I'm really confused now. After the problem where my FreeIPA server would not start and I had to use the backup I'm trying to do things in small steps.
Listening to everything that has been said (thanks) I edited slapd-<MY-NET>/dse.ldif and slapd-PKI-IPA/dse.ldif and changed the lines

nsSSL3Ciphers: <My-Original-Ciphers>

to

nsSSL3Ciphers: +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha

(There is a space after the colon.) Then I did a 'service ip restart' and when I looked the dse.ldif files had reverted back to their original settings. Where am I going wrong?

Terry

-----Original Message-----
From: Rob Crittenden [mailto:[email protected]]
Sent: 28 January 2016 04:49
To: Marat Vyshegorodtsev; Terry John; [email protected]
Subject: Re: [Freeipa-users] FREAK Vulnerability

Marat Vyshegorodtsev wrote:
> My two cents:
>
> My "magic" string for NSS is like this (I had to move to Fedora 23
> from CentOS in order to get more recent NSS version though):
>
> NSSProtocol TLSv1.2
> NSSCipherSuite -All,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+aes_256_sha_256,+aes_128_sha_256,+rsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_rsa_aes_128_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_gcm_sha_256

The -All is a syntax error (ignored). All ciphers are disabled by default anyway.

I'd suggest using the ticket already referenced as a starting point.

/usr/lib[64]/nss/unsupported-tools/listsuites is also handy to see what is enabled by default in NSS (though again, everything is disabled by mod_nss at startup).

rob

>
> My cert is ECDSA private CA though. If you are interested, I can give
> you my chef recipe snippets to configure it.
>
> On Thu, Jan 28, 2016 at 11:02 AM, Marat Vyshegorodtsev
> <[email protected]> wrote:
>> My two cents:
>>
>> My "magic" string for NSS is like this (I had to move to Fedora 23
>> from CentOS in order to get more recent NSS version though):
>>
>> NSSProtocol TLSv1.2
>> NSSCipherSuite -All,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+aes_256_sha_256,+aes_128_sha_256,+rsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_rsa_aes_128_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_gcm_sha_256
>>
>> My cert is ECDSA private CA though. If you are interested, I can give
>> you my chef recipe snippets to configure it.
>>
>> Marat
>>
>> On Fri, Jan 22, 2016 at 1:54 AM, Terry John
>> <[email protected]> wrote:
>>>>> I've been trying to tidy the security on my FreeIPA and this is
>>>>> causing me some problems. I'm using OpenVAS vulnerability scanner
>>>>> and it is coming up with this issue
>>>>>
>>>>> EXPORT_RSA cipher suites supported by the remote server:
>>>>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0006)
>>>>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0003)
>>>>>
>>>>> It seems we have to disable export TLS ciphers but I can't see how. I've
>>>>> edited /etc/httpd/conf.d/nss.conf and disabled all SSL and TLSV1.0.
>>>>
>>>>> NSSCipherSuite -all,-exp,+<the ones I want>
>>>>>
>>>>> I've restarted httpd and ipa but it still fails
>>>>>
>>>>> Is there something I have overlooked
>>>
>>>
>>>> Hi Terry,
>>>>
>>>> Please check
>>>> https://fedorahosted.org/freeipa/ticket/5589
>>>>
>>>> We are trying to come up with a better cipher suite right now. The fix
>>>> should be in some of the next FreeIPA 4.3.x versions.
>>>>
>>>> The ticket has more details in it.
>>>
>>> Thanks for the info. I have tried nearly all the NSSCipherSuite settings in
>>> that ticket but none so far has eliminated the FREAK report.
>>> Christian thanks for the heads up on the syntax, I wasn't sure of
>>> what I was doing
>>>
>>> Each time I've made a change I've run an sslscan from the OpenVAS scanner
>>> and I do get a different result each time but the errors still remain in
>>> OpenVAS.
>>> Aaargh! Just noticed the port is 636/tcp(!) which is ns-slapd.
>>>
>>> Back to the drawing board :-)
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
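A quick way to re-check the 636/tcp finding after each config change without a full OpenVAS rescan, as an added example that is not code from this thread: send the listener a TLS 1.0 ClientHello that offers only the two EXPORT_RSA suites the scanner listed (0x0003 and 0x0006). A ServerHello back means the server still accepts one of them; an alert or a closed connection means it does not. The host name is a placeholder.

```python
"""Re-check the OpenVAS finding from the thread: offer a TLS listener only the
two EXPORT_RSA suites it reported and see whether the server picks one.
Added example, not code from the thread; the host below is a placeholder."""
import os
import socket
import struct
import sys

# Suite IDs exactly as OpenVAS reported them on 636/tcp
EXPORT_RSA_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
}

def build_client_hello(suites, version=(3, 1)):
    """Minimal TLS 1.0 ClientHello (no extensions) carrying only `suites`."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (bytes(version) + os.urandom(32) + b"\x00"   # version, random, empty session id
            + struct.pack("!H", len(cs)) + cs            # cipher_suites vector
            + b"\x01\x00")                               # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake

def classify_response(data):
    """('accepted', suite_id) if a ServerHello came back, ('rejected', None) on an
    alert or closed connection, ('unknown', None) for anything else."""
    if len(data) >= 46 and data[0] == 0x16 and data[5] == 0x02:   # handshake / server_hello
        sid_len = data[43]                                          # 5 + 4 + 2 + 32 = 43
        off = 44 + sid_len
        if len(data) >= off + 2:
            return ("accepted", struct.unpack("!H", data[off:off + 2])[0])
    if not data or data[0] == 0x15:                                 # alert (e.g. handshake_failure)
        return ("rejected", None)
    return ("unknown", None)

def probe_export_rsa(host, port=636, timeout=5.0):
    """Connect, send the probe, and classify the first bytes the server answers with."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(EXPORT_RSA_SUITES))
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "ipa.example.test"   # placeholder host
    verdict, suite = probe_export_rsa(target)
    name = EXPORT_RSA_SUITES.get(suite, hex(suite) if suite is not None else "-")
    print(f"{target}:636 export RSA suites: {verdict} ({name})")
```

Run it against the FreeIPA host right after restarting ns-slapd; a "rejected" verdict on 636 is what a fixed nsSSL3Ciphers setting should produce.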
