[Freeipa-users] IPA vulnerability management SSL

Sean Hogan schogan at us.ibm.com
Wed Apr 27 17:53:22 UTC 2016


Hi Alex,

   Just wanted to make sure.. needed to know if I had to upgrade or spend
more time trial and erroring this out.

So since my nmap is showing this:
[bob at server slapd-PKI-IPA]# nmap --script ssl-enum-ciphers -p 636 `hostname`

Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 13:42 EDT
Nmap scan report for
Host is up (0.000090s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
|     Ciphers (13)
|       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|       SSL_RSA_FIPS_WITH_DES_CBC_SHA
|       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
|       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA256
|       TLS_RSA_WITH_AES_128_GCM_SHA256
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA256
|       TLS_RSA_WITH_DES_CBC_SHA
|       TLS_RSA_WITH_RC4_128_MD5
|       TLS_RSA_WITH_RC4_128_SHA
|     Compressors (1)
|_      uncompressed

Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds


I decided to remove TLS_RSA_EXPORT1024_WITH_RC4_56_SHA so looked up what DS
actually names this to be and it looks like these have to be removed:

 TLS_RSA_EXPORT1024_WITH_RC4_56_SHA     rsa_rc4_56_sha
                                        tls_dhe_dss_1024_rc4_sha
                                        tls_rsa_export1024_with_rc4_56_sha

I stopped IPA with ipactl stop
modified dse.ldif with this


nsSSL3Ciphers:
+all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4
 _56_sha,-tls_dhe_dss_1024_rc4_sha
allowweakcipher: off
numSubordinates: 1

Reran nmap and it still shows TLS_RSA_EXPORT1024_WITH_RC4_56_SHA

[bob at server slapd-PKI-IPA]# nmap --script ssl-enum-ciphers -p 636 `hostname`

Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 13:48 EDT
Nmap scan report for
Host is up (0.000078s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
|     Ciphers (13)
|       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|       SSL_RSA_FIPS_WITH_DES_CBC_SHA
|       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
|       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA256
|       TLS_RSA_WITH_AES_128_GCM_SHA256
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA256
|       TLS_RSA_WITH_DES_CBC_SHA
|       TLS_RSA_WITH_RC4_128_MD5
|       TLS_RSA_WITH_RC4_128_SHA
|     Compressors (1)
|_      uncompressed

Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

Am I doing something wrong here?



Sean Hogan







From:	Alexander Bokovoy <abokovoy at redhat.com>
To:	Sean Hogan/Durham/IBM at IBMUS
Cc:	freeipa-users <freeipa-users at redhat.com>
Date:	04/27/2016 10:35 AM
Subject:	Re: [Freeipa-users] IPA vulnerability management SSL



On Wed, 27 Apr 2016, Sean Hogan wrote:
>
>Hello Alexander
>
>
>I knew the below which is why I added my DS rpm version in the orig email
>which made sense to me but per 389 DS docs allowweakcipher starts in
>1.3.3.2 in case anyone else reads this.  At least that's what the docs say
>but you may know something where it actually does not work til 1.3.4.0.  I
>dunno
>
>http://directory.fedoraproject.org/docs/389ds/design/nss-cipher-design.html
>
>
>Additionally I want to clarify the comment 4.3.1 has this as default
>setup.
>Are you suggesting that IPA 3.0.47 for rhel6 is incapable of getting a
>stronger ssl config and that anyone who needs tighter cipher control needs
>to upgrade to IPA 4.3.1 and their OS to RHEL(centos, scientific) 7
All I said is that we fixed this particular issue to make sure defaults
in 4.3.1 reflect current status quo on SSL ciphers.

If you want to have a similar setup with 3.0.47, you are welcome to
improve the configuration based on the effort we did for 4.3.1.

Notice that I said nothing about incapability of either deployment to
handle this, not sure where you were able to read that from.

--
/ Alexander Bokovoy


