On 2016-01-21 17:54, Terry John wrote:
>>> I've been trying to tidy the security on my FreeIPA and this is
>>> causing me some problems. I'm using OpenVAS vulnerability scanner and
>>> it is coming up with this issue
>>>
>>> EXPORT_RSA cipher suites supported by the remote server:
>>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0006)
>>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0003)
>>>
>>> It seems we have to disable export TLS ciphers but I can't see how. I've
>>> edited /etc/httpd/conf.d/nss.conf and disabled all SSL and TLSV1.0.
>>
>>> NSSCipherSuite -all,-exp,+<the ones I want>
>>>
>>> I've restarted httpd and ipa but it still fails
>>>
>>> Is there something I have overlooked?
>
>
>> Hi Terry,
>>
>> Please check
>> https://fedorahosted.org/freeipa/ticket/5589
>>
>> We are trying to come up with a better cipher suite right now. The fix
>> should be in some of the next FreeIPA 4.3.x versions.
>>
>> The ticket has more details in it.
>
> Thanks for the info. I have tried nearly all the NSSCipherSuite settings in
> that ticket but none so far has eliminated the FREAK report.
> Christian, thanks for the heads up on the syntax, I wasn't sure of what I was
> doing.
>
> Each time I've made a change I've run an sslscan from the OpenVAS scanner and
> I do get a different result each time, but the errors still remain in OpenVAS.
> Aaargh! Just noticed the port is 636/tcp(!) which is ns-slapd.
>
> Back to the drawing board :-)
The TLS/SSL configuration of the LDAP server is handled by a different configuration file. It's on my radar, but I haven't touched it yet.

LDAP clients and browsers are different beasts. ssllabs.com makes it very convenient to test a site against all relevant browsers. There is no such service for LDAP.

By the way, does OpenVAS also detect issues on 389/TCP for LDAP with STARTTLS? 389/TCP talks plain TCP first but can be upgraded to TLS with STARTTLS.

Christian
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
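The thread ends with two open points: the EXPORT_RSA finding is on 636/tcp (ns-slapd, not httpd), and it is unclear whether the plaintext 389/tcp port is also checked once it is upgraded with StartTLS. The following is an added example, not code from the thread, from FreeIPA or from 389-ds: a small Python probe that offers the server only the two export suites named in the OpenVAS report (0x0006 and 0x0003) in a TLS 1.0 ClientHello and classifies the reply. A ServerHello choosing one of them means export RSA is still enabled; a handshake_failure alert (40) means the suites are refused, and a protocol_version alert (70) means TLS 1.0 as a whole is refused. For 389/tcp it first sends the LDAP StartTLS extended operation (RFC 4511, OID 1.3.6.1.4.1.1466.20037) so the same check covers the STARTTLS path. The hostname `ipa.example.test`, the `probe`/`verdict` helper names and the hand-built BER/TLS encoders are all assumptions for illustration; nothing is validated beyond the first record the server sends back.

```python
"""Added example: probe an LDAP server (636/tcp, or 389/tcp via StartTLS) for the
EXPORT_RSA suites from the OpenVAS report. Host/port values are assumptions."""
import os
import socket
import struct

EXPORT_RSA_SUITES = {          # IDs exactly as listed in the OpenVAS finding
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
}
TLS10 = b"\x03\x01"
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation

# --- minimal BER, enough for the StartTLS request/response -------------------
def ber_tlv(tag, value):
    """Encode one BER TLV with a definite (short or long form) length."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value

def ber_read(buf, pos=0):
    """Decode the TLV at pos; return (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln

def starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msg_id])) + ext)

def starttls_result_code(resp):
    """resultCode (0 = success) from an ExtendedResponse [APPLICATION 24]."""
    tag, body, _ = ber_read(resp)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, p = ber_read(body)               # skip messageID
    tag, ext, _ = ber_read(body, p)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    _, code, _ = ber_read(ext)             # first element is resultCode ENUMERATED
    return int.from_bytes(code, "big")

# --- TLS 1.0 ClientHello and reply classification ----------------------------
def client_hello(suites, version=TLS10):
    """Record-layer ClientHello offering only `suites`, no extensions."""
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (version + os.urandom(32) + b"\x00"                 # version, random, empty session id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00")                                     # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body         # handshake type 1 = ClientHello
    return b"\x16" + version + struct.pack("!H", len(hs)) + hs # record type 22 = handshake

def parse_server_reply(rec):
    """('accepted', suite_id) for a ServerHello, ('alert', description) for an alert."""
    ctype, ln = rec[0], struct.unpack("!H", rec[3:5])[0]
    payload = rec[5:5 + ln]
    if ctype == 0x15:                                          # alert: level, description
        return ("alert", payload[1])
    if ctype == 0x16 and payload[0] == 0x02:                   # ServerHello
        sid_len = payload[38]                                  # 4 hdr + 2 version + 32 random
        off = 39 + sid_len
        return ("accepted", struct.unpack("!H", payload[off:off + 2])[0])
    return ("other", ctype)

def verdict(result):
    kind, val = result
    if kind == "accepted" and val in EXPORT_RSA_SUITES:
        return "VULNERABLE: server negotiated %s" % EXPORT_RSA_SUITES[val]
    if kind == "alert":
        # 40 = handshake_failure (suites refused), 70 = protocol_version (TLS 1.0 refused)
        return "OK: server refused (alert %d)" % val
    return "INCONCLUSIVE: %s %r" % (kind, val)

def recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("connection closed")
        data += chunk
    return data

def probe(host, port, starttls=False, timeout=5):
    with socket.create_connection((host, port), timeout) as s:
        if starttls:                                           # upgrade 389/tcp first
            s.sendall(starttls_request())
            if starttls_result_code(s.recv(4096)) != 0:
                return ("other", "StartTLS refused")
        s.sendall(client_hello(list(EXPORT_RSA_SUITES)))
        hdr = recv_exact(s, 5)
        return parse_server_reply(hdr + recv_exact(s, struct.unpack("!H", hdr[3:5])[0]))

if __name__ == "__main__":
    host = "ipa.example.test"                                  # assumed hostname
    for port, upgrade in ((636, False), (389, True)):
        print(port, verdict(probe(host, port, starttls=upgrade)))
```

Because the ClientHello offers nothing but the export suites, any ServerHello at all is a positive finding; you do not have to reason about server preference order. Run it against 636 and 389 after each change to the directory server's cipher configuration, and remember that a protocol_version alert only proves TLS 1.0 is off, not that the export suites are gone from whatever versions remain enabled.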
