I actually just posted that in a previous email. The only thing I cut out was nsSSLEnabledCiphers - but here is the complete listing:
# ldapsearch -x -D "cn=directory manager" -W -b "cn=encryption,cn=config"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=encryption,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# encryption, config
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
sslVersionMin: TLS1.0
nsSSL3Ciphers: +all
allowWeakCipher: off
nsSSL3: off
nsSSL2: off
nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384::AES-GCM::AEAD::256
nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384::AES-GCM::AEAD::256
nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384::AES::SHA384::256
nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384::AES::SHA384::256
nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA::RC4::SHA1::128
nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA::RC4::SHA1::128
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA::AES::SHA1::128
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256::AES::SHA256::128
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA::CAMELLIA::SHA1::128
nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA::CAMELLIA::SHA1::128
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384::AES-GCM::AEAD::256
nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384::AES-GCM::AEAD::256
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA::AES::SHA1::256
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256::AES::SHA256::256
nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256::AES::SHA256::256
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA::CAMELLIA::SHA1::256
nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA::CAMELLIA::SHA1::256
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_RC4_128_SHA::RC4::SHA1::128
nsSSLSupportedCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nsSSLSupportedCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nsSSLSupportedCiphers: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nsSSLSupportedCiphers: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nsSSLSupportedCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
nsSSLSupportedCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
nsSSLSupportedCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA::RC4::SHA1::128
nsSSLSupportedCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA::RC4::SHA1::128
nsSSLSupportedCiphers: TLS_RSA_WITH_AES_256_GCM_SHA384::AES-GCM::SHA384::256
nsSSLSupportedCiphers: TLS_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
nsSSLSupportedCiphers: TLS_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nsSSLSupportedCiphers: TLS_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
nsSSLSupportedCiphers: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA::CAMELLIA::SHA1::128
nsSSLSupportedCiphers: TLS_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nsSSLSupportedCiphers: TLS_RSA_WITH_AES_256_CBC_SHA256::AES::SHA256::256
nsSSLSupportedCiphers: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA::CAMELLIA::SHA1::256
nsSSLSupportedCiphers: TLS_RSA_WITH_SEED_CBC_SHA::SEED::SHA1::128
nsSSLSupportedCiphers: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
nsSSLSupportedCiphers: TLS_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
nsSSLSupportedCiphers: TLS_RSA_WITH_RC4_128_SHA::RC4::SHA1::128
nsSSLSupportedCiphers: TLS_RSA_WITH_RC4_128_MD5::RC4::MD5::128
nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_DES_CBC_SHA::DES::SHA1::64
nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_DES_CBC_SHA::DES::SHA1::64
nsSSLSupportedCiphers: SSL_RSA_FIPS_WITH_DES_CBC_SHA::DES::SHA1::64
nsSSLSupportedCiphers: TLS_RSA_WITH_DES_CBC_SHA::DES::SHA1::64
nsSSLSupportedCiphers: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA::RC4::SHA1::128
nsSSLSupportedCiphers: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA::DES::SHA1::64
nsSSLSupportedCiphers: TLS_RSA_EXPORT_WITH_RC4_40_MD5::RC4::MD5::128
nsSSLSupportedCiphers: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5::RC2::MD5::128
nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_NULL_SHA::NULL::SHA1::0
nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_NULL_SHA::NULL::SHA1::0
nsSSLSupportedCiphers: TLS_ECDH_RSA_WITH_NULL_SHA::NULL::SHA1::0
nsSSLSupportedCiphers: TLS_ECDH_ECDSA_WITH_NULL_SHA::NULL::SHA1::0
nsSSLSupportedCiphers: TLS_RSA_WITH_NULL_SHA::NULL::SHA1::0
nsSSLSupportedCiphers: TLS_RSA_WITH_NULL_SHA256::NULL::SHA256::0
nsSSLSupportedCiphers: TLS_RSA_WITH_NULL_MD5::NULL::MD5::0
nsSSLSupportedCiphers: SSL_CK_RC4_128_WITH_MD5::RC4::MD5::128
nsSSLSupportedCiphers: SSL_CK_RC2_128_CBC_WITH_MD5::RC2::MD5::128
nsSSLSupportedCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5::3DES::MD5::192
nsSSLSupportedCiphers: SSL_CK_DES_64_CBC_WITH_MD5::DES::MD5::64
nsSSLSupportedCiphers: SSL_CK_RC4_128_EXPORT40_WITH_MD5::RC4::MD5::128
nsSSLSupportedCiphers: SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5::RC2::MD5::128
nssslenabledciphers: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
nssslenabledciphers: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384::AES-GCM::AEAD::256
nssslenabledciphers: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
nssslenabledciphers: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384::AES-GCM::AEAD::256
nssslenabledciphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384::AES::SHA384::256
nssslenabledciphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384::AES::SHA384::256
nssslenabledciphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nssslenabledciphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nssslenabledciphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nssslenabledciphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
nssslenabledciphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
nssslenabledciphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nssslenabledciphers: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
nssslenabledciphers: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
nssslenabledciphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nssslenabledciphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA::AES::SHA1::128
nssslenabledciphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
nssslenabledciphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256::AES::SHA256::128
nssslenabledciphers: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA::CAMELLIA::SHA1::128
nssslenabledciphers: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA::CAMELLIA::SHA1::128
nssslenabledciphers: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384::AES-GCM::AEAD::256
nssslenabledciphers: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384::AES-GCM::AEAD::256
nssslenabledciphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nssslenabledciphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA::AES::SHA1::256
nssslenabledciphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256::AES::SHA256::256
nssslenabledciphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256::AES::SHA256::256
nssslenabledciphers: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA::CAMELLIA::SHA1::256
nssslenabledciphers: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA::CAMELLIA::SHA1::256
nssslenabledciphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nssslenabledciphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nssslenabledciphers: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nssslenabledciphers: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nssslenabledciphers: TLS_RSA_WITH_AES_256_GCM_SHA384::AES-GCM::SHA384::256
nssslenabledciphers: TLS_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
nssslenabledciphers: TLS_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nssslenabledciphers: TLS_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
nssslenabledciphers: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA::CAMELLIA::SHA1::128
nssslenabledciphers: TLS_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nssslenabledciphers: TLS_RSA_WITH_AES_256_CBC_SHA256::AES::SHA256::256
nssslenabledciphers: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA::CAMELLIA::SHA1::256
nssslenabledciphers: TLS_RSA_WITH_SEED_CBC_SHA::SEED::SHA1::128
nsTLS1: on
sslVersionMax: TLS1.2

# RSA, encryption, config
dn: cn=RSA,cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionModule
nsSSLPersonalitySSL: Server-Cert
nsSSLActivation: on
cn: RSA
nsSSLToken: internal (software)

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

On Wed, Sep 23, 2015 at 11:53 AM, Martin Kosek <[email protected]> wrote:

> On 09/23/2015 05:05 PM, Michael Lasevich wrote:
>
>> Yes, I am talking about 389ds as is integrated in FreeIPA (would be silly to
>> post completely non-IPA questions to this list...).
>>
>
> You would not be the first to do it :-)
>
>> I am running FreeIPA 4.1.4 on CentOS 7.1 and RC4 is enabled on port 636 no
>> matter what I do.
>>
>> I am running "CentOS Linux release 7.1.1503 (Core)"
>>
>> Relevant Packages:
>>
>> freeipa-server-4.1.4-1.el7.centos.x86_64
>> 389-ds-base-1.3.3.8-1.el7.centos.x86_64
>> nss-3.19.1-5.el7_1.x86_64
>> openssl-1.0.1e-42.el7.9.x86_64
>>
>> LDAP setting (confirmed that in error.log there is no mention of RC4 in list
>> of ciphers):
>>
>> nsSSL3Ciphers:
>>
>> -rc4,-rc4export,-rc2,-rc2export,-des,-desede3,-rsa_rc4_128_md5,-rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,+rsa_fips_3des_sha,+fips_3des_sha,-rsa_fips_des_sha,-fips_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,-tls_rsa_export1024_with_rc4_56_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha,-rsa_des_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-dhe_dss_des_sha,+dhe_dss_3des_sha,-dhe_rsa_des_sha,+dhe_rsa_3des_sha,+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,+tls_dhe_dss_aes_256_sha,+tls_dhe_rsa_aes_256_sha,-tls_dhe_dss_1024_rc4_sha,-tls_dhe_dss_rc4_128_sha
>>
>
> Something is really strange here. We need to see settings in
> "cn=encryption,cn=config" to investigate further.
>
> $ ldapsearch -h ipa.example.com -b cn=encryption,cn=config -D
> "cn=Directory Manager" -x -W
>
> should be a good start to give this information. nsSSL3Ciphers for example
> should be set to "+all" and "allowWeakCipher" to off, as per
>
> http://fedorahosted.org/freeipa/ticket/4395
>
>> Slapd "error" log showing no ciphersuites supporting RC4:
>>
>> [23/Sep/2015:08:51:04 -0600] SSL Initialization - Configured SSL version range:
>> min: TLS1.0, max: TLS1.2
>> [23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite fortezza is not
>> available in NSS 3.16. Ignoring fortezza
>> [23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite fortezza_rc4_128_sha is
>> not available in NSS 3.16. Ignoring fortezza_rc4_128_sha
>> [23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite fortezza_null is not
>> available in NSS 3.16. Ignoring fortezza_null
>> [23/Sep/2015:08:51:04 -0600] - SSL alert: Configured NSS Ciphers
>> [23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
>> [23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
>> [23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
>> [23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
>> [23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
>> [23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
>> [23/Sep/2015:08:51:04 -0600] - 389-Directory/1.3.3.8 B2015.040.128 starting up
>>
>>
>> But sslscan returns:
>>
>> $ sslscan --no-failed localhost:636
>> ...
>>
>> Supported Server Cipher(s):
>>
>> Accepted TLSv1 256 bits AES256-SHA
>> Accepted TLSv1 128 bits AES128-SHA
>> Accepted TLSv1 128 bits DES-CBC3-SHA
>> Accepted TLSv1 128 bits RC4-SHA
>> Accepted TLSv1 128 bits RC4-MD5
>> Accepted TLS11 256 bits AES256-SHA
>> Accepted TLS11 128 bits AES128-SHA
>> Accepted TLS11 128 bits DES-CBC3-SHA
>> Accepted TLS11 128 bits RC4-SHA
>> Accepted TLS11 128 bits RC4-MD5
>> Accepted TLS12 256 bits AES256-SHA256
>> Accepted TLS12 256 bits AES256-SHA
>> Accepted TLS12 128 bits AES128-GCM-SHA256
>> Accepted TLS12 128 bits AES128-SHA256
>> Accepted TLS12 128 bits AES128-SHA
>> Accepted TLS12 128 bits DES-CBC3-SHA
>> Accepted TLS12 128 bits RC4-SHA
>> Accepted TLS12 128 bits RC4-MD5
>>
>> ...
>>
>>
>> I would assume the sslscan is broken, but nmap and other scanners all confirm
>> that RC4 is still on.
>>
>> -M
>>
>>
>> On Wed, Sep 23, 2015 at 3:35 AM, Martin Kosek <[email protected]> wrote:
>>
>> On 09/23/2015 11:00 AM, Michael Lasevich wrote:
>> > OK, this is the most bizarre issue,
>> >
>> > I am trying to disable RC4 based TLS Cipher Suites in LDAPS (port 636) and
>> > for the life of me cannot get it to work
>> >
>> > I have followed many nearly identical instructions to create an ldif file and
>> > change "nsSSL3Ciphers" in "cn=encryption,cn=config". Seems simple enough -
>> > and I get it to take, and during the startup I can see the right SSL Cipher
>> > Suites listed in errors.log - but when it starts and I probe it, RC4
>> > ciphers are still there. I am completely confused.
>> >
>> > I tried setting "nsSSL3Ciphers" to "default" (which does not have "RC4")
>> > and to old style cipher lists (lowercase), and new style cipher
>> > lists (uppercase), and nothing seems to make any difference.
>> >
>> > Any ideas?
>> >
>> > -M
>>
>> Are you asking about standalone 389-DS or the one integrated in FreeIPA? As
>> with currently supported versions of FreeIPA, RC4 ciphers should be already
>> gone, AFAIK.
>>
>> In RHEL/CentOS world, it should be fixed in 6.7/7.1 or later:
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1154687
>> https://fedorahosted.org/freeipa/ticket/4653
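The configuration dump at the top of this message and the sslscan rows quoted further down do not agree: the nsSSLEnabledCiphers values contain no RC4 and no 3DES suite, yet the scanner negotiated RC4-SHA, RC4-MD5 and DES-CBC3-SHA on port 636. The script below is an added example, not code from this thread nor from 389-ds or FreeIPA, that automates exactly that comparison so the gap is visible at a glance. It unfolds LDIF the way ldapsearch prints it (a continuation line starts with a single space, which is how the "AEAD::1" / "28" splits above arise), parses the NAME::CIPHER::MAC::BITS values, flags suites that are weak by construction (RC4, DES, 3DES, RC2, NULL, export grade, MD5 MAC, SSLv2 "SSL_CK_" names), and maps sslscan's OpenSSL-style names to the IANA names 389-ds uses so that anything accepted on the wire but absent from nsSSLEnabledCiphers is reported. The sample LDIF and sslscan rows are constructed from values posted in this thread, and the OpenSSL-to-IANA table only covers the names that appear there; extend it for other scanners.

```python
import re

# Constructed sample: an excerpt of cn=encryption,cn=config in the format
# ldapsearch prints it. LDIF folds long values; a continuation line starts
# with exactly one space, which must be stripped when the value is rejoined.
SAMPLE_LDIF = """\
dn: cn=encryption,cn=config
nsSSL3Ciphers: +all
allowWeakCipher: off
nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD:
 :128
nsSSLSupportedCiphers: TLS_RSA_WITH_RC4_128_SHA::RC4::SHA1::128
nsSSLSupportedCiphers: TLS_RSA_WITH_NULL_SHA::NULL::SHA1::0
nsSSLSupportedCiphers: TLS_RSA_EXPORT_WITH_RC4_40_MD5::RC4::MD5::128
nsSSLSupportedCiphers: SSL_CK_RC4_128_WITH_MD5::RC4::MD5::128
nssslenabledciphers: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::1
 28
nssslenabledciphers: TLS_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
nssslenabledciphers: TLS_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
nssslenabledciphers: TLS_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
"""

# Constructed sample: sslscan rows of the shape posted in the thread.
SAMPLE_SSLSCAN = """\
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 128 bits DES-CBC3-SHA
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
Accepted TLS12 128 bits AES128-GCM-SHA256
"""

# OpenSSL-style names (what sslscan prints) -> IANA names (what 389-ds lists).
# Only the names seen in this thread; extend as needed.
OPENSSL_TO_IANA = {
    "AES128-SHA": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "AES256-SHA": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "AES128-SHA256": "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "AES256-SHA256": "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "AES128-GCM-SHA256": "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "DES-CBC3-SHA": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "RC4-SHA": "TLS_RSA_WITH_RC4_128_SHA",
    "RC4-MD5": "TLS_RSA_WITH_RC4_128_MD5",
}


def unfold_ldif(text):
    """Return (attribute, value) pairs with LDIF continuation lines rejoined.
    Attribute names are lower-cased because LDAP treats them case-insensitively
    (the dump mixes nsSSLSupportedCiphers and nssslenabledciphers)."""
    records = []
    for line in text.splitlines():
        if line.startswith(" ") and records:
            records[-1] += line[1:]          # folded continuation
        elif line and not line.startswith("#"):
            records.append(line)
    pairs = []
    for rec in records:
        attr, sep, value = rec.partition(":")
        if sep:
            pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def parse_cipher_entry(value):
    """Split a 389-ds 'NAME::CIPHER::MAC::BITS' value into a dict."""
    name, cipher, mac, bits = value.split("::")
    return {"name": name, "cipher": cipher, "mac": mac, "bits": int(bits)}


def weak_reasons(entry):
    """List the reasons a suite is weak; an empty list means no finding."""
    reasons = []
    if entry["name"].startswith("SSL_CK_"):
        reasons.append("SSLv2 suite")
    if "EXPORT" in entry["name"]:
        reasons.append("export grade")
    if entry["cipher"] in ("RC4", "RC2", "DES", "3DES", "NULL"):
        reasons.append("%s cipher" % entry["cipher"])
    if entry["mac"] == "MD5":
        reasons.append("MD5 MAC")
    if entry["bits"] < 128:
        reasons.append("%d-bit key" % entry["bits"])
    return reasons


def audit_config(ldif_text):
    """Parse the encryption entry; report enabled suites and weak ones."""
    pairs = unfold_ldif(ldif_text)
    enabled = [parse_cipher_entry(v) for a, v in pairs if a == "nssslenabledciphers"]
    supported = [parse_cipher_entry(v) for a, v in pairs if a == "nssslsupportedciphers"]
    return {
        "settings": {a: v for a, v in pairs if a in ("nsssl3ciphers", "allowweakcipher")},
        "enabled": [e["name"] for e in enabled],
        "weak_enabled": {e["name"]: weak_reasons(e) for e in enabled if weak_reasons(e)},
        "weak_supported": {e["name"]: weak_reasons(e) for e in supported if weak_reasons(e)},
    }


def compare_with_scan(enabled_names, sslscan_text):
    """Suites a scanner negotiated that the server config does not list as enabled."""
    row = re.compile(r"^Accepted\s+(\S+)\s+(\d+) bits\s+(\S+)")
    accepted, unmapped = set(), set()
    for line in sslscan_text.splitlines():
        m = row.match(line.strip())
        if not m:
            continue
        iana = OPENSSL_TO_IANA.get(m.group(3))
        (accepted if iana else unmapped).add(iana or m.group(3))
    return {"accepted": accepted,
            "unexpected": accepted - set(enabled_names),   # config and wire disagree
            "unmapped": unmapped}


if __name__ == "__main__":
    report = audit_config(SAMPLE_LDIF)
    diff = compare_with_scan(report["enabled"], SAMPLE_SSLSCAN)
    print("settings:", report["settings"])
    print("weak suites in nsSSLEnabledCiphers:", report["weak_enabled"])
    print("accepted on the wire but not enabled in config:", sorted(diff["unexpected"]))
```

Run it against a real dump by feeding the full ldapsearch output and the full sslscan output to audit_config and compare_with_scan; a non-empty "unexpected" set is the signal that what the directory server reports as enabled is not what the listener actually offers, which is the situation described in this thread and is worth raising with the vendor rather than tuning nsSSL3Ciphers further.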
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
