My two cents:

My "magic" string for NSS is like this (I had to move to Fedora 23 from CentOS in order to get a more recent NSS version though):

NSSProtocol TLSv1.2
NSSCipherSuite -All,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+aes_256_sha_256,+aes_128_sha_256,+rsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_rsa_aes_128_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_gcm_sha_256

My cert is from an ECDSA private CA though. If you are interested, I can give you my chef recipe snippets to configure it.

On Thu, Jan 28, 2016 at 11:02 AM, Marat Vyshegorodtsev <[email protected]> wrote:
> My two cents:
>
> My "magic" string for NSS is like this (I had to move to Fedora 23
> from CentOS in order to get a more recent NSS version though):
>
> NSSProtocol TLSv1.2
> NSSCipherSuite
> -All,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+aes_256_sha_256,+aes_128_sha_256,+rsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_rsa_aes_128_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_gcm_sha_256
>
> My cert is from an ECDSA private CA though. If you are interested, I can give
> you my chef recipe snippets to configure it.
>
> Marat
>
> On Fri, Jan 22, 2016 at 1:54 AM, Terry John
> <[email protected]> wrote:
>>>> I've been trying to tidy the security on my FreeIPA and this is
>>>> causing me some problems. I'm using OpenVAS vulnerability scanner and
>>>> it is coming up with this issue:
>>>>
>>>> EXPORT_RSA cipher suites supported by the remote server:
>>>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0006)
>>>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0003)
>>>>
>>>> It seems we have to disable export TLS ciphers but I can't see how. I've
>>>> edited /etc/httpd/conf.d/nss.conf and disabled all SSL and TLSv1.0.
>>>>
>>>> NSSCipherSuite -all,-exp,+<the ones I want>
>>>>
>>>> I've restarted httpd and ipa but it still fails.
>>>>
>>>> Is there something I have overlooked?
>>
>>
>>> Hi Terry,
>>>
>>> Please check
>>> https://fedorahosted.org/freeipa/ticket/5589
>>>
>>> We are trying to come up with a better cipher suite right now. The fix
>>> should be in some of the next FreeIPA 4.3.x versions.
>>>
>>> The ticket has more details in it.
>>
>> Thanks for the info. I have tried nearly all the NSSCipherSuite settings in
>> that ticket but none so far has eliminated the FREAK report.
>> Christian, thanks for the heads up on the syntax; I wasn't sure of what I was
>> doing.
>>
>> Each time I've made a change I've run an sslscan from the OpenVAS scanner
>> and I do get a different result each time, but the error still remains in
>> OpenVAS.
>> Aaargh! Just noticed the port is 636/tcp(!) which is ns-slapd.
>>
>> Back to the drawing board :-)
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
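The thread turns on two things: what an NSSCipherSuite value such as "-All,+..." or "-all,-exp,+..." actually enables, and the late realisation that the OpenVAS export-cipher finding is on 636/tcp (ns-slapd), so editing /etc/httpd/conf.d/nss.conf could never have changed it. The script below is an added example, not code from the thread, mod_nss or FreeIPA. It resolves a +name/-name list left to right the way the thread's directives are written, collapses the duplicated entries in Marat's string, reports tokens that name nothing (a "-exp" or a typo would otherwise silently do nothing in this model), and flags suites whose IANA name carries an export, RC4, RC2, NULL, DES or MD5 marker. The catalogue of mod_nss names and their IANA equivalents is a constructed subset covering the names in the thread plus the two export suites OpenVAS listed; the mapping and the "all" pseudo-name semantics are assumptions from my reading of mod_nss, so check them against your version before relying on them. Because the resolver is directive-agnostic it can be run on whichever cipher list the 636/tcp finding really belongs to.

```python
"""Resolve a mod_nss-style NSSCipherSuite value and flag weak suites.

Added example for the freeipa-users thread above; not code from mod_nss,
FreeIPA or any poster. Assumptions (not from the thread): tokens are
"+name" / "-name", applied left to right, and the pseudo-name "all"
(case-insensitive, so "-All" works) stands for every name in CATALOGUE.
CATALOGUE is a constructed subset: the names in Marat's directive plus the
two export suites OpenVAS reported, mapped to the IANA names the scanner
prints. Verify the mapping against your mod_nss version.
"""

# mod_nss name -> IANA suite name (assumed mapping, see module docstring)
CATALOGUE = {
    # export-grade suites from the OpenVAS finding in the thread
    "rsa_rc4_40_md5": "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "rsa_rc2_40_md5": "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    # a few other legacy suites so "+all" has something weak to show
    "rsa_rc4_128_md5": "TLS_RSA_WITH_RC4_128_MD5",
    "rsa_3des_sha": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "rsa_null_sha": "TLS_RSA_WITH_NULL_SHA",
    # the suites named in Marat's directive
    "ecdhe_ecdsa_aes_128_sha": "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "ecdhe_ecdsa_aes_256_sha": "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "ecdh_ecdsa_aes_128_sha": "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
    "ecdh_ecdsa_aes_256_sha": "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
    "aes_256_sha_256": "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "aes_128_sha_256": "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "rsa_aes_128_gcm_sha_256": "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "ecdhe_ecdsa_aes_128_sha_256": "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "ecdhe_rsa_aes_128_sha_256": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "ecdhe_ecdsa_aes_128_gcm_sha_256": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "ecdhe_rsa_aes_128_gcm_sha_256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

# substrings of an IANA name that make a suite "weak" for this check
WEAK_MARKERS = ("EXPORT", "RC4", "RC2", "NULL", "3DES", "_DES_", "MD5")

# Marat's directive, copied from the thread (it repeats two entries)
MARAT_SUITE = (
    "-All,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,"
    "+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,"
    "+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,"
    "+aes_256_sha_256,+aes_128_sha_256,+rsa_aes_128_gcm_sha_256,"
    "+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_rsa_aes_128_sha_256,"
    "+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_gcm_sha_256"
)


def resolve(directive):
    """Apply +/- tokens left to right; return (enabled, unknown).

    enabled: catalogue names left on, in first-enable order, duplicates
             collapsed.
    unknown: tokens that name nothing in CATALOGUE; in this model such a
             token silently does nothing, which is exactly why it is reported.
    """
    enabled = []
    unknown = []
    for raw in directive.split(","):
        tok = raw.strip()
        if not tok:
            continue
        sign, name = tok[0], tok[1:].lower()
        if sign not in "+-" or not name:
            raise ValueError("token must be +name or -name: %r" % raw)
        if name == "all":
            targets = list(CATALOGUE)
        elif name in CATALOGUE:
            targets = [name]
        else:
            unknown.append(tok)
            continue
        for n in targets:
            if sign == "+" and n not in enabled:
                enabled.append(n)
            elif sign == "-" and n in enabled:
                enabled.remove(n)
    return enabled, unknown


def weak_suites(enabled):
    """Return the enabled names whose IANA name carries a weak marker."""
    return [n for n in enabled
            if any(m in CATALOGUE[n] for m in WEAK_MARKERS)]


def audit(directive):
    """One-shot report: enabled names, unknown tokens, weak enabled names."""
    enabled, unknown = resolve(directive)
    return {"enabled": enabled, "unknown": unknown,
            "weak": weak_suites(enabled)}


if __name__ == "__main__":
    cases = (
        ("Marat", MARAT_SUITE),
        ("+all", "+all"),
        ("+all minus export", "+all,-rsa_rc4_40_md5,-rsa_rc2_40_md5"),
        ("Terry's pattern", "-all,-exp,+ecdhe_rsa_aes_128_gcm_sha_256"),
    )
    for label, directive in cases:
        r = audit(directive)
        print("%-18s enabled=%2d unknown=%s weak=%s"
              % (label, len(r["enabled"]), r["unknown"], r["weak"]))
```

Run as-is it prints one line per case: Marat's directive resolves to 11 distinct suites with nothing weak and nothing unknown; a bare "+all" leaves both export suites from the OpenVAS finding enabled; explicitly subtracting those two still leaves RC4, 3DES and NULL on, which is why the thread's "-All then add what you want" shape is the safer starting point; and the "-all,-exp,+..." pattern shows "-exp" reported as unknown to this catalogue rather than quietly ignored.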
