[Freeipa-devel] FreeIPA and modern requirements on certificates

Martin Kosek mkosek at redhat.com
Fri Jan 8 12:26:57 UTC 2016


Hi Fraser and other X.509 SMEs,

I wanted to check with you on what we have or plan to have with respect to
certificate/cipher strength in FreeIPA.

When I visit the FreeIPA public demo for example, I usually see the following
errors with recent browsers:

* Your connection to ipa.demo1.freeipa.org is encrypted using obsolete cipher
suite.
 - The connection uses TLS 1.2
 - The connection is encrypted using AES_128_CBC, with HMAC-SHA1 for message
authentication and RSA as the key exchange mechanism

I usually do not see the common
* Certificate chain contains a certificate signed with SHA-1
error, but I am not sure if we are covered for this one.


When I tested the FreeIPA demo with
https://www.ssllabs.com/ssltest/analyze.html?d=ipa.demo1.freeipa.org
(ignoring the trust issues), we get the mark B with the following warnings:

* This server accepts RC4 cipher, but only with older protocol versions. Grade
capped to B.

* The server does not support Forward Secrecy with the reference browsers.


What are we missing to get Grade A, which is obviously something expected from
a security solution like FreeIPA? Is it just about ECC support
(https://fedorahosted.org/freeipa/ticket/3951) or also maybe some change to our
default certificate profiles?

Thanks!

-- 
Martin Kosek <mkosek at redhat.com>
Manager, Software Engineering - Identity Management Team
Red Hat, Inc.
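As an added example (not part of Martin's mail or of the FreeIPA project), here is a small Python check that applies the criteria behind the two warnings quoted above: it classifies a cipher suite by key exchange (forward secrecy), bulk cipher (RC4 and friends) and record protection (AEAD vs. CBC+HMAC), and summarises a server's offered suites the way SSL Labs does. Function names and the sample suite list are my own constructions; the live `negotiated_suite` helper needs network access and is not used by the offline checks.

```python
import socket
import ssl

# Bulk-cipher tokens that make a suite weak regardless of key exchange.
# "DES" also matches 3DES; "EXP" matches EXPORT (IANA) and EXP- (OpenSSL).
WEAK_BULK = ("RC4", "DES", "NULL", "EXP")

F_NOFS = "no forward secrecy (no ephemeral DHE/ECDHE key exchange)"
F_WEAK = "weak bulk cipher (RC4/DES/NULL/export)"
F_MAC = "non-AEAD record protection (HMAC-based MAC, e.g. AES-CBC with SHA-1)"


def is_tls13(name):
    # TLS 1.3 suites carry no key-exchange token; (EC)DHE is implied.
    s = name.upper()
    return s.startswith("TLS_AES_") or s.startswith("TLS_CHACHA20_")


def has_forward_secrecy(name):
    # Works for IANA (TLS_ECDHE_RSA_WITH_...) and OpenSSL (ECDHE-RSA-...) names.
    return is_tls13(name) or "DHE" in name.upper()


def is_aead(name):
    return any(t in name.upper() for t in ("GCM", "CCM", "CHACHA20"))


def classify_suite(name):
    """Return the list of findings for one suite; [] means 'modern'."""
    s = name.upper()
    findings = []
    if not has_forward_secrecy(name):
        findings.append(F_NOFS)          # the demo's static-RSA key exchange
    if any(w in s for w in WEAK_BULK):
        findings.append(F_WEAK)          # SSL Labs: "accepts RC4 cipher"
    if not is_aead(name):
        findings.append(F_MAC)           # AES_128_CBC + HMAC-SHA1 lands here
    return findings


def summarize(offered):
    """The two SSL Labs findings from the thread, over all offered suites."""
    return {
        "accepts_rc4": any("RC4" in s.upper() for s in offered),
        "forward_secrecy": any(has_forward_secrecy(s) for s in offered),
    }


def negotiated_suite(host, port=443):
    """Live check (network): OpenSSL name of the suite a default client gets."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE      # the demo chain is not publicly trusted
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.cipher()[0]


# Constructed sample: suites matching the browser and SSL Labs warnings above.
DEMO_SAMPLE = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_RC4_128_SHA"]
```

Feeding `negotiated_suite("ipa.demo1.freeipa.org")` into `classify_suite` reproduces the browser's "obsolete cipher suite" verdict; an empty result means both SSL Labs warnings are gone for that suite.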



