Re: [Freeipa-users] TLS 1.2 for PKI+SLAPD

2017-04-27 Thread Callum Guy 
Managed to get PKI/Tomcat patched for TLS 1.2.

*/etc/pki/pki-tomcat/server.xml*
*...*
* sslVersionRangeStream="tls1_2:tls1_2" *

*sslVersionRangeDatagram="tls1_2:tls1_2" *

*...*
Thanks, resolved.

On Thu, Apr 27, 2017 at 10:01 PM Callum Guy  wrote:

> For others reference this is regarding CentOS 7.2 with FreeIPA 4.4.0
>
> Directory server change suggested on the link are for an older version.
> Minimum TLS support can be altered as follows:
>
> */etc/dirsrv/slapd-DOMAIN.COM/dse.ldif*
>
> dn: cn=encryption,cn=config
>
> allowWeakCipher: off
>
> cn: encryption
>
> createTimestamp: 20161130110528Z
>
> creatorsName: cn=server,cn=plugins,cn=config
>
> modifiersName: cn=Directory Manager
>
> modifyTimestamp: 20161213085006Z
>
> nsSSLClientAuth: allowed
>
> nsSSLSessionTimeout: 0
>
> nsSSL3Ciphers: default
>
> objectClass: top
>
> objectClass: nsEncryptionConfig
> sslVersionMin: TLS1.2
>
> I'm still working on port 8443 (DogTag/PKI/Tomcat) - configuration in
> /usr/share/pki/server/conf/server.xml seems to roughly match the linked
> article however its all tokenized as shown below:
>
> 203sslOptions="[TOMCAT_SSL_OPTIONS]"
> 204ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
> 205ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
> 206tlsCiphers="[TOMCAT_TLS_CIPHERS]"
> 207sslVersionRangeStream="[TOMCAT_SSL_VERSION_RANGE_STREAM]"
> 208
>  sslVersionRangeDatagram="[TOMCAT_SSL_VERSION_RANGE_DATAGRAM]"
> 209sslRangeCiphers="[TOMCAT_SSL_RANGE_CIPHERS]"
>
> I'll feed back if i work it out.
>
> Thanks,
>
> On Thu, Apr 27, 2017 at 8:22 PM Callum Guy  wrote:
>
>> Thanks so much for the link Rob - i'm on 4.4.0. I'll get back in touch if
>> i run into any issues - i find it difficult to locate these help pages so
>> really do appreciate the advice
>>
>> On Thu, Apr 27, 2017 at 8:16 PM Rob Crittenden 
>> wrote:
>>
>>> Callum Guy wrote:
>>> > Hi All,
>>> >
>>> > I'm currently looking at hardening my FreeIPA server as part of a PCI
>>> > assessment.
>>> >
>>> > I am hoping to be able to fix PKI (ports 8443) and SLAPD (LDAPS) to use
>>> > only TLS1.2 - both currently support TLS1.0 and unfortunately that is
>>> > non-compliant for my environment.
>>> >
>>> > Also i'm very much hoping not to break my installation!
>>> >
>>> > Does anyone have experience in this area?
>>>
>>> It depends very much on what version you are running but see
>>> https://access.redhat.com/articles/2801181 for inspiration.
>>>
>>> rob
>>>
>>>

-- 



*0333 332   |  www.x-on.co.uk   |   ** 
    
   * 
X-on is a trading name of Storacall Technology Ltd a limited company 
registered in England and Wales.
Registered Office : Avaland House, 110 London Road, Apsley, Hemel 
Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
The information in this e-mail is confidential and for use by the 
addressee(s) only. If you are not the intended recipient, please notify 
X-on immediately on +44(0)333 332  and delete the
message from your computer. If you are not a named addressee you must not 
use, disclose, disseminate, distribute, copy, print or reply to this email. 
Views 
or opinions expressed by an individual
within this email may not necessarily reflect the views of X-on or its 
associated companies. Although X-on routinely screens for viruses, 
addressees should scan this email and any attachments
for viruses. X-on makes no representation or warranty as to the absence of 
viruses in this email or any attachments.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] TLS 1.2 for PKI+SLAPD

2017-04-27 Thread Callum Guy 
For others reference this is regarding CentOS 7.2 with FreeIPA 4.4.0

Directory server change suggested on the link are for an older version.
Minimum TLS support can be altered as follows:

*/etc/dirsrv/slapd-DOMAIN.COM/dse.ldif*

dn: cn=encryption,cn=config

allowWeakCipher: off

cn: encryption

createTimestamp: 20161130110528Z

creatorsName: cn=server,cn=plugins,cn=config

modifiersName: cn=Directory Manager

modifyTimestamp: 20161213085006Z

nsSSLClientAuth: allowed

nsSSLSessionTimeout: 0

nsSSL3Ciphers: default

objectClass: top

objectClass: nsEncryptionConfig
sslVersionMin: TLS1.2

I'm still working on port 8443 (DogTag/PKI/Tomcat) - configuration in
/usr/share/pki/server/conf/server.xml seems to roughly match the linked
article however its all tokenized as shown below:

203sslOptions="[TOMCAT_SSL_OPTIONS]"
204ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
205ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
206tlsCiphers="[TOMCAT_TLS_CIPHERS]"
207sslVersionRangeStream="[TOMCAT_SSL_VERSION_RANGE_STREAM]"
208sslVersionRangeDatagram="[TOMCAT_SSL_VERSION_RANGE_DATAGRAM]"
209sslRangeCiphers="[TOMCAT_SSL_RANGE_CIPHERS]"

I'll feed back if i work it out.

Thanks,

On Thu, Apr 27, 2017 at 8:22 PM Callum Guy  wrote:

> Thanks so much for the link Rob - i'm on 4.4.0. I'll get back in touch if
> i run into any issues - i find it difficult to locate these help pages so
> really do appreciate the advice
>
> On Thu, Apr 27, 2017 at 8:16 PM Rob Crittenden 
> wrote:
>
>> Callum Guy wrote:
>> > Hi All,
>> >
>> > I'm currently looking at hardening my FreeIPA server as part of a PCI
>> > assessment.
>> >
>> > I am hoping to be able to fix PKI (ports 8443) and SLAPD (LDAPS) to use
>> > only TLS1.2 - both currently support TLS1.0 and unfortunately that is
>> > non-compliant for my environment.
>> >
>> > Also i'm very much hoping not to break my installation!
>> >
>> > Does anyone have experience in this area?
>>
>> It depends very much on what version you are running but see
>> https://access.redhat.com/articles/2801181 for inspiration.
>>
>> rob
>>
>>

-- 



*0333 332   |  www.x-on.co.uk   |   ** 
    
   * 
X-on is a trading name of Storacall Technology Ltd a limited company 
registered in England and Wales.
Registered Office : Avaland House, 110 London Road, Apsley, Hemel 
Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
The information in this e-mail is confidential and for use by the 
addressee(s) only. If you are not the intended recipient, please notify 
X-on immediately on +44(0)333 332  and delete the
message from your computer. If you are not a named addressee you must not 
use, disclose, disseminate, distribute, copy, print or reply to this email. 
Views 
or opinions expressed by an individual
within this email may not necessarily reflect the views of X-on or its 
associated companies. Although X-on routinely screens for viruses, 
addressees should scan this email and any attachments
for viruses. X-on makes no representation or warranty as to the absence of 
viruses in this email or any attachments.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] TLS 1.2 for PKI+SLAPD

2017-04-27 Thread Callum Guy 
Thanks so much for the link Rob - i'm on 4.4.0. I'll get back in touch if i
run into any issues - i find it difficult to locate these help pages so
really do appreciate the advice

On Thu, Apr 27, 2017 at 8:16 PM Rob Crittenden  wrote:

> Callum Guy wrote:
> > Hi All,
> >
> > I'm currently looking at hardening my FreeIPA server as part of a PCI
> > assessment.
> >
> > I am hoping to be able to fix PKI (ports 8443) and SLAPD (LDAPS) to use
> > only TLS1.2 - both currently support TLS1.0 and unfortunately that is
> > non-compliant for my environment.
> >
> > Also i'm very much hoping not to break my installation!
> >
> > Does anyone have experience in this area?
>
> It depends very much on what version you are running but see
> https://access.redhat.com/articles/2801181 for inspiration.
>
> rob
>
>

-- 



*0333 332   |  www.x-on.co.uk   |   ** 
    
   * 
X-on is a trading name of Storacall Technology Ltd a limited company 
registered in England and Wales.
Registered Office : Avaland House, 110 London Road, Apsley, Hemel 
Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
The information in this e-mail is confidential and for use by the 
addressee(s) only. If you are not the intended recipient, please notify 
X-on immediately on +44(0)333 332  and delete the
message from your computer. If you are not a named addressee you must not 
use, disclose, disseminate, distribute, copy, print or reply to this email. 
Views 
or opinions expressed by an individual
within this email may not necessarily reflect the views of X-on or its 
associated companies. Although X-on routinely screens for viruses, 
addressees should scan this email and any attachments
for viruses. X-on makes no representation or warranty as to the absence of 
viruses in this email or any attachments.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] TLS 1.2 for PKI+SLAPD

2017-04-27 Thread Rob Crittenden 
Callum Guy wrote:
> Hi All,
> 
> I'm currently looking at hardening my FreeIPA server as part of a PCI
> assessment.
> 
> I am hoping to be able to fix PKI (ports 8443) and SLAPD (LDAPS) to use
> only TLS1.2 - both currently support TLS1.0 and unfortunately that is
> non-compliant for my environment.
> 
> Also i'm very much hoping not to break my installation!
> 
> Does anyone have experience in this area?

It depends very much on what version you are running but see
https://access.redhat.com/articles/2801181 for inspiration.

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project