On Tue, Jun 16, 2020 at 12:58 PM Chris Herdt <[email protected]> wrote:
> I have an appliance that I want to use with our FreeIPA-provided LDAP
> servers. The appliance only supports the following ciphers:
>
> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
>
> I tried changing the following in dse.ldif, based on
> http://www.port389.org/docs/389ds/design/nss-cipher-design.html:
>
> nsSSL3Ciphers: +all
>
> However, this enabled only the following 7 ciphers (based on the output of
> nmap --script ssl-enum-ciphers -p 636 freeipa-01.example.com):
>
> TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
> TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
> TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
> TLS_RSA_WITH_SEED_CBC_SHA
>
> Here's the content of the dn: cn=encryption,cn=config section:
>
> dn: cn=encryption,cn=config
> CACertExtractFile: /etc/dirsrv/slapd-EXAMPLE-COM/CN3dUSERTrust20RSA20Certification20Authority2cO3dThe20USERTRUST20Network2cL3dJersey20City2cST3dNew20Jersey2cC3dUS.pem
> allowWeakCipher: off
> cn: encryption
> createTimestamp: 20181108213233Z
> creatorsName: cn=server,cn=plugins,cn=config
> modifiersName: cn=server,cn=plugins,cn=config
> modifyTimestamp: 20181108213359Z
> nsSSL3Ciphers: +all
> nsSSLClientAuth: allowed
> nsSSLSessionTimeout: 0
> objectClass: top
> objectClass: nsEncryptionConfig
> sslVersionMin: TLS1.2
> numSubordinates: 1
>
> Any ideas why this change isn't enabling the additional ciphers? Thanks!
>
I should have mentioned, my FreeIPA servers are running ipa-server 4.6.6 on CentOS 7.8.
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
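The two cipher lists quoted in the message are compared here in an added Python example (not code from the thread or from 389-ds): it splits TLS 1.2 suite names into key exchange and the certificate key type they authenticate with, and shows that every suite the appliance accepts requires an ECDSA server certificate while every suite the server offered authenticates with RSA, so no suite can be negotiated between the two regardless of how broad the nsSSL3Ciphers setting is. The suite lists are copied from the message; `parse_suite`, `cert_types` and `diagnose` are names chosen for this example.

```python
import re

# TLS 1.2 IANA suite names have the shape TLS_<kx>[_<auth>]_WITH_<cipher>_<mac>.
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>ECDHE|DHE|RSA)(?:_(?P<auth>ECDSA|RSA))?_WITH_"
    r"(?P<cipher>.+)_(?P<mac>SHA384|SHA256|SHA)$"
)

# Suite lists copied from the message above (appliance requirements, server offer).
APPLIANCE_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
]
SERVER_OFFERED = [
    "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
    "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
    "TLS_RSA_WITH_SEED_CBC_SHA",
]

def parse_suite(name):
    """Return the parts of a suite name that decide whether a server can negotiate it."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised suite name: {name}")
    kx = m["kx"]
    return {
        "key_exchange": kx,
        # TLS_RSA_* has no separate auth field: the RSA certificate does both jobs.
        "cert_type": m["auth"] or "RSA",
        # Only ephemeral (EC)DH exchanges give forward secrecy.
        "forward_secrecy": kx in ("ECDHE", "DHE"),
    }

def cert_types(names):
    """Server-certificate key types the given suites can authenticate with."""
    return {parse_suite(n)["cert_type"] for n in names}

def diagnose(server, client):
    """Common suites, or the certificate-type mismatch that rules them all out."""
    common = sorted(set(server) & set(client))
    if common:
        return "negotiable: " + ", ".join(common)
    return ("no common suite: client suites need a server certificate of type "
            f"{'/'.join(sorted(cert_types(client)))}; offered suites authenticate "
            f"with {'/'.join(sorted(cert_types(server)))}")
```

Adding `+all` can only expose suites the server's certificate can authenticate, so enabling an ECDSA-only client means provisioning an ECDSA server certificate, not widening the cipher list.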
