For others reference this is regarding CentOS 7.2 with FreeIPA 4.4.0 Directory server change suggested on the link are for an older version. Minimum TLS support can be altered as follows:
*/etc/dirsrv/slapd-DOMAIN.COM/dse.ldif* dn: cn=encryption,cn=config allowWeakCipher: off cn: encryption createTimestamp: 20161130110528Z creatorsName: cn=server,cn=plugins,cn=config modifiersName: cn=Directory Manager modifyTimestamp: 20161213085006Z nsSSLClientAuth: allowed nsSSLSessionTimeout: 0 nsSSL3Ciphers: default objectClass: top objectClass: nsEncryptionConfig sslVersionMin: TLS1.2 I'm still working on port 8443 (DogTag/PKI/Tomcat) - configuration in /usr/share/pki/server/conf/server.xml seems to roughly match the linked article however its all tokenized as shown below: 203 sslOptions="[TOMCAT_SSL_OPTIONS]" 204 ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]" 205 ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]" 206 tlsCiphers="[TOMCAT_TLS_CIPHERS]" 207 sslVersionRangeStream="[TOMCAT_SSL_VERSION_RANGE_STREAM]" 208 sslVersionRangeDatagram="[TOMCAT_SSL_VERSION_RANGE_DATAGRAM]" 209 sslRangeCiphers="[TOMCAT_SSL_RANGE_CIPHERS]" I'll feed back if i work it out. Thanks, On Thu, Apr 27, 2017 at 8:22 PM Callum Guy <[email protected]> wrote: > Thanks so much for the link Rob - i'm on 4.4.0. I'll get back in touch if > i run into any issues - i find it difficult to locate these help pages so > really do appreciate the advice > > On Thu, Apr 27, 2017 at 8:16 PM Rob Crittenden <[email protected]> > wrote: > >> Callum Guy wrote: >> > Hi All, >> > >> > I'm currently looking at hardening my FreeIPA server as part of a PCI >> > assessment. >> > >> > I am hoping to be able to fix PKI (ports 8443) and SLAPD (LDAPS) to use >> > only TLS1.2 - both currently support TLS1.0 and unfortunately that is >> > non-compliant for my environment. >> > >> > Also i'm very much hoping not to break my installation! >> > >> > Does anyone have experience in this area? >> >> It depends very much on what version you are running but see >> https://access.redhat.com/articles/2801181 for inspiration. >> >> rob >> >> -- *0333 332 0000 | www.x-on.co.uk <http://www.x-on.co.uk> | ** <https://www.linkedin.com/company/x-on> <https://www.facebook.com/XonTel> <https://twitter.com/xonuk> * X-on is a trading name of Storacall Technology Ltd a limited company registered in England and Wales. Registered Office : Avaland House, 110 London Road, Apsley, Hemel Hempstead, Herts, HP3 9SD. Company Registration No. 2578478. The information in this e-mail is confidential and for use by the addressee(s) only. If you are not the intended recipient, please notify X-on immediately on +44(0)333 332 0000 and delete the message from your computer. If you are not a named addressee you must not use, disclose, disseminate, distribute, copy, print or reply to this email. Views or opinions expressed by an individual within this email may not necessarily reflect the views of X-on or its associated companies. Although X-on routinely screens for viruses, addressees should scan this email and any attachments for viruses. X-on makes no representation or warranty as to the absence of viruses in this email or any attachments.
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
