Terry John wrote:
> I'm really confused now. After the problem where my freeipa server would not
> start and I had to use the backup I'm trying to do things in small steps.
>
> Listening to everything that has been said (thanks) I edited
> slapd-<MY-NET>/dse.ldif slapd-PKI-IPA/dse.ldif and changed the lines
>
> nsSSL3Ciphers: <My-Original-Ciphers>
> to
> nsSSL3Ciphers: +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha
> (There is a space after the colon)
>
> Then I did a 'service ip restart' and when I looked the dse.ldif files had
> reverted back to their original settings.
>
> Where am I going wrong?

dse.ldif is written out when the server shuts down so any changes you make
to it while 389-ds is running are lost.

rob

> Terry
>
> -----Original Message-----
> From: Rob Crittenden [mailto:[email protected]]
> Sent: 28 January 2016 04:49
> To: Marat Vyshegorodtsev; Terry John; [email protected]
> Subject: Re: [Freeipa-users] FREAK Vulnerability
>
> Marat Vyshegorodtsev wrote:
>> My two cents:
>>
>> My "magic" string for NSS is like this (I had to move to Fedora 23
>> from CentOS in order to get more recent NSS version though):
>>
>> NSSProtocol TLSv1.2
>> NSSCipherSuite -All,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+aes_256_sha_256,+aes_128_sha_256,+rsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_rsa_aes_128_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_gcm_sha_256
>
> The -All is a syntax error (ignored). All ciphers are disabled by default
> anyway.
>
> I'd suggest using the ticket already referenced as a starting point.
>
> /usr/lib[64]/nss/unsupported-tools/listsuites is also handy to see what is
> enabled by default in NSS (though again, everything is disabled by mod_nss at
> startup).
>
> rob
>
>> My cert is ECDSA private CA though. If you are interested, I can give
>> you my chef recipe snippets to configure it.
>>
>> On Thu, Jan 28, 2016 at 11:02 AM, Marat Vyshegorodtsev
>> <[email protected]> wrote:
>>> My two cents:
>>>
>>> My "magic" string for NSS is like this (I had to move to Fedora 23
>>> from CentOS in order to get more recent NSS version though):
>>>
>>> NSSProtocol TLSv1.2
>>> NSSCipherSuite -All,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+aes_256_sha_256,+aes_128_sha_256,+rsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_rsa_aes_128_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_gcm_sha_256
>>>
>>> My cert is ECDSA private CA though. If you are interested, I can give
>>> you my chef recipe snippets to configure it.
>>>
>>> Marat
>>>
>>> On Fri, Jan 22, 2016 at 1:54 AM, Terry John
>>> <[email protected]> wrote:
>>>>>> I've been trying to tidy the security on my FreeIPA and this is
>>>>>> causing me some problems. I'm using OpenVAS vulnerability scanner
>>>>>> and it is coming up with this issue
>>>>>>
>>>>>> EXPORT_RSA cipher suites supported by the remote server:
>>>>>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0006)
>>>>>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0003)
>>>>>>
>>>>>> It seems we have to disable export TLS ciphers but I can't see how.
>>>>>> I've edited /etc/httpd/conf.d/nss.conf and disabled all SSL and TLSV1.0.
>>>>>>
>>>>>> NSSCipherSuite -all,-exp,+<the ones I want>
>>>>>>
>>>>>> I've restarted httpd and ipa but it still fails
>>>>>>
>>>>>> Is there something I have overlooked
>>>>>
>>>>> Hi Terry,
>>>>>
>>>>> Please check
>>>>> https://fedorahosted.org/freeipa/ticket/5589
>>>>>
>>>>> We are trying to come up with a better cipher suite right now. The fix
>>>>> should be in some of the next FreeIPA 4.3.x versions.
>>>>>
>>>>> The ticket has more details in it.
>>>>
>>>> Thanks for the info. I have tried nearly all the NSSCipherSuite settings
>>>> in that ticket but none so far has eliminated the FREAK report.
>>>> Christian thanks for the heads up on the syntax, I wasn't sure of
>>>> what I was doing
>>>>
>>>> Each time I've made a change I've run an sslscan from the OpenVAS scanner
>>>> and I do get a different result each time but the errors still remain in
>>>> OpenVAS.
>>>> Aaargh! Just noticed the port is 636/tcp(!) which is ns-slapd.
>>>>
>>>> Back to the drawing board :-)

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
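Rob's point (dse.ldif is regenerated from memory on shutdown) and Terry's finding (export RSA suites still offered on 636/tcp) both come down to what nsSSL3Ciphers in the stopped instance's dse.ldif actually says. As an added example, not code from this thread or from 389-ds/FreeIPA, the Python below reads that attribute from a dse.ldif (handling LDIF line folding), works out which suites the +name/-name tokens leave enabled, flags export-grade ones, and rewrites the attribute; the sample entry and the weak-name patterns are constructed assumptions.

```python
# Constructed sample of a 389-ds dse.ldif cn=encryption entry (invented values; the long attribute is LDIF-folded).
SAMPLE_DSE_LDIF = """dn: cn=encryption,cn=config
cn: encryption
sslVersionMin: TLS1.0
nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc2_40_md5,+rsa_rc4_40_md5,+rsa_aes_128_s
 ha,+rsa_aes_256_sha
"""

# Weak-suite markers in NSS short names (assumed: rsa_rc2_40_md5 / rsa_rc4_40_md5 are the 40-bit export suites).
WEAK_HINTS = ("_40_", "export", "null", "_des_", "3des", "rc2", "rc4", "md5")

def unfold_ldif(text):
    """Undo LDIF folding: a line beginning with one space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def get_attr(text, attr):
    """Return the unfolded value of the first attribute called attr (case-insensitive), else None."""
    for line in unfold_ldif(text):
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == attr.lower():
            return value.strip()

def enabled_ciphers(cipher_attr):
    """Apply +name/-name tokens left to right; a token like -All matches nothing and is ignored."""
    enabled = []
    for tok in cipher_attr.split(","):
        name = tok.strip().lower()
        if name.startswith("+") and name[1:] not in enabled:
            enabled.append(name[1:])
        elif name.startswith("-") and name[1:] in enabled:
            enabled.remove(name[1:])
    return enabled

def weak_ciphers(enabled):
    """Suites a scanner would report (export/40-bit, RC2, RC4, DES, MD5, NULL)."""
    return [c for c in enabled if any(h in c for h in WEAK_HINTS)]

def set_attr(text, attr, new_value):
    """Rewrite attr. Do this only with the instance stopped: 389-ds rewrites
    dse.ldif from memory on shutdown, discarding edits made while it runs."""
    out = []
    for line in unfold_ldif(text):
        key, sep, _ = line.partition(":")
        out.append(f"{key}: {new_value}" if sep and key.strip().lower() == attr.lower() else line)
    return "\n".join(out) + "\n"
```

Run `weak_ciphers(enabled_ciphers(get_attr(open(path).read(), "nsSSL3Ciphers")))` against each instance's dse.ldif to see whether the 40-bit suites are still enabled before and after the stop/edit/start cycle.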
