Can someone at RH update this article https://access.redhat.com/articles/1467293 ? I found it to be fairly useful, but I'm not sure if it's up to date.
On Thu, Jan 28, 2016 at 11:04 AM, Terry John <[email protected]> wrote:
> Ok thanks for that but I've had to give up, our freeipa server is too
> critical to our business for me to continue even with outages of one or two
> minutes.
>
> The ciphers below were not recognised and when I just tried to remove the
> export ciphers from the original list I got this error
> (Netscape Portable Runtime error -12266 - An unknown SSL cipher suite has
> been requested.)
>
> A typo or a fundamental problem, I don't know.
>
> I am working in an AWS environment and have tried making a clone and
> working on that but freeipa just gets confused and stops. I suppose another
> alternative is to build a freeipa server from scratch and work on that.
> Seems an awful lot of work to remove one cipher :-(
>
> terry
>
> -----Original Message-----
> From: Rob Crittenden [mailto:[email protected]]
> Sent: 28 January 2016 14:35
> To: Terry John; Marat Vyshegorodtsev; [email protected]
> Subject: Re: [Freeipa-users] FREAK Vulnerability
>
> Terry John wrote:
> > I'm really confused now. After the problem where my freeipa server would
> > not start and I had to use the backup I'm trying to do things in small
> > steps.
> >
> > Listening to everything that has been said (thanks) I edited
> > slapd-<MY-NET>/dse.ldif slapd-PKI-IPA/dse.ldif and changed the lines
> >
> > nsSSL3Ciphers: <My-Original-Ciphers>
> > to
> > nsSSL3Ciphers: +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha
> > (There is a space after the colon)
> >
> > Then I did a 'service ip restart' and when I looked the dse.ldif files
> > had reverted back to their original settings..
> >
> > Where am I going wrong?
>
> dse.ldif is written out when the server shuts down so any changes you make
> to it while 389-ds is running are lost.
>
> rob
>
> >
> > Terry
> >
> >
> > -----Original Message-----
> > From: Rob Crittenden [mailto:[email protected]]
> > Sent: 28 January 2016 04:49
> > To: Marat Vyshegorodtsev; Terry John; [email protected]
> > Subject: Re: [Freeipa-users] FREAK Vulnerability
> >
> > Marat Vyshegorodtsev wrote:
> >> My two cents:
> >>
> >> My "magic" string for NSS is like this (I had to move to Fedora 23
> >> from CentOS in order to get a more recent NSS version though):
> >>
> >> NSSProtocol TLSv1.2
> >> NSSCipherSuite
> >> -All,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+aes_256_sha_256,+aes_128_sha_256,+rsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_rsa_aes_128_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_gcm_sha_256
> >
> > The -All is a syntax error (ignored). All ciphers are disabled by
> > default anyway.
> >
> > I'd suggest using the ticket already referenced as a starting point.
> >
> > /usr/lib[64]/nss/unsupported-tools/listsuites is also handy to see what
> > is enabled by default in NSS (though again, everything is disabled by
> > mod_nss at startup).
> >
> > rob
> >
> >>
> >> My cert is ECDSA private CA though. If you are interested, I can give
> >> you my chef recipe snippets to configure it.
> >>
> >> On Thu, Jan 28, 2016 at 11:02 AM, Marat Vyshegorodtsev
> >> <[email protected]> wrote:
> >>> My two cents:
> >>>
> >>> My "magic" string for NSS is like this (I had to move to Fedora 23
> >>> from CentOS in order to get a more recent NSS version though):
> >>>
> >>> NSSProtocol TLSv1.2
> >>> NSSCipherSuite
> >>> -All,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+aes_256_sha_256,+aes_128_sha_256,+rsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_rsa_aes_128_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_gcm_sha_256
> >>>
> >>> My cert is ECDSA private CA though. If you are interested, I can
> >>> give you my chef recipe snippets to configure it.
> >>>
> >>> Marat
> >>>
> >>> On Fri, Jan 22, 2016 at 1:54 AM, Terry John
> >>> <[email protected]> wrote:
> >>>>>> I've been trying to tidy the security on my FreeIPA and this is
> >>>>>> causing me some problems. I'm using the OpenVAS vulnerability scanner
> >>>>>> and it is coming up with this issue
> >>>>>>
> >>>>>> EXPORT_RSA cipher suites supported by the remote server:
> >>>>>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0006)
> >>>>>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0003)
> >>>>>>
> >>>>>> It seems we have to disable export TLS ciphers but I can't see
> >>>>>> how. I've edited /etc/httpd/conf.d/nss.conf and disabled all SSL and
> >>>>>> TLSv1.0.
> >>>>>
> >>>>>> NSSCipherSuite -all,-exp,+<the ones I want>
> >>>>>>
> >>>>>> I've restarted httpd and ipa but it still fails
> >>>>>>
> >>>>>> Is there something I have overlooked
> >>>>
> >>>>
> >>>>> Hi Terry,
> >>>>>
> >>>>> Please check
> >>>>> https://fedorahosted.org/freeipa/ticket/5589
> >>>>>
> >>>>> We are trying to come up with a better cipher suite right now. The
> >>>>> fix should be in some of the next FreeIPA 4.3.x versions.
> >>>>>
> >>>>> The ticket has more details in it.
> >>>>
> >>>> Thanks for the info. I have tried nearly all the NSSCipherSuite
> >>>> settings in that ticket but none so far has eliminated the FREAK report.
> >>>> Christian, thanks for the heads up on the syntax, I wasn't sure of
> >>>> what I was doing.
> >>>>
> >>>> Each time I've made a change I've run an sslscan from the OpenVAS
> >>>> scanner and I do get a different result each time but the error still
> >>>> remains in OpenVAS.
> >>>> Aaargh! Just noticed the port is 636/tcp(!) which is ns-slapd.
> >>>>
> >>>> Back to the drawing board :-)
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
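The thread's real lesson is that the OpenVAS finding was on 636/tcp (ns-slapd), not on httpd, and that a dse.ldif edit only survives if 389-ds is stopped while you make it. Either way you need a way to verify the result yourself, per port, instead of waiting for the next scan. The script below is an added example, not code from the thread, from FreeIPA, 389-ds or mod_nss: it hand-builds a TLS 1.0 ClientHello that offers only export-grade RSA suites (the same test a FREAK scanner performs) and reports whether the server negotiates one. Assumptions: suite 0x0008 (TLS_RSA_EXPORT_WITH_DES40_CBC_SHA) is added alongside the two codes OpenVAS listed; the hostname and ports in the usage comment are placeholders; the handshake is built by hand because current OpenSSL-based clients can no longer offer these suites at all.

```python
"""Probe a TLS endpoint for export-grade RSA cipher suites (the FREAK check).

Added example; not code from the thread or from FreeIPA/389-ds/mod_nss.
A hand-built TLS 1.0 ClientHello offers *only* export RSA suites and the
server's first record is read back. A ServerHello means it picked one of
them (still vulnerable); an alert (normally handshake_failure, 40) means it
refused, which is what a fixed nsSSL3Ciphers/NSSCipherSuite should produce.
"""
import os
import socket
import struct
import sys

# IANA cipher suite codes. 0x0003 and 0x0006 are the two OpenVAS reported in
# the thread; 0x0008 (DES40) is an extra export RSA suite added here.
EXPORT_RSA_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

TLS10 = b"\x03\x01"
RECORD_HANDSHAKE, RECORD_ALERT = 0x16, 0x15
HS_CLIENT_HELLO, HS_SERVER_HELLO = 0x01, 0x02


def build_client_hello(suites, version=TLS10, client_random=None):
    """Return a complete TLS record carrying a ClientHello that offers `suites`."""
    client_random = client_random or os.urandom(32)
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        version
        + client_random
        + b"\x00"                                   # empty session id
        + struct.pack("!H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                               # one compression method: null
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([RECORD_HANDSHAKE]) + version + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(data):
    """Classify the first TLS record the server sent back."""
    if len(data) < 5:
        return {"kind": "incomplete"}
    content_type = data[0]
    rec_len = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if content_type == RECORD_ALERT and len(payload) >= 2:
        return {"kind": "alert", "level": payload[0], "description": payload[1]}
    if content_type == RECORD_HANDSHAKE and payload and payload[0] == HS_SERVER_HELLO:
        hs_len = int.from_bytes(payload[1:4], "big")
        body = payload[4:4 + hs_len]
        # ServerHello: version(2) random(32) sid_len(1) sid(n) cipher_suite(2) ...
        if len(body) < 35:
            return {"kind": "incomplete"}
        sid_len = body[34]
        off = 35 + sid_len
        if len(body) < off + 2:
            return {"kind": "incomplete"}
        return {"kind": "server_hello", "cipher_suite": struct.unpack("!H", body[off:off + 2])[0]}
    return {"kind": "other", "content_type": content_type}


def accepts_export_rsa(response):
    """True only if the server actually negotiated one of the export RSA suites."""
    return response["kind"] == "server_hello" and response["cipher_suite"] in EXPORT_RSA_SUITES


def probe(host, port, timeout=5.0):
    """Send the export-only ClientHello to host:port and return the parsed reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(list(EXPORT_RSA_SUITES)))
        data = b""
        # Read until the first record is complete (or the server hangs up).
        while len(data) < 5 or len(data) < 5 + struct.unpack("!H", data[3:5])[0]:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_server_response(data)


if __name__ == "__main__":
    # e.g.  python3 freak_probe.py ipa.example.com 636   (placeholder host/port)
    host, port = sys.argv[1], int(sys.argv[2])
    result = probe(host, port)
    if accepts_export_rsa(result):
        print("VULNERABLE: negotiated %s" % EXPORT_RSA_SUITES[result["cipher_suite"]])
    else:
        print("not vulnerable: server replied with", result)
```

Run it against every TLS listener on the IPA host separately (443 for httpd/mod_nss, 636 for ns-slapd, and any other LDAPS instance such as the PKI one), since each is configured in a different place; it speaks only implicit TLS, so 389/tcp with STARTTLS is not covered. Check 636 first, because that is the port the original OpenVAS report was actually about.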
