Marat Vyshegorodtsev wrote:
> My two cents:
>
> My "magic" string for NSS is like this (I had to move to Fedora 23
> from CentOS in order to get more recent NSS version though):
>
> NSSProtocol TLSv1.2
> NSSCipherSuite
> -All,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+aes_256_sha_256,+aes_128_sha_256,+rsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_rsa_aes_128_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_gcm_sha_256
The -All is a syntax error (ignored). All ciphers are disabled by default anyway. I'd suggest using the ticket already referenced as a starting point. /usr/lib[64]/nss/unsupported-tools/listsuites is also handy to see what is enabled by default in NSS (though again, everything is disabled by mod_nss at startup).

rob

> My cert is ECDSA private CA though. If you are interested, I can give
> you my chef recipe snippets to configure it.
>
> On Thu, Jan 28, 2016 at 11:02 AM, Marat Vyshegorodtsev
> <[email protected]> wrote:
>> On Fri, Jan 22, 2016 at 1:54 AM, Terry John
>> <[email protected]> wrote:
>>>>> I've been trying to tidy the security on my FreeIPA and this is
>>>>> causing me some problems. I'm using OpenVAS vulnerability scanner and
>>>>> it is coming up with this issue
>>>>>
>>>>> EXPORT_RSA cipher suites supported by the remote server:
>>>>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0006)
>>>>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0003)
>>>>>
>>>>> It seems we have to disable export TLS ciphers but I can't see how. I've
>>>>> edited /etc/httpd/conf.d/nss.conf and disabled all SSL and TLSv1.0.
>>>>>
>>>>> NSSCipherSuite -all,-exp,+<the ones I want>
>>>>>
>>>>> I've restarted httpd and ipa but it still fails
>>>>>
>>>>> Is there something I have overlooked
>>>
>>>> Hi Terry,
>>>>
>>>> Please check
>>>> https://fedorahosted.org/freeipa/ticket/5589
>>>>
>>>> We are trying to come up with a better cipher suite right now. The fix
>>>> should be in some of the next FreeIPA 4.3.x versions.
>>>>
>>>> The ticket has more details in it.
>>>
>>> Thanks for the info. I have tried nearly all the NSSCipherSuite settings in
>>> that ticket but none so far has eliminated the FREAK report.
>>> Christian, thanks for the heads-up on the syntax; I wasn't sure what I
>>> was doing.
>>>
>>> Each time I've made a change I've run an sslscan from the OpenVAS scanner
>>> and I do get a different result each time, but the errors still remain in
>>> OpenVAS.
>>> Aaargh! Just noticed the port is 636/tcp(!) which is ns-slapd.
>>>
>>> Back to the drawing board :-)
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
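An added example, not from the thread or from mod_nss itself: a small Python checker that applies an NSSCipherSuite value the way Rob describes (every suite starts disabled, only '+name' enables, and tokens mod_nss does not recognise such as -All or -exp are ignored), reports the entries duplicated in Marat's string, and flags any enabled suite that a scanner like OpenVAS would report as export, RC4 or MD5. The cipher-name table is a constructed, partial one built from the names quoted in the thread, the two export-suite spellings and the case-insensitive matching are my assumptions, and the weak-suite test is a heuristic, not mod_nss's own list.

```python
import re
from collections import Counter

# Constructed, partial table of mod_nss cipher names: those quoted in this thread
# plus my assumed mod_nss spellings of the two export suites OpenVAS reported.
KNOWN = {
    "ecdhe_ecdsa_aes_128_sha", "ecdhe_ecdsa_aes_256_sha",
    "ecdh_ecdsa_aes_128_sha", "ecdh_ecdsa_aes_256_sha",
    "aes_256_sha_256", "aes_128_sha_256", "rsa_aes_128_gcm_sha_256",
    "ecdhe_ecdsa_aes_128_sha_256", "ecdhe_rsa_aes_128_sha_256",
    "ecdhe_ecdsa_aes_128_gcm_sha_256", "ecdhe_rsa_aes_128_gcm_sha_256",
    "rsa_rc4_40_md5", "rsa_rc2_40_md5",  # assumed names for the 40-bit export suites
}
# Heuristic: name fragments marking suites a scanner flags (40-bit export, RC4, RC2, MD5, DES, NULL).
WEAK = re.compile(r"_40_|rc4|rc2|md5|(^|_)des_|null")


def check_nss_cipher_suite(directive):
    """Apply an NSSCipherSuite value the way mod_nss does: every suite starts disabled,
    '+name' enables, '-name' disables, and any other token (e.g. '-All') is ignored.
    Returns the effective enabled list, ignored tokens, duplicates and weak suites."""
    parts = directive.split(None, 1)
    value = parts[1] if len(parts) == 2 and parts[0].lower() == "nssciphersuite" else directive
    enabled, ignored, seen = [], [], Counter()
    for tok in (t.strip() for t in value.split(",") if t.strip()):
        sign, name = tok[0], tok[1:].lower()  # case-insensitive matching is an assumption
        if sign not in "+-" or name not in KNOWN:
            ignored.append(tok)  # mod_nss drops what it does not understand
            continue
        seen[name] += 1
        if sign == "+" and name not in enabled:
            enabled.append(name)
        elif sign == "-" and name in enabled:
            enabled.remove(name)
    return {
        "enabled": enabled,
        "ignored": ignored,
        "duplicates": sorted(n for n, c in seen.items() if c > 1),
        "weak": [n for n in enabled if WEAK.search(n)],
    }


if __name__ == "__main__":
    # Marat's directive from the thread, as posted (wrapped here).
    marat = ("NSSCipherSuite -All,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,"
             "+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_128_sha,"
             "+ecdhe_ecdsa_aes_256_sha,+aes_256_sha_256,+aes_128_sha_256,+rsa_aes_128_gcm_sha_256,"
             "+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_rsa_aes_128_sha_256,"
             "+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_gcm_sha_256")
    for key, val in check_nss_cipher_suite(marat).items():
        print(f"{key}: {val}")
```

This only tells you what httpd's mod_nss will do with nss.conf; as Terry found, the 636/tcp finding came from ns-slapd, which has its own cipher configuration and never reads that file.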
