On 09/23/2015 11:00 AM, Michael Lasevich wrote:
> OK, this is most bizarre issue,
>
> I am trying to disable RC4 based TLS Cipher Suites in LDAPs (port 636) and
> for the life of me cannot get it to work
>
> I have followed many nearly identical instructions to create ldif file and
> change "nsSSL3Ciphers" in "cn=encryption,cn=config". Seems simple enough -
> and I get it to take, and during the startup I can see the right SSL Cipher
> Suites listed in errors.log - but when it starts and I probe it, RC4
> ciphers are still there. I am completely confused.
>
> I tried setting "nsSSL3Ciphers" to "default" (which does not have "RC4")
> and to old style cyphers lists (lowercase), and new style cypher
> lists (uppercase), and nothing seems to make any difference.
>
> Any ideas?
>
> -M

Are you asking about standalone 389-DS or the one integrated in FreeIPA?

As with currently supported versions of FreeIPA, RC4 ciphers should be already gone, AFAIK. In RHEL/CentOS world, it should be fixed in 6.7/7.1 or later:

https://bugzilla.redhat.com/show_bug.cgi?id=1154687
https://fedorahosted.org/freeipa/ticket/4653
