That did it. Thank you.
On Thu, Sep 24, 2015 at 12:59 AM, Martin Kosek <[email protected]> wrote:

> Hello Michael,
>
> It is possible that this problem comes from an obsolete package in the
> mkosek/freeipa COPR repo, which was fixed in Fedora/RHEL, but not there.
>
> Can you please try to update the 389-ds-base from
>
> https://copr.fedoraproject.org/coprs/mkosek/freeipa/
>
> ? I rebuilt the latest F21 389-ds-base to the repo, there were some
> related fixes.
>
> Thanks,
> Martin
>
> On 09/23/2015 05:50 PM, Michael Lasevich wrote:
> > No difference. It is as if this setting is being overwritten somewhere deep
> > in 389ds, because the "error" log correctly reflects the changes, but the
> > actual process does not. (And yes, I verified that the process actually
> > shuts down and starts up again when I restart it.)
> >
> > ldapsearch -x -D "cn=directory manager" -W -b "cn=encryption,cn=config"
> > # encryption, config
> > dn: cn=encryption,cn=config
> > objectClass: top
> > objectClass: nsEncryptionConfig
> > cn: encryption
> > nsSSLSessionTimeout: 0
> > nsSSLClientAuth: allowed
> > sslVersionMin: TLS1.0
> > nsSSL3Ciphers: +all
> > allowWeakCipher: off
> > nsSSL3: off
> > nsSSL2: off
> > ... (skipping nsSSLEnabledCiphers) ...
> > nsTLS1: on
> > sslVersionMax: TLS1.2
> >
> > SLAPD error log got longer:
> >
> > SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
> > [23/Sep/2015:09:37:28 -0600] - SSL alert: Configured NSS Ciphers
> > [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - 389-Directory/1.3.3.8 B2015.040.128 starting up
> >
> > SSLScan Output:
> >
> > sslscan --no-failed localhost:636
> >
> > ...
> > Supported Server Cipher(s):
> > Accepted TLSv1 256 bits AES256-SHA
> > Accepted TLSv1 128 bits AES128-SHA
> > Accepted TLSv1 128 bits DES-CBC3-SHA
> > Accepted TLSv1 128 bits RC4-SHA
> > Accepted TLSv1 128 bits RC4-MD5
> > Accepted TLS11 256 bits AES256-SHA
> > Accepted TLS11 128 bits AES128-SHA
> > Accepted TLS11 128 bits DES-CBC3-SHA
> > Accepted TLS11 128 bits RC4-SHA
> > Accepted TLS11 128 bits RC4-MD5
> > Accepted TLS12 256 bits AES256-SHA256
> > Accepted TLS12 256 bits AES256-SHA
> > Accepted TLS12 128 bits AES128-GCM-SHA256
> > Accepted TLS12 128 bits AES128-SHA256
> > Accepted TLS12 128 bits AES128-SHA
> > Accepted TLS12 128 bits DES-CBC3-SHA
> > Accepted TLS12 128 bits RC4-SHA
> > Accepted TLS12 128 bits RC4-MD5
> >
> >
> > On Wed, Sep 23, 2015 at 8:19 AM, Ludwig Krispenz <[email protected]> wrote:
> >
> >> On 09/23/2015 05:05 PM, Michael Lasevich wrote:
> >>
> >> Yes, I am talking about 389ds as is integrated in FreeIPA (would be silly
> >> to post completely non-IPA questions to this list...).
> >> I am running FreeIPA 4.1.4 on CentOS 7.1 and RC4 is enabled on port 636 no
> >> matter what I do.
> >>
> >> I am running "CentOS Linux release 7.1.1503 (Core)"
> >>
> >> Relevant Packages:
> >>
> >> freeipa-server-4.1.4-1.el7.centos.x86_64
> >> 389-ds-base-1.3.3.8-1.el7.centos.x86_64
> >> nss-3.19.1-5.el7_1.x86_64
> >> openssl-1.0.1e-42.el7.9.x86_64
> >>
> >> LDAP setting (confirmed that in error.log there is no mention of RC4 in
> >> list of ciphers):
> >>
> >> nsSSL3Ciphers:
> >> -rc4,-rc4export,-rc2,-rc2export,-des,-desede3,-rsa_rc4_128_md5,-rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,+rsa_fips_3des_sha,+fips_3des_sha,-rsa_fips_des_sha,-fips_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,-tls_rsa_export1024_with_rc4_56_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha,-rsa_des_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-dhe_dss_des_sha,+dhe_dss_3des_sha,-dhe_rsa_des_sha,+dhe_rsa_3des_sha,+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,+tls_dhe_dss_aes_256_sha,+tls_dhe_rsa_aes_256_sha,-tls_dhe_dss_1024_rc4_sha,-tls_dhe_dss_rc4_128_sha
> >>
> >> with ipa the config entry should contain:
> >>
> >> dn: cn=encryption,cn=config
> >> allowWeakCipher: off
> >> nsSSL3Ciphers: +all
> >>
> >> could you try this setting
> >>
> >> Slapd "error" log showing no ciphersuites supporting RC4:
> >>
> >> [23/Sep/2015:08:51:04 -0600] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
> >> [23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite fortezza is not available in NSS 3.16. Ignoring fortezza
> >> [23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite fortezza_rc4_128_sha is not available in NSS 3.16. Ignoring fortezza_rc4_128_sha
> >> [23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite fortezza_null is not available in NSS 3.16. Ignoring fortezza_null
> >> [23/Sep/2015:08:51:04 -0600] - SSL alert: Configured NSS Ciphers
> >> [23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
> >> [23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
> >> [23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
> >> [23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
> >> [23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
> >> [23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
> >> [23/Sep/2015:08:51:04 -0600] - 389-Directory/1.3.3.8 B2015.040.128 starting up
> >>
> >> But sslscan returns:
> >>
> >> $ sslscan --no-failed localhost:636
> >> ...
> >>
> >> Supported Server Cipher(s):
> >>
> >> Accepted TLSv1 256 bits AES256-SHA
> >> Accepted TLSv1 128 bits AES128-SHA
> >> Accepted TLSv1 128 bits DES-CBC3-SHA
> >> Accepted TLSv1 128 bits RC4-SHA
> >> Accepted TLSv1 128 bits RC4-MD5
> >> Accepted TLS11 256 bits AES256-SHA
> >> Accepted TLS11 128 bits AES128-SHA
> >> Accepted TLS11 128 bits DES-CBC3-SHA
> >> Accepted TLS11 128 bits RC4-SHA
> >> Accepted TLS11 128 bits RC4-MD5
> >> Accepted TLS12 256 bits AES256-SHA256
> >> Accepted TLS12 256 bits AES256-SHA
> >> Accepted TLS12 128 bits AES128-GCM-SHA256
> >> Accepted TLS12 128 bits AES128-SHA256
> >> Accepted TLS12 128 bits AES128-SHA
> >> Accepted TLS12 128 bits DES-CBC3-SHA
> >> Accepted TLS12 128 bits RC4-SHA
> >> Accepted TLS12 128 bits RC4-MD5
> >>
> >> ...
> >>
> >> I would assume the sslscan is broken, but nmap and other scanners all
> >> confirm that RC4 is still on.
> >>
> >> -M
> >>
> >> On Wed, Sep 23, 2015 at 3:35 AM, Martin Kosek <[email protected]> wrote:
> >>
> >>> On 09/23/2015 11:00 AM, Michael Lasevich wrote:
> >>>> OK, this is a most bizarre issue,
> >>>>
> >>>> I am trying to disable RC4 based TLS Cipher Suites in LDAPs (port 636) and
> >>>> for the life of me cannot get it to work.
> >>>>
> >>>> I have followed many nearly identical instructions to create an ldif file and
> >>>> change "nsSSL3Ciphers" in "cn=encryption,cn=config". Seems simple enough -
> >>>> and I get it to take, and during the startup I can see the right SSL Cipher
> >>>> Suites listed in errors.log - but when it starts and I probe it, RC4
> >>>> ciphers are still there. I am completely confused.
> >>>>
> >>>> I tried setting "nsSSL3Ciphers" to "default" (which does not have "RC4")
> >>>> and to old style cipher lists (lowercase), and new style cipher
> >>>> lists (uppercase), and nothing seems to make any difference.
> >>>>
> >>>> Any ideas?
> >>>>
> >>>> -M
> >>>
> >>> Are you asking about standalone 389-DS or the one integrated in FreeIPA? As
> >>> with currently supported versions of FreeIPA, RC4 ciphers should be already
> >>> gone, AFAIK.
> >>>
> >>> In RHEL/CentOS world, it should be fixed in 6.7/7.1 or later:
> >>>
> >>> https://bugzilla.redhat.com/show_bug.cgi?id=1154687
> >>> https://fedorahosted.org/freeipa/ticket/4653
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
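The lesson of the thread is that the cn=encryption,cn=config entry and the slapd error log can both look clean while the running server still offers RC4, so the configuration has to be checked against what a scanner sees on the wire. The script below is an added example, not code from the thread or from the FreeIPA/389-DS projects: it parses an ldapsearch dump of the encryption entry and an sslscan report, flags weak suites in each, and classifies the pair as OK, WEAK_CONFIG (the entry itself enables weak suites) or MISMATCH (entry clean, wire still weak, which is the situation Michael hit with the stale 389-ds-base build). The sample inputs are copied from the thread; the weak-cipher patterns, verdict labels and function names are this example's own choices.

```python
"""Cross-check a 389-DS cn=encryption,cn=config entry against the cipher
suites a scanner actually observed.  Added example; not FreeIPA/389-DS code.
Sample inputs are copied from the thread; patterns and names are assumptions."""
import re

# Lower-cased markers for weak suites in both the old 389-DS/NSS spelling used
# in nsSSL3Ciphers (rsa_rc4_128_md5) and the OpenSSL spelling sslscan prints
# (RC4-MD5).  Single DES is matched as "_des_" / "des-cbc-" so that 3DES
# ("_3des_", "des-cbc3") is deliberately not caught.
WEAK_PATTERNS = ("rc4", "rc2", "md5", "null", "export", "exp-",
                 "_des_", "des-cbc-", "fortezza")

SCAN_LINE = re.compile(r"^\s*Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)", re.M)


def is_weak(name):
    """True if a suite name (either naming style) contains a weak marker."""
    n = name.lower()
    return any(p in n for p in WEAK_PATTERNS)


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr (lower-cased): [values]}.
    Joins folded lines (leading space) and skips '#' comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def cipher_tokens(spec):
    """Split an nsSSL3Ciphers value into (sign, lower-cased name) pairs."""
    tokens = []
    for tok in (t.strip() for t in spec.split(",")):
        if tok:
            sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
            tokens.append((sign, name.lower()))
    return tokens


def config_findings(attrs):
    """Problems visible in the encryption entry itself."""
    first = lambda a: attrs.get(a.lower(), [""])[0].lower()
    findings = [f"{p} is on" for p in ("nsSSL2", "nsSSL3") if first(p) == "on"]
    tokens = cipher_tokens(first("nsSSL3Ciphers"))
    # The setting recommended in the thread is "+all" plus allowWeakCipher: off.
    if ("+", "all") in tokens and first("allowWeakCipher") != "off":
        findings.append("nsSSL3Ciphers is +all but allowWeakCipher is not off")
    findings += [f"weak suite explicitly enabled: {n}"
                 for s, n in tokens if s == "+" and n != "all" and is_weak(n)]
    return findings


def parse_sslscan(text):
    """(protocol, bits, suite) for every 'Accepted ...' line in an sslscan report."""
    return [(m.group(1), int(m.group(2)), m.group(3)) for m in SCAN_LINE.finditer(text)]


def wire_findings(accepted):
    """Sorted weak suites the server really negotiated."""
    return sorted({suite for _, _, suite in accepted if is_weak(suite)})


def verdict(config_text, scan_text):
    """Return (label, config_findings, weak_suites_on_wire).
    MISMATCH means the entry is clean but the running slapd still offers weak
    suites, i.e. the process is not honouring its config (the thread's case)."""
    cfg = config_findings(parse_ldif_entry(config_text))
    wire = wire_findings(parse_sslscan(scan_text))
    label = "WEAK_CONFIG" if cfg else ("MISMATCH" if wire else "OK")
    return label, cfg, wire


# Copied from the thread: Michael's second ldapsearch and part of his sslscan run.
CONFIG_FROM_THREAD = """\
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
sslVersionMin: TLS1.0
nsSSL3Ciphers: +all
allowWeakCipher: off
nsSSL3: off
nsSSL2: off
nsTLS1: on
sslVersionMax: TLS1.2
"""
SSLSCAN_FROM_THREAD = """\
Supported Server Cipher(s):
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits DES-CBC3-SHA
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
Accepted TLS12 128 bits AES128-GCM-SHA256
Accepted TLS12 128 bits RC4-SHA
"""

if __name__ == "__main__":
    label, cfg, wire = verdict(CONFIG_FROM_THREAD, SSLSCAN_FROM_THREAD)
    print(label, cfg, wire)
```

Run against the thread's own data it reports MISMATCH with RC4-MD5 and RC4-SHA on the wire and no configuration findings, which is the signal to stop editing the entry and look at the installed 389-ds-base build instead. Michael's long explicit nsSSL3Ciphers list also yields no findings, since every RC4, DES, MD5 and NULL suite in it carries a "-" prefix.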
