is removed from the list.

http://www.port389.org/docs/389ds/design/nss-cipher-design.html#available-by-setting-allnss-3162-1

On the older 389-ds-base including 389-ds-base-1.2.11.X on RHEL-6.X, if
"+all" is found in the value, all the available ciphers are enabled.

To work around it, could you try explicitly setting ciphers as follows?
nsSSL3Ciphers: -rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,+tls_rsa_aes_128_gcm_sha,+tls_dhe_rsa_aes_128_gcm_sha,+tls_dhe_dss_aes_128_gcm_sha

Thanks,
--noriko

On 04/28/2016 04:34 AM, Ludwig Krispenz wrote:

wanted to add Noriko, but hit send too quickly

On 04/28/2016 01:26 PM, Ludwig Krispenz wrote:

On 04/28/2016 12:06 PM, Martin Kosek wrote:
On 04/28/2016 01:23 AM, Sean Hogan wrote:
Hi Martin,

No joy on placing - in front of the RC4s


I modified my nss.conf to now read
# SSL 3 ciphers. SSL 2 is disabled by
default.
NSSCipherSuite

+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha


# SSL Protocol:
# Cryptographic protocols that provide
communication security.
# NSS handles the specified protocols as
"ranges", and automatically
# negotiates the use of the strongest
protocol for a connection starting
# with the maximum specified protocol
and downgrading as necessary to the
# minimum specified protocol that can be
used between two processes.
# Since all protocol ranges are
completely inclusive, and no protocol in
the
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2

dse.ldif

dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
creatorsName:
cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20150420131850Z
modifyTimestamp: 20150420131906Z
nsSSL3Ciphers:

+all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4

_56_sha,-tls_dhe_dss_1024_rc4_sha
numSubordinates: 1



But I still get this with nmap.. I
thought the above would remove
-tls_rsa_export1024_with_rc4_56_sha but
still showing. Is it the fact that I

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-28 Thread Sean Hogan

Hi Noriko,

  Thanks for the suggestions,

  I had to trim out the GCM ciphers in order to get IPA to start back up, or
I would get the "unknown cipher" message.

Nmap is still showing the same 13 ciphers as before, though, as if nothing had
changed, and I did ipactl stop, made the modification, ipactl start.

Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-28 18:44 EDT
Nmap scan report for
Host is up (0.53s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
| Ciphers (13)
|   SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|   SSL_RSA_FIPS_WITH_DES_CBC_SHA
|   TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
|   TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|   TLS_RSA_WITH_3DES_EDE_CBC_SHA
|   TLS_RSA_WITH_AES_128_CBC_SHA
|   TLS_RSA_WITH_AES_128_CBC_SHA256
|   TLS_RSA_WITH_AES_128_GCM_SHA256
|   TLS_RSA_WITH_AES_256_CBC_SHA
|   TLS_RSA_WITH_AES_256_CBC_SHA256
|   TLS_RSA_WITH_DES_CBC_SHA
|   TLS_RSA_WITH_RC4_128_MD5
|   TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)
|_  uncompressed

Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds

Current Config:

dse.ldif
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20150420131850Z
modifyTimestamp: 20150420131906Z
nsSSL3Ciphers:
-rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha
numSubordinates: 1


nss.conf
# SSL 3 ciphers. SSL 2 is disabled by default.
NSSCipherSuite
-rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,+tls_rsa_aes_128_gcm_sha,+tls_dhe_rsa_aes_128_gcm_sha,+tls_dhe_dss_aes_128_gcm_sha

NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2


Does nss.conf have anything to do with the dirsrv ciphers?  I know the 389
docs say they are tied together, so the way I have been looking at it is that
nss.conf lists the allowed ciphers and dse.ldif lists which ones of those to
use for 389.  Is that correct?  Is there any other place where
ciphers would be ignored?

nss-3.19.1-8.el6_7.x86_64
sssd-ipa-1.12.4-47.el6_7.4.x86_64
ipa-client-3.0.0-47.el6_7.1.x86_64
ipa-server-selinux-3.0.0-47.el6_7.1.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-python-3.0.0-47.el6_7.1.x86_64
ipa-server-3.0.0-47.el6_7.1.x86_64
libipa_hbac-python-1.12.4-47.el6_7.4.x86_64
ipa-admintools-3.0.0-47.el6_7.1.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
389-ds-base-1.2.11.15-68.el6_7.x86_64
389-ds-base-libs-1.2.11.15-68.el6_7.x86_64


I need to get rid of any rc4s

Sean Hogan
Security Engineer
Watson Security & Risk Assurance
Watson Cloud Technology and Support
email: scho...@us.ibm.com | Tel 919 486 1397

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-28 Thread Noriko Hosoi

Thank you for including me in the loop, Ludwig.

On 04/28/2016 04:34 AM, Ludwig Krispenz wrote:
> If I remember correctly we did the change in default ciphers and the 
option for handling in 389-ds > 1.3.3, so it would not be in RHEL6, 
adding Noriko to get confirmation.


Ludwig is right.  The way how to set nsSSL3Ciphers has been changed 
since 1.3.3 which is available on RHEL-7.


This is one of the newly supported values of nsSSL3Ciphers:

   Notes: if the value contains +all, then - is removed from
   the list.

http://www.port389.org/docs/389ds/design/nss-cipher-design.html#available-by-setting-allnss-3162-1

On the older 389-ds-base including 389-ds-base-1.2.11.X on RHEL-6.X, if
"+all" is found in the value, all the available ciphers are enabled.

To work around it, could you try explicitly setting ciphers as follows?
nsSSL3Ciphers:
-rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,
+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,
+tls_rsa_aes_128_gcm_sha,+tls_dhe_rsa_aes_128_gcm_sha,+tls_dhe_dss_aes_128_gcm_sha

Thanks,
--noriko


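Noriko's point about the two generations of 389-ds is easy to misread, so here is an added example (not code from 389-ds or FreeIPA) that models both interpretations of an nsSSL3Ciphers value and shows why Sean's "+all,-..." string could not remove anything on 389-ds-base 1.2.11, why the GCM names in the suggested workaround are refused there, and how an explicit allow-list gets the intended result. The cipher table is a constructed subset: the names quoted in this thread plus four assumed legacy entries (rsa_rc4_128_md5, rsa_rc4_128_sha, rsa_des_sha, rsa_3des_sha). The left-to-right evaluation for 1.3.3+ and treating an unknown name as fatal are modelling choices, not a reading of the server source.

```python
"""Model of how 389 Directory Server evaluates an nsSSL3Ciphers value.

Added example, not code from 389-ds or FreeIPA.  Two readings are
modelled, following Noriko's description in this thread:
  * 1.2.11 (RHEL 6): if "+all" appears anywhere, every known cipher is
    enabled and the "-" entries are ignored;
  * 1.3.3+ (RHEL 7): tokens are applied left to right, so "-x" after
    "+all" removes x.
Treating an unknown name as fatal (the "unknown cipher" start-up failure
reported in the thread) and the left-to-right evaluation are modelling
assumptions, not a reading of the server source.
"""
from __future__ import annotations

# Constructed subset of 389-ds short cipher names: the ones quoted in this
# thread plus four assumed legacy entries.
LEGACY_CIPHERS = frozenset({
    "rsa_null_md5", "rsa_null_sha",
    "rsa_rc4_128_md5", "rsa_rc4_128_sha",              # assumed
    "rsa_rc4_56_sha", "tls_rsa_export1024_with_rc4_56_sha",
    "tls_dhe_dss_1024_rc4_sha",
    "rsa_des_sha", "rsa_3des_sha",                     # assumed
    "tls_rsa_aes_128_sha", "rsa_aes_128_sha",
    "tls_dhe_dss_aes_128_sha", "tls_dhe_rsa_aes_128_sha",
    "tls_rsa_aes_256_sha", "rsa_aes_256_sha",
})
# 1.3.3+ also knows the GCM names Noriko suggested; 1.2.11 does not.
MODERN_CIPHERS = LEGACY_CIPHERS | {
    "tls_rsa_aes_128_gcm_sha", "tls_dhe_rsa_aes_128_gcm_sha",
    "tls_dhe_dss_aes_128_gcm_sha",
}

# Values quoted in the thread.
SEAN_SPEC = ("+all,-rsa_null_sha,-rsa_rc4_56_sha,"
             "-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha")
NORIKO_SPEC = (
    "-rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,"
    "-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,"
    "+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,"
    "+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,"
    "+tls_rsa_aes_128_gcm_sha,+tls_dhe_rsa_aes_128_gcm_sha,"
    "+tls_dhe_dss_aes_128_gcm_sha")
# What Sean was left with on 1.2.11 after dropping the GCM names.
NORIKO_SPEC_NO_GCM = ",".join(t for t in NORIKO_SPEC.split(",") if "gcm" not in t)


def parse_spec(spec: str) -> list[tuple[str, str]]:
    """Split a value into (sign, name) pairs.  Whitespace and newlines are
    dropped first, so a value folded across LDIF continuation lines parses
    like a single-line one."""
    pairs = []
    for token in spec.replace("\n", "").replace(" ", "").split(","):
        if not token:
            continue
        if token[0] not in "+-":
            raise ValueError(f"token must start with + or -: {token!r}")
        pairs.append((token[0], token[1:].lower()))
    return pairs


def enabled_ciphers(spec: str, known: frozenset[str], legacy: bool) -> set[str]:
    """Return the cipher names the server would enable for `spec`."""
    pairs = parse_spec(spec)
    unknown = sorted(n for _, n in pairs if n != "all" and n not in known)
    if unknown:
        raise ValueError("unknown cipher: " + ", ".join(unknown))
    if legacy and ("+", "all") in pairs:
        return set(known)                # 1.2.11: "+all" wins, "-" entries ignored
    enabled: set[str] = set()
    for sign, name in pairs:             # 1.3.3+: applied left to right
        targets = set(known) if name == "all" else {name}
        enabled = enabled | targets if sign == "+" else enabled - targets
    return enabled


def explicit_allow_list(spec: str, known: frozenset[str]) -> str:
    """Rewrite "+all,-x,..." as the explicit "+a,+b,..." form that 1.2.11
    honours.  The intended set is computed with the 1.3.3+ rules; suites the
    spec never negated (the RC4_128 ones in Sean's case) stay in, so the
    result still has to be reviewed."""
    wanted = enabled_ciphers(spec, known, legacy=False)
    return ",".join("+" + name for name in sorted(wanted))


if __name__ == "__main__":
    for label, legacy in (("1.2.11", True), ("1.3.3+", False)):
        got = enabled_ciphers(SEAN_SPEC, LEGACY_CIPHERS, legacy)
        print(f"{label}: {len(got)} enabled, RC4 left: {sorted(n for n in got if 'rc4' in n)}")
    try:
        enabled_ciphers(NORIKO_SPEC, LEGACY_CIPHERS, legacy=True)
    except ValueError as exc:
        print("1.2.11 refuses Noriko's full list:", exc)
    print("1.2.11 without GCM:", sorted(enabled_ciphers(NORIKO_SPEC_NO_GCM, LEGACY_CIPHERS, True)))
    print("explicit form of Sean's value:", explicit_allow_list(SEAN_SPEC, LEGACY_CIPHERS))
```

Run it as a script and the first line shows the whole table enabled under the 1.2.11 reading, RC4 included; the explicit form it prints is the shape of value that the old server honours, and it makes visible that a "-" list only removes what it names.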
Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-28 Thread Sean Hogan

Hey guys..  yes I so want to upgrade to 4.x however not in my control right
now and can not really discuss.  I see us stuck at 3.x for a while.



Sean Hogan

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-28 Thread Sean Hogan



Tenable is barking about the following.. only listing 636 but the same
applies for 389

Plugin ID: 65821  Port 636

Synopsis: The remote service supports the use of the RC4 cipher.
Description
The remote host supports the use of RC4 in one or more cipher
suites.
The RC4 cipher is flawed in its generation of a pseudo-random stream of
bytes so that a wide variety of small biases are introduced into
the stream, decreasing its randomness.


And 636 and 389 for

Plugin ID: 81606  port 389
Synopsis: The remote host supports a set of weak ciphers.
Description The remote host supports EXPORT_RSA cipher suites with keys
less than or equal to 512 bits. An attacker can factor a 512-bit RSA
modulus in a short amount of time.
A man-in-the middle attacker may be able to downgrade the session to use
EXPORT_RSA cipher suites (e.g. CVE-2015-0204). Thus, it is recommended to
remove support for weak cipher suites.

This is why I was trying to remove -tls_rsa_export1024_with_rc4_56_sha


Sean Hogan

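The scanner output is the only feedback loop in this thread, so here is an added example (not code from nmap, Tenable or FreeIPA) that parses the output of nmap --script ssl-enum-ciphers in both the Nmap 5.x layout Sean posted and the 7.x layout Martin posted, and flags the suite classes the two Tenable plugins above report (RC4, EXPORT) together with single DES, NULL, anonymous and MD5 suites. SCAN_RHEL6 is the port and script-output part of Sean's 13-cipher scan from this thread; SCAN_DEMO is an abridged copy of Martin's FreeIPA 4.3.1 demo scan.

```python
"""Parse `nmap --script ssl-enum-ciphers` output and flag weak suites.

Added example, not code from nmap, Tenable or FreeIPA.  Handles both the
Nmap 5.x layout ("| Ciphers (13)" then bare names) and the 7.x layout
("| ciphers:" then "NAME (kex) - grade").  SCAN_RHEL6 is the port and
script-output part of Sean's 13-cipher scan from this thread; SCAN_DEMO
is an abridged copy of Martin's FreeIPA 4.3.1 demo scan.
"""
from __future__ import annotations
import re

SCAN_RHEL6 = """\
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
| Ciphers (13)
|   SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|   SSL_RSA_FIPS_WITH_DES_CBC_SHA
|   TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
|   TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|   TLS_RSA_WITH_3DES_EDE_CBC_SHA
|   TLS_RSA_WITH_AES_128_CBC_SHA
|   TLS_RSA_WITH_AES_128_CBC_SHA256
|   TLS_RSA_WITH_AES_128_GCM_SHA256
|   TLS_RSA_WITH_AES_256_CBC_SHA
|   TLS_RSA_WITH_AES_256_CBC_SHA256
|   TLS_RSA_WITH_DES_CBC_SHA
|   TLS_RSA_WITH_RC4_128_MD5
|   TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)
|_  uncompressed
"""

SCAN_DEMO = """\
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
"""

SCRIPT_LINE = re.compile(r"^\|[_ ]*(?P<body>.*)$")   # nmap script-output lines start with "|"
PROTO = re.compile(r"(?:SSLv[23]|TLSv1(?:\.[0-3])?)")
SUITE = re.compile(r"\b((?:TLS|SSL)_[A-Za-z0-9_]+)")


def parse_ssl_enum(output: str) -> dict[str, list[str]]:
    """Return {protocol: [offered suite, ...]} in the order nmap printed them."""
    suites: dict[str, list[str]] = {}
    proto = None
    for raw in output.splitlines():
        m = SCRIPT_LINE.match(raw)
        if not m:
            continue                                   # banner, port table, etc.
        body = m.group("body").strip()
        if PROTO.fullmatch(body.rstrip(":")):          # "TLSv1.2" (5.x) or "TLSv1.2:" (7.x)
            proto = body.rstrip(":")
            suites.setdefault(proto, [])
            continue
        s = SUITE.search(body)
        if s and proto is not None:
            suites[proto].append(s.group(1))
    return suites


# Tag -> predicate over the "_"-separated tokens of an IANA suite name.
# RC4 and EXPORT are what the two Tenable plugins quoted in this thread
# report; the other classes are the usual additional fails.
WEAK_RULES = (
    ("RC4",    lambda t: "RC4" in t),
    ("EXPORT", lambda t: any(x.startswith("EXPORT") for x in t)),   # EXPORT, EXPORT1024
    ("DES",    lambda t: "DES" in t),          # single DES only; "3DES" is a different token
    ("NULL",   lambda t: "NULL" in t),
    ("ANON",   lambda t: "ANON" in t),
    ("MD5",    lambda t: t[-1] == "MD5"),
)


def weaknesses(suite: str) -> list[str]:
    """Tags tripped by one suite, e.g. TLS_RSA_EXPORT1024_WITH_RC4_56_SHA -> [RC4, EXPORT]."""
    tokens = suite.upper().split("_")
    return [tag for tag, rule in WEAK_RULES if rule(tokens)]


def audit(output: str) -> dict[str, dict[str, list[str]]]:
    """protocol -> {suite: tags} for every offered suite that trips a rule."""
    return {proto: {s: weaknesses(s) for s in offered if weaknesses(s)}
            for proto, offered in parse_ssl_enum(output).items()}


if __name__ == "__main__":
    for name, scan in (("RHEL 6 IPA 3.0", SCAN_RHEL6), ("FreeIPA 4.3.1 demo", SCAN_DEMO)):
        for proto, flagged in audit(scan).items():
            print(f"{name} {proto}: {len(flagged)} weak suite(s) offered")
            for suite, tags in flagged.items():
                print(f"  {suite}: {', '.join(tags)}")
```

Feed it the saved output of the nmap command from this thread after each restart; the 13-cipher scan yields six flagged suites (the two EXPORT1024 ones, three single-DES ones and the RC4_128 pair), and the scan is clean only when audit() returns an empty map for every protocol.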
Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-28 Thread Sean Hogan

Yes sir.. I am stopping DS with ipactl stop before making changes.  I
often have to really play with the ciphers because many times when I
restart DS I get "unknown cipher" and IPA fails to start.  Then I go back into
dse.ldif and modify it until it comes back up.




Sean Hogan
Security Engineer
Watson Security & Risk Assurance
Watson Cloud Technology and Support
email: scho...@us.ibm.com | Tel 919 486 1397

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-28 Thread Ludwig Krispenz

wanted to add Noriko, but hit send too quickly


Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-28 Thread Ludwig Krispenz


On 04/28/2016 12:06 PM, Martin Kosek wrote:

On 04/28/2016 01:23 AM, Sean Hogan wrote:

Hi Martin,

No joy on placing - in front of the RC4s


I modified my nss.conf to now read
# SSL 3 ciphers. SSL 2 is disabled by default.
NSSCipherSuite
+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha

# SSL Protocol:
# Cryptographic protocols that provide communication security.
# NSS handles the specified protocols as "ranges", and automatically
# negotiates the use of the strongest protocol for a connection starting
# with the maximum specified protocol and downgrading as necessary to the
# minimum specified protocol that can be used between two processes.
# Since all protocol ranges are completely inclusive, and no protocol in the
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2

dse.ldif

dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20150420131850Z
modifyTimestamp: 20150420131906Z
nsSSL3Ciphers: +all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha
numSubordinates: 1



But I still get this with nmap.. I thought the above would remove
-tls_rsa_export1024_with_rc4_56_sha but it is still showing. Is it the fact that I am
not offering -tls_rsa_export1024_with_rc4_56_sha? If so.. not really understanding
where it is coming from except the +all from DS, but the - should be negating that?

Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 17:37 EDT
Nmap scan report for rtpvxl0077.watson.local (10.110.76.242)
Host is up (0.86s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
| TLSv1.2
| Ciphers (13)
| SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
| SSL_RSA_FIPS_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA256
| TLS_RSA_WITH_AES_128_GCM_SHA256
| TLS_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_AES_256_CBC_SHA256
| TLS_RSA_WITH_DES_CBC_SHA
| TLS_RSA_WITH_RC4_128_MD5
| TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)
|_ uncompressed

Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds



It seems no matter what config I put into nss.conf or dse.ldif nothing changes
with my nmap results. Is there supposed to be a section to add TLS ciphers
instead of SSL?

Not sure now, CCing Ludwig who was involved in the original RHEL-6
implementation.
If I remember correctly we did the change in default ciphers and the 
option for handling in 389-ds > 1.3.3, so it would not be in RHEL6, 
adding Noriko to get confirmation.


but the below comments about changing ciphers in dse.ldif could help in 
using the "old" way to set ciphers

Just to be sure, when you are modifying dse.ldif, the procedure
should be always following:

1) Stop Directory Server service
2) Modify dse.ldif
3) Start Directory Server service

Otherwise it won't get applied and will get overwritten later.

In any case, the ciphers with RHEL-6 should be secure enough, the ones in
FreeIPA 4.3.1 should be even better. This is for example an nmap taken on
FreeIPA Demo instance that runs on FreeIPA 4.3.1:

$ nmap --script ssl-enum-ciphers -p 636 ipa.demo1.freeipa.org

Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-28 12:02 CEST
Nmap scan report for ipa.demo1.freeipa.org (209.132.178.99)
Host is up (0.18s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2:
| ciphers:
|   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|   TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|   TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|   TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|   TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|   TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|   TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|   TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|   TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| compressors:
|   NULL
| cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 21.12 seconds

Martin


--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill


Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-28 Thread Martin Kosek
On 04/28/2016 01:23 AM, Sean Hogan wrote:
> Hi Martin,
> 
> No joy on placing - in front of the RC4s
> 
> 
> I modified my nss.conf to now read
> # SSL 3 ciphers. SSL 2 is disabled by default.
> NSSCipherSuite 
> +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha
> 
> # SSL Protocol:
> # Cryptographic protocols that provide communication security.
> # NSS handles the specified protocols as "ranges", and automatically
> # negotiates the use of the strongest protocol for a connection starting
> # with the maximum specified protocol and downgrading as necessary to the
> # minimum specified protocol that can be used between two processes.
> # Since all protocol ranges are completely inclusive, and no protocol in the
> NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
> 
> dse.ldif
> 
> dn: cn=encryption,cn=config
> objectClass: top
> objectClass: nsEncryptionConfig
> cn: encryption
> nsSSLSessionTimeout: 0
> nsSSLClientAuth: allowed
> nsSSL2: off
> nsSSL3: off
> creatorsName: cn=server,cn=plugins,cn=config
> modifiersName: cn=directory manager
> createTimestamp: 20150420131850Z
> modifyTimestamp: 20150420131906Z
> nsSSL3Ciphers: +all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4
> _56_sha,-tls_dhe_dss_1024_rc4_sha
> numSubordinates: 1
> 
> 
> 
> But I still get this with nmap.. I thought the above would remove
> -tls_rsa_export1024_with_rc4_56_sha but still showing. Is it the fact that I
> am not offering -tls_rsa_export1024_with_rc4_56_sha? If so.. not really
> understanding where it is coming from except the +all from DS but the - should
> be negating that?
> 
> Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 17:37 EDT
> Nmap scan report for rtpvxl0077.watson.local (10.110.76.242)
> Host is up (0.86s latency).
> PORT STATE SERVICE
> 636/tcp open ldapssl
> | ssl-enum-ciphers:
> | TLSv1.2
> | Ciphers (13)
> | SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
> | SSL_RSA_FIPS_WITH_DES_CBC_SHA
> | TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
> | TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
> | TLS_RSA_WITH_3DES_EDE_CBC_SHA
> | TLS_RSA_WITH_AES_128_CBC_SHA
> | TLS_RSA_WITH_AES_128_CBC_SHA256
> | TLS_RSA_WITH_AES_128_GCM_SHA256
> | TLS_RSA_WITH_AES_256_CBC_SHA
> | TLS_RSA_WITH_AES_256_CBC_SHA256
> | TLS_RSA_WITH_DES_CBC_SHA
> | TLS_RSA_WITH_RC4_128_MD5
> | TLS_RSA_WITH_RC4_128_SHA
> | Compressors (1)
> |_ uncompressed
> 
> Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
> 
> 
> 
> It seems no matter what config I put into nss.conf or dse.ldif nothing
> changes with my nmap results. Is there supposed to be a section to add TLS
> ciphers instead of SSL?

Not sure now, CCing Ludwig who was involved in the original RHEL-6
implementation. Just to be sure, when you are modifying dse.ldif, the procedure
should always be the following:

1) Stop Directory Server service
2) Modify dse.ldif
3) Start Directory Server service

Otherwise it won't get applied and will get overwritten later.

In any case, the ciphers with RHEL-6 should be secure enough, the ones in
FreeIPA 4.3.1 should be even better. This is for example an nmap taken on
FreeIPA Demo instance that runs on FreeIPA 4.3.1:

$ nmap --script ssl-enum-ciphers -p 636 ipa.demo1.freeipa.org

Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-28 12:02 CEST
Nmap scan report for ipa.demo1.freeipa.org (209.132.178.99)
Host is up (0.18s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2:
| ciphers:
|   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|   TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|   TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|   TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|   TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|   TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|   TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|   TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|   TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| compressors:
|   NULL
| cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 21.12 seconds

Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
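The stop/modify/start procedure Martin gives above is the one place where this edit can be made safely, and Sean's paste shows a detail that bites people who script it: the long nsSSL3Ciphers value is folded onto a second physical line that begins with a single space, which is an LDIF continuation line, so a sed or grep on the first line alone edits only half of the value. The script below is an added example (not FreeIPA or 389-ds project code): it unfolds the entry, replaces nsSSL3Ciphers under cn=encryption,cn=config, re-folds long lines and keeps a timestamped backup. The script name, the sample dse.ldif fragment and the instance path in the usage line are assumptions.

```python
"""dse_set_ciphers.py (hypothetical name): rewrite nsSSL3Ciphers in a 389-ds dse.ldif.

Run it only while the Directory Server instance is stopped (ipactl stop, or
service dirsrv stop): a running instance writes dse.ldif itself and would
overwrite the change, which is why the thread insists on stop/modify/start.
Added example; not FreeIPA or 389-ds project code.
"""
import shutil
import sys
from datetime import datetime

ENCRYPTION_DN = "cn=encryption,cn=config"

# Constructed sample dse.ldif fragment modelled on the entry pasted in the
# thread. Note the folded nsSSL3Ciphers value: per RFC 2849 a continuation
# line starts with exactly one space.
SAMPLE_DSE = """\
dn: cn=config
objectClass: top
cn: config

dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSL2: off
nsSSL3: off
nsSSL3Ciphers: +all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4
 _56_sha,-tls_dhe_dss_1024_rc4_sha
numSubordinates: 1
"""


def unfold(text):
    """Join LDIF continuation lines (leading single space) into logical lines."""
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]
        else:
            logical.append(line)
    return logical


def fold(line, width=76):
    """Fold one logical line back into physical lines of at most `width` chars."""
    if len(line) <= width:
        return [line]
    pieces, rest = [line[:width]], line[width:]
    while rest:
        pieces.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return pieces


def split_entries(lines):
    """Group logical lines into entries; entries are separated by blank lines."""
    entries, current = [], []
    for line in lines:
        if line.strip():
            current.append(line)
        elif current:
            entries.append(current)
            current = []
    if current:
        entries.append(current)
    return entries


def _is_dn(entry, dn):
    return entry[0].lower() == f"dn: {dn}".lower()


def get_attr(text, dn, attr):
    """Return the unfolded value of attr in the entry dn, or None if absent."""
    for entry in split_entries(unfold(text)):
        if _is_dn(entry, dn):
            for line in entry:
                name, _, value = line.partition(":")
                if name.lower() == attr.lower():
                    return value.strip()
    return None


def set_attr(text, dn, attr, value):
    """Return new LDIF text with attr in entry dn replaced in place (appended if absent).

    Attribute names compare case-insensitively, as the server normalizes them.
    nsSSL3Ciphers is single-valued, so any extra value lines are dropped.
    Base64 ('::') values are not special-cased; cn=encryption has none.
    """
    out, found = [], False
    for entry in split_entries(unfold(text)):
        if _is_dn(entry, dn):
            found = True
            new_entry, done = [], False
            for line in entry:
                if line.partition(":")[0].lower() == attr.lower():
                    if not done:
                        new_entry.append(f"{attr}: {value}")
                        done = True
                    continue
                new_entry.append(line)
            if not done:
                new_entry.append(f"{attr}: {value}")
            entry = new_entry
        for line in entry:
            out.extend(fold(line))
        out.append("")
    if not found:
        raise KeyError(f"entry {dn} not found")
    return "\n".join(out)


def main(argv):
    if len(argv) != 3:
        print(f"usage: {argv[0]} /etc/dirsrv/slapd-INSTANCE/dse.ldif '<cipher list>'")
        return 2
    path, value = argv[1], argv[2]
    with open(path) as fh:
        text = fh.read()
    backup = f"{path}.{datetime.now():%Y%m%d%H%M%S}.bak"  # keep a copy to roll back
    shutil.copy2(path, backup)
    with open(path, "w") as fh:
        fh.write(set_attr(text, ENCRYPTION_DN, "nsSSL3Ciphers", value))
    print(f"updated {path} (backup: {backup})")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once per dirsrv instance on the host (the prompt in Sean's later mail shows a slapd-PKI-IPA instance next to the realm instance, and each has its own dse.ldif), then start the services and re-run the nmap check to confirm the offered list actually changed.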


Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-27 Thread Sean Hogan
Hi Martin,

  No joy on placing - in front of the RC4s


I modified my nss.conf  to now read
# SSL 3 ciphers. SSL 2 is disabled by default.
NSSCipherSuite
+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha

#   SSL Protocol:
#   Cryptographic protocols that provide communication security.
#   NSS handles the specified protocols as "ranges", and automatically
#   negotiates the use of the strongest protocol for a connection starting
#   with the maximum specified protocol and downgrading as necessary to the
#   minimum specified protocol that can be used between two processes.
#   Since all protocol ranges are completely inclusive, and no protocol in the
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2

dse.ldif

dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20150420131850Z
modifyTimestamp: 20150420131906Z
nsSSL3Ciphers: +all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4
 _56_sha,-tls_dhe_dss_1024_rc4_sha
numSubordinates: 1



But I still get this with nmap.. I thought the above would remove
-tls_rsa_export1024_with_rc4_56_sha but still showing.  Is it the fact that
I am not offering -tls_rsa_export1024_with_rc4_56_sha?  If so.. not really
understanding where it is coming from except the +all from DS but the -
should be negating that?

Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 17:37 EDT
Nmap scan report for rtpvxl0077.watson.local (10.110.76.242)
Host is up (0.86s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
| Ciphers (13)
|   SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|   SSL_RSA_FIPS_WITH_DES_CBC_SHA
|   TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
|   TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|   TLS_RSA_WITH_3DES_EDE_CBC_SHA
|   TLS_RSA_WITH_AES_128_CBC_SHA
|   TLS_RSA_WITH_AES_128_CBC_SHA256
|   TLS_RSA_WITH_AES_128_GCM_SHA256
|   TLS_RSA_WITH_AES_256_CBC_SHA
|   TLS_RSA_WITH_AES_256_CBC_SHA256
|   TLS_RSA_WITH_DES_CBC_SHA
|   TLS_RSA_WITH_RC4_128_MD5
|   TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)
|_  uncompressed

Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds



It seems no matter what config I put into nss.conf or dse.ldif nothing
changes with my nmap results.  Is there supposed to be a section to
add TLS ciphers instead of SSL?



Sean Hogan







From:   Sean Hogan/Durham/IBM
To: Martin Kosek <mko...@redhat.com>
Cc: freeipa-users <freeipa-users@redhat.com>
Date:   04/27/2016 09:59 AM
Subject:    Re: [Freeipa-users] IPA vulnerability management SSL




I ran the following:
nmap --script ssl-enum-ciphers -p 636 `hostname`

Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 12:48 EDT
Nmap scan report for bob
Host is up (0.78s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
| Ciphers (13)
|   SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|   SSL_RSA_FIPS_WITH_DES_CBC_SHA
|   TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
|   TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|   TLS_RSA_WITH_3DES_EDE_CBC_SHA
|   TLS_RSA_WITH_AES_128_CBC_SHA
|   TLS_RSA_WITH_AES_128_CBC_SHA256
|   TLS_RSA_WITH_AES_128_GCM_SHA256
|   TLS_RSA_WITH_AES_256_CBC_SHA
|   TLS_RSA_WITH_AES_256_CBC_SHA256
|   TLS_RSA_WITH_DES_CBC_SHA
|   TLS_RSA_WITH_RC4_128_MD5
|   TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)
|_  uncompressed

Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds


Tenable is barking about the following.. only listing 636 but the same
applies for 389

Plugin ID: 65821  Port 636

Synopsis: The remote service supports the use of the RC4 cipher.
Description
The remote host supports the use of RC4 in one or more cipher
suites.
The RC4 cipher is flawed in its generation of a pseudo-random stream of
bytes so that a wide variety of small biases are introduced into
the stream, decreasing its randomness.


And 636 and 389 for

Plugin ID: 81606  port 389
Synopsis: The remote host supports a set of weak ciphers.
Description The remote host supports EXPORT_RSA cipher suites with keys
less than or equal to 512 bits. An attacker can factor a 512-bit RSA
modulus in a short amount of time.
A man-in-the middle attacker may be able to downgrade the session to use
EXPORT_RSA cipher suites (e.g. CVE-2015-0204). Thus, it is recommended to
remove support for weak cipher suites.


So I do see RC4 and the exports so I guess I can - those in the dse.ldif





From:   Sean Hogan/Durham/IBM
To: Martin Kosek <mko...@redhat.com>
Cc: freeipa-users <freeipa-users@redhat.com>
Date:   04/2

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-27 Thread Sean Hogan

Hi Alex,

   Just wanted to make sure.. needed to know if I had to upgrade or spend
more time trial and erroring this out.

So since my nmap is showing this
[bob@server slapd-PKI-IPA]# nmap --script ssl-enum-ciphers -p 636
`hostname`

Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 13:42 EDT
Nmap scan report for
Host is up (0.90s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
| Ciphers (13)
|   SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|   SSL_RSA_FIPS_WITH_DES_CBC_SHA
|   TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
|   TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|   TLS_RSA_WITH_3DES_EDE_CBC_SHA
|   TLS_RSA_WITH_AES_128_CBC_SHA
|   TLS_RSA_WITH_AES_128_CBC_SHA256
|   TLS_RSA_WITH_AES_128_GCM_SHA256
|   TLS_RSA_WITH_AES_256_CBC_SHA
|   TLS_RSA_WITH_AES_256_CBC_SHA256
|   TLS_RSA_WITH_DES_CBC_SHA
|   TLS_RSA_WITH_RC4_128_MD5
|   TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)
|_  uncompressed

Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds


I decided to remove TLS_RSA_EXPORT1024_WITH_RC4_56_SHA so I looked up what DS
actually names this to be and it looks like these have to be removed

TLS_RSA_EXPORT1024_WITH_RC4_56_SHA    rsa_rc4_56_sha
                                      tls_dhe_dss_1024_rc4_sha
                                      tls_rsa_export1024_with_rc4_56_sh

I stopped IPA with ipactl stop
modified dse.ldif with this


nsSSL3Ciphers: +all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4
 _56_sha,-tls_dhe_dss_1024_rc4_sha
allowweakcipher: off
numSubordinates: 1

Reran nmap and it still shows TLS_RSA_EXPORT1024_WITH_RC4_56_SHA

[bob@server slapd-PKI-IPA]# nmap --script ssl-enum-ciphers -p 636 `hostname`

Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 13:48 EDT
Nmap scan report for
Host is up (0.78s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
| Ciphers (13)
|   SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|   SSL_RSA_FIPS_WITH_DES_CBC_SHA
|   TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
|   TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|   TLS_RSA_WITH_3DES_EDE_CBC_SHA
|   TLS_RSA_WITH_AES_128_CBC_SHA
|   TLS_RSA_WITH_AES_128_CBC_SHA256
|   TLS_RSA_WITH_AES_128_GCM_SHA256
|   TLS_RSA_WITH_AES_256_CBC_SHA
|   TLS_RSA_WITH_AES_256_CBC_SHA256
|   TLS_RSA_WITH_DES_CBC_SHA
|   TLS_RSA_WITH_RC4_128_MD5
|   TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)
|_  uncompressed

Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

Am I doing something wrong here?



Sean Hogan







From:   Alexander Bokovoy <aboko...@redhat.com>
To: Sean Hogan/Durham/IBM@IBMUS
Cc: freeipa-users <freeipa-users@redhat.com>
Date:   04/27/2016 10:35 AM
Subject:    Re: [Freeipa-users] IPA vulnerability management SSL



On Wed, 27 Apr 2016, Sean Hogan wrote:
>
>Hello Alexander
>
>
>I knew the below which is why I added my DS rpm version in the orig email
>which made sense to me but per 389 DS docs allowweakcipher starts in
>1.3.3.2 in case anyone else reads this.  At least that's what the docs say
>but you may know something where it actually does not work til 1.3.4.0.  I
>dunno
>http://directory.fedoraproject.org/docs/389ds/design/nss-cipher-design.html
>
>
>Additionally I want to clarify the comment 4.3.1 has this as default setup.
>Are you suggesting that IPA 3.0.47 for rhel6 is incapable of getting a
>stronger ssl config and that anyone who needs tighter cipher control needs
>to upgrade to IPA 4.3.1 and their OS to RHEL(centos, scientific) 7
All I said is that we fixed this particular issue to make sure defaults
in 4.3.1 reflect current status quo on SSL ciphers.

If you want to have a similar setup with 3.0.47, you are welcome to
improve the configuration based on the effort we did for 4.3.1.

Notice that I said nothing about incapability of either deployment to
handle this, not sure where you were able to read that from.

--
/ Alexander Bokovoy




Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-27 Thread Alexander Bokovoy

On Wed, 27 Apr 2016, Sean Hogan wrote:


Hello Alexander


I knew the below which is why I added my DS rpm version in the orig email
which made sense to me but per 389 DS docs allowweakcipher starts in
1.3.3.2 in case anyone else reads this.  At least that's what the docs say
but you may know something where it actually does not work til 1.3.4.0.  I
dunno
http://directory.fedoraproject.org/docs/389ds/design/nss-cipher-design.html


Additionally I want to clarify the comment 4.3.1 has this as default setup.
Are you suggesting that IPA 3.0.47 for rhel6 is incapable of getting a
stronger ssl config and that anyone who needs tighter cipher control needs
to upgrade to IPA 4.3.1 and their OS to RHEL(centos, scientific) 7

All I said is that we fixed this particular issue to make sure defaults
in 4.3.1 reflect current status quo on SSL ciphers.

If you want to have a similar setup with 3.0.47, you are welcome to
improve the configuration based on the effort we did for 4.3.1.

Notice that I said nothing about incapability of either deployment to
handle this, not sure where you were able to read that from.

--
/ Alexander Bokovoy



Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-27 Thread Sean Hogan

Hello Alexander


I knew the below which is why I added my DS rpm version in the orig email
which made sense to me but per 389 DS docs allowweakcipher starts in
1.3.3.2 in case anyone else reads this.  At least that's what the docs say
but you may know something where it actually does not work til 1.3.4.0.  I
dunno
http://directory.fedoraproject.org/docs/389ds/design/nss-cipher-design.html


Additionally I want to clarify the comment 4.3.1 has this as default setup.
Are you suggesting that IPA 3.0.47 for rhel6 is incapable of getting a
stronger ssl config and that anyone who needs tighter cipher control needs
to upgrade to IPA 4.3.1 and their OS to RHEL(centos, scientific) 7

Sean Hogan






From:   Alexander Bokovoy <aboko...@redhat.com>
To: Sean Hogan/Durham/IBM@IBMUS
Cc: freeipa-users <freeipa-users@redhat.com>
Date:   04/26/2016 11:52 PM
Subject:    Re: [Freeipa-users] IPA vulnerability management SSL



On Tue, 26 Apr 2016, Sean Hogan wrote:
>
>
>Hello,
>
>  We currently have 7 ipa servers in multi master running:
>
>ipa-server-3.0.0-47.el6_7.1.x86_64
>389-ds-base-1.2.11.15-68.el6_7.x86_64
>
>Tenable is showing the use of weak ciphers along with freak
>vulnerabilities.  I have followed
>https://access.redhat.com/solutions/675183 however issues remain in the
>ciphers being used.
$ git log --oneline 5f3c87e1380e56d76d4a4bef3af07633a8589891|head -1
5f3c87e Ticket #47838 - harden the list of ciphers available by default
$ git tag --contains 5f3c87e1380e56d76d4a4bef3af07633a8589891|head -1
389-ds-base-1.3.4.0

This means allowweakcipher feature is only in 389-ds-base >= 1.3.4.0.
This should explain your failures below.


>
>I have also modified dse.ldif with the following from
>
http://freeipa-users.redhat.narkive.com/XGR9YzyN/weak-and-null-ciphers-detected-on-ldap-ports

>
>With ipa stopped I modified dse with  below
>
>odifyTimestamp: 20150420131906Z
>nsSSL3Ciphers: +all,-rsa_null_sha
>allowWeakCipher: off
>numSubordinates: 1
>
>I turn on ipa and get
>Starting Directory Service
>Starting dirsrv:
>PKI-IPA...[27/Apr/2016:01:23:21 -0400] - Entry
>"cn=encryption,cn=config" -- attribute "allowweakcipher" not allowed
>
>So I go back into the file and allowWeakCipher now shows allowweakcipher
>(caps for W and C are now lower case)
Attribute names are case-insensitive and normalized to lower case.
Anyway, just don't use allowweakcipher in older 389-ds-base version.

>
>nss.conf
>
>
># new config to stop using weak ciphers.
>NSSCipherSuite
>-rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,-fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_256_sha

>#   SSL Protocol:
>#   Cryptographic protocols that provide communication security.
>#   NSS handles the specified protocols as "ranges", and automatically
>#   negotiates the use of the strongest protocol for a connection starting
>#   with the maximum specified protocol and downgrading as necessary to the
>#   minimum specified protocol that can be used between two processes.
>#   Since all protocol ranges are completely inclusive, and no protocol in the
>NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
>NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
>NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
>
>
>server.xml
>
>   clientAuth="true"
>   sslOptions="ssl2=off,ssl3=off,tls=true"
>
>ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"

>
>ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,-SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,-SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"

>
>tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,-SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,-SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"

>
>
>
>
>
>Is there a config for this version of IPA/DS somewhere that will pass
>poodle, freak, null ci

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-27 Thread Sean Hogan


I ran the following:
nmap --script ssl-enum-ciphers -p 636 `hostname`

Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 12:48 EDT
Nmap scan report for bob
Host is up (0.78s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
| Ciphers (13)
|   SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|   SSL_RSA_FIPS_WITH_DES_CBC_SHA
|   TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
|   TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|   TLS_RSA_WITH_3DES_EDE_CBC_SHA
|   TLS_RSA_WITH_AES_128_CBC_SHA
|   TLS_RSA_WITH_AES_128_CBC_SHA256
|   TLS_RSA_WITH_AES_128_GCM_SHA256
|   TLS_RSA_WITH_AES_256_CBC_SHA
|   TLS_RSA_WITH_AES_256_CBC_SHA256
|   TLS_RSA_WITH_DES_CBC_SHA
|   TLS_RSA_WITH_RC4_128_MD5
|   TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)
|_  uncompressed

Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds


Tenable is barking about the following.. only listing 636 but the same
applies for 389

Plugin ID: 65821  Port 636

Synopsis: The remote service supports the use of the RC4 cipher.
Description
The remote host supports the use of RC4 in one or more cipher
suites.
The RC4 cipher is flawed in its generation of a pseudo-random stream of
bytes so that a wide variety of small biases are introduced into
the stream, decreasing its randomness.


And 636 and 389 for

Plugin ID: 81606  port 389
Synopsis: The remote host supports a set of weak ciphers.
Description The remote host supports EXPORT_RSA cipher suites with keys
less than or equal to 512 bits. An attacker can factor a 512-bit RSA
modulus in a short amount of time.
A man-in-the middle attacker may be able to downgrade the session to use
EXPORT_RSA cipher suites (e.g. CVE-2015-0204). Thus, it is recommended to
remove support for weak cipher suites.


So I do see RC4 and the exports so I guess I can - those in the dse.ldif




From:   Sean Hogan/Durham/IBM
To: Martin Kosek <mko...@redhat.com>
Cc: freeipa-users <freeipa-users@redhat.com>
Date:   04/27/2016 09:33 AM
Subject:    Re: [Freeipa-users] IPA vulnerability management SSL


Hi Martin,


   Thanks for the response.  We are at RHEL 6.7... getting the hits on 389
and 636 so it's the Directory server ports which I assume is dse.ldif.



Sean Hogan








From:   Martin Kosek <mko...@redhat.com>
To: Sean Hogan/Durham/IBM@IBMUS, freeipa-users
<freeipa-users@redhat.com>
Date:   04/27/2016 01:43 AM
Subject:        Re: [Freeipa-users] IPA vulnerability management SSL



On 04/27/2016 07:27 AM, Sean Hogan wrote:
> Hello,
>
> We currently have 7 ipa servers in multi master running:
>
> ipa-server-3.0.0-47.el6_7.1.x86_64
> 389-ds-base-1.2.11.15-68.el6_7.x86_64
>
> Tenable is showing the use of weak ciphers along with freak vulnerabilities. I
> have followed
> https://access.redhat.com/solutions/675183 however issues remain in the ciphers
> being used.

Can you show the full report, so that we can see what's wrong? What I am
looking for also is if the problem is LDAPS port or HTTPS port, so that we are
not fixing the wrong service.

DS ciphers were hardened in RHEL-6.x and RHEL-7.x already as part of this
bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1154687

Further hardening comes with FreeIPA 4.3.1+:
https://fedorahosted.org/freeipa/ticket/5684
https://fedorahosted.org/freeipa/ticket/5589

(it should appear in RHEL-7.3+)

Martin





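Sean's post above pairs a raw nmap listing with the two Tenable findings it triggers (RC4, and EXPORT_RSA with its FREAK downgrade risk), and the thread later compares that listing with a much cleaner one from a FreeIPA 4.3.1 server. The script below is an added example, not code from the thread, from Nmap or from Tenable: it parses the ssl-enum-ciphers output in both layouts seen in this thread (Nmap 5.51 with bare suite names, Nmap 7.x with key-exchange detail and a letter grade) and flags the suite classes those findings cover, so a before/after scan can be checked mechanically instead of by eye. The two sample listings are constructed from the ones posted in the thread, and the script name is an assumption.

```python
"""flag_weak_ciphers.py (hypothetical name): flag weak suites in nmap ssl-enum-ciphers output.

Added example, not part of the thread, Nmap or Tenable. The weak classes
mirror the two Tenable findings quoted in the thread (RC4: plugin 65821,
EXPORT_RSA: plugin 81606) plus NULL, single DES and MD5 MACs; 3DES is
reported separately as legacy rather than weak.
"""
import re

# Constructed sample 1: the 13-suite LDAPS listing from the RHEL 6 server (Nmap 5.51 layout).
SCAN_RHEL6 = """\
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
| Ciphers (13)
|   SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|   SSL_RSA_FIPS_WITH_DES_CBC_SHA
|   TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
|   TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|   TLS_RSA_WITH_3DES_EDE_CBC_SHA
|   TLS_RSA_WITH_AES_128_CBC_SHA
|   TLS_RSA_WITH_AES_128_CBC_SHA256
|   TLS_RSA_WITH_AES_128_GCM_SHA256
|   TLS_RSA_WITH_AES_256_CBC_SHA
|   TLS_RSA_WITH_AES_256_CBC_SHA256
|   TLS_RSA_WITH_DES_CBC_SHA
|   TLS_RSA_WITH_RC4_128_MD5
|   TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)
|_  uncompressed
"""

# Constructed sample 2: a shortened listing in the Nmap 7.x layout of the demo-server scan.
SCAN_DEMO = """\
| ssl-enum-ciphers:
|   TLSv1.2:
| ciphers:
|   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|   TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|   TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| compressors:
|   NULL
| cipher preference: server
|_  least strength: A
"""

PROTO_RE = re.compile(r"^\|\s*(SSLv[23]|TLSv1(?:\.\d)?):?\s*$")
SUITE_RE = re.compile(
    r"^\|[\s_]*((?:TLS|SSL)_[A-Z0-9_]+)"   # suite name (IANA / NSS spelling)
    r"(?:\s+\(([^)]*)\))?"                 # optional key-exchange detail, e.g. (dh 2048)
    r"(?:\s+-\s+([A-F]))?\s*$"             # optional strength grade
)

WEAK_PATTERNS = [
    ("null-cipher", re.compile(r"_WITH_NULL_")),
    ("export-grade", re.compile(r"_EXPORT")),
    ("rc4", re.compile(r"_RC4_")),
    ("single-des", re.compile(r"_WITH_DES_")),   # 3DES suites read _WITH_3DES_, so they do not match
    ("md5-mac", re.compile(r"_MD5$")),
]
LEGACY_PATTERNS = [("3des", re.compile(r"_3DES_"))]


def parse_scan(text):
    """Map protocol version -> list of {name, kx, grade} for every offered suite."""
    suites, proto = {}, None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            proto = m.group(1)
            suites.setdefault(proto, [])
            continue
        m = SUITE_RE.match(line)
        if m and proto is not None:
            suites[proto].append({"name": m.group(1), "kx": m.group(2), "grade": m.group(3)})
    return suites


def classify(name, include_legacy=False):
    """Return the weak (and optionally legacy) classes a suite name falls into."""
    patterns = WEAK_PATTERNS + (LEGACY_PATTERNS if include_legacy else [])
    return [label for label, rx in patterns if rx.search(name)]


def weak_suites(text):
    """Return {suite name: [classes]} for every suite a scanner would report as weak."""
    flagged = {}
    for entries in parse_scan(text).values():
        for entry in entries:
            classes = classify(entry["name"])
            if classes:
                flagged[entry["name"]] = classes
    return flagged


def summarize(text):
    """One header line per protocol, then one line per flagged (weak or legacy) suite."""
    lines = []
    for proto, entries in parse_scan(text).items():
        flagged = [(e["name"], classify(e["name"], include_legacy=True)) for e in entries]
        flagged = [(n, c) for n, c in flagged if c]
        lines.append(f"{proto}: {len(entries)} suites, {len(flagged)} flagged")
        lines.extend(f"  {n}: {', '.join(c)}" for n, c in flagged)
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Usage: nmap --script ssl-enum-ciphers -p 636 HOST | python flag_weak_ciphers.py
    print(summarize(sys.stdin.read() if not sys.stdin.isatty() else SCAN_RHEL6))
```

On the RHEL 6 listing the report flags six weak suites (three RC4, two EXPORT, three single DES, one MD5 MAC, with overlaps) and two 3DES suites as legacy; on the 4.3.1-style listing it flags nothing, which is the state the thread is aiming for. Because the script groups suites by protocol version, it also makes a reappearing SSLv3 block obvious after a configuration change.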
Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-27 Thread Sean Hogan

Hi Martin,


   Thanks for the response.  We are at RHEL 6.7... getting the hits on 389
and 636 so it's the Directory server ports which I assume is dse.ldif.



Sean Hogan







From:   Martin Kosek <mko...@redhat.com>
To: Sean Hogan/Durham/IBM@IBMUS, freeipa-users
<freeipa-users@redhat.com>
Date:   04/27/2016 01:43 AM
Subject:    Re: [Freeipa-users] IPA vulnerability management SSL



On 04/27/2016 07:27 AM, Sean Hogan wrote:
> Hello,
>
> We currently have 7 ipa servers in multi master running:
>
> ipa-server-3.0.0-47.el6_7.1.x86_64
> 389-ds-base-1.2.11.15-68.el6_7.x86_64
>
> Tenable is showing the use of weak ciphers along with freak vulnerabilities. I
> have followed
> https://access.redhat.com/solutions/675183 however issues remain in the ciphers
> being used.

Can you show the full report, so that we can see what's wrong? What I am
looking for also is if the problem is LDAPS port or HTTPS port, so that we are
not fixing the wrong service.

DS ciphers were hardened in RHEL-6.x and RHEL-7.x already as part of this
bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1154687

Further hardening comes with FreeIPA 4.3.1+:
https://fedorahosted.org/freeipa/ticket/5684
https://fedorahosted.org/freeipa/ticket/5589

(it should appear in RHEL-7.3+)

Martin




Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-27 Thread Martin Kosek
On 04/27/2016 07:27 AM, Sean Hogan wrote:
> Hello,
> 
> We currently have 7 ipa servers in multi master running:
> 
> ipa-server-3.0.0-47.el6_7.1.x86_64
> 389-ds-base-1.2.11.15-68.el6_7.x86_64
> 
> Tenable is showing the use of weak ciphers along with freak vulnerabilities. 
> I 
> have followed
> https://access.redhat.com/solutions/675183 however issues remain in the 
> ciphers 
> being used.

Can you show the full report, so that we can see what's wrong? What I am
looking for also is if the problem is LDAPS port or HTTPS port, so that we are
not fixing the wrong service.

DS ciphers were hardened in RHEL-6.x and RHEL-7.x already as part of this bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1154687

Further hardening comes with FreeIPA 4.3.1+:
https://fedorahosted.org/freeipa/ticket/5684
https://fedorahosted.org/freeipa/ticket/5589

(it should appear in RHEL-7.3+)

Martin



Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-27 Thread Alexander Bokovoy

On Tue, 26 Apr 2016, Sean Hogan wrote:



Hello,

 We currently have 7 ipa servers in multi master running:

ipa-server-3.0.0-47.el6_7.1.x86_64
389-ds-base-1.2.11.15-68.el6_7.x86_64

Tenable is showing the use of weak ciphers along with freak
vulnerabilities.  I have followed
https://access.redhat.com/solutions/675183 however issues remain in the
ciphers being used.

$ git log --oneline 5f3c87e1380e56d76d4a4bef3af07633a8589891|head -1
5f3c87e Ticket #47838 - harden the list of ciphers available by default
$ git tag --contains 5f3c87e1380e56d76d4a4bef3af07633a8589891|head -1
389-ds-base-1.3.4.0

This means allowweakcipher feature is only in 389-ds-base >= 1.3.4.0.
This should explain your failures below.




I have also modified dse.ldif with the following from
http://freeipa-users.redhat.narkive.com/XGR9YzyN/weak-and-null-ciphers-detected-on-ldap-ports

With ipa stopped I modified dse with  below

odifyTimestamp: 20150420131906Z
nsSSL3Ciphers: +all,-rsa_null_sha
allowWeakCipher: off
numSubordinates: 1

I turn on ipa and get
Starting Directory Service
Starting dirsrv:
   PKI-IPA...[27/Apr/2016:01:23:21 -0400] - Entry
"cn=encryption,cn=config" -- attribute "allowweakcipher" not allowed

So I go back into the file and allowWeakCipher now shows allowweakcipher
(caps for W and C are now lower case)

Attribute names are case-insensitive and normalized to lower case.
Anyway, just don't use allowweakcipher in older 389-ds-base version.



nss.conf


# new config to stop using weak ciphers.
NSSCipherSuite
-rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,-fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_256_sha
#   SSL Protocol:
#   Cryptographic protocols that provide communication security.
#   NSS handles the specified protocols as "ranges", and automatically
#   negotiates the use of the strongest protocol for a connection starting
#   with the maximum specified protocol and downgrading as necessary to the
#   minimum specified protocol that can be used between two processes.
#   Since all protocol ranges are completely inclusive, and no protocol in the
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2


server.xml

  clientAuth="true"
  sslOptions="ssl2=off,ssl3=off,tls=true"

ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"

ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,-SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,-SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"

tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,-SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,-SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"





Is there a config for this version of IPA/DS somewhere that will pass
poodle, freak, null ciphers scanning or only allow strong ciphers?

FreeIPA 4.3.1 has a default setup that gives an A on these tests with SSL Labs.
https://www.ssllabs.com/ssltest/analyze.html?d=ipa.demo1.freeipa.org=on

Follow https://fedorahosted.org/freeipa/ticket/5589 for Apache changes
and for the script to generate proper lists.
--
/ Alexander Bokovoy
