[Freeipa-users] IPA vulnerability management SSL
Sean Hogan
schogan at us.ibm.com
Wed Apr 27 17:53:22 UTC 2016
Hi Alex,
Just wanted to make sure... I needed to know if I had to upgrade or spend
more time trial-and-erroring this out.
So since my nmap is showing this
[bob at server slapd-PKI-IPA]# nmap --script ssl-enum-ciphers -p 636 `hostname`
Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 13:42 EDT
Nmap scan report for
Host is up (0.000090s latency).
PORT STATE SERVICE
636/tcp open ldapssl
| ssl-enum-ciphers:
| TLSv1.2
| Ciphers (13)
| SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
| SSL_RSA_FIPS_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA256
| TLS_RSA_WITH_AES_128_GCM_SHA256
| TLS_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_AES_256_CBC_SHA256
| TLS_RSA_WITH_DES_CBC_SHA
| TLS_RSA_WITH_RC4_128_MD5
| TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)
|_ uncompressed
Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds
I decided to remove TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, so I looked up what DS
actually names this, and it looks like these have to be removed:
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA rsa_rc4_56_sha
tls_dhe_dss_1024_rc4_sha
tls_rsa_export1024_with_rc4_56_sh
I stopped IPA with ipactl stop
modified dse.ldif with this:
nsSSL3Ciphers: +all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha
allowweakcipher: off
numSubordinates: 1
Reran nmap and it still shows TLS_RSA_EXPORT1024_WITH_RC4_56_SHA:
[bob at server slapd-PKI-IPA]# nmap --script ssl-enum-ciphers -p 636 `hostname`
Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 13:48 EDT
Nmap scan report for
Host is up (0.000078s latency).
PORT STATE SERVICE
636/tcp open ldapssl
| ssl-enum-ciphers:
| TLSv1.2
| Ciphers (13)
| SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
| SSL_RSA_FIPS_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA256
| TLS_RSA_WITH_AES_128_GCM_SHA256
| TLS_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_AES_256_CBC_SHA256
| TLS_RSA_WITH_DES_CBC_SHA
| TLS_RSA_WITH_RC4_128_MD5
| TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)
|_ uncompressed
Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds
Am I doing something wrong here?
Sean Hogan
From: Alexander Bokovoy <abokovoy at redhat.com>
To: Sean Hogan/Durham/IBM at IBMUS
Cc: freeipa-users <freeipa-users at redhat.com>
Date: 04/27/2016 10:35 AM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL
On Wed, 27 Apr 2016, Sean Hogan wrote:
>
>Hello Alexander
>
>
>I knew the below, which is why I added my DS rpm version in the orig email,
>which made sense to me, but per 389 DS docs allowweakcipher starts in
>1.3.3.2, in case anyone else reads this. At least that's what the docs say,
>but you may know something where it actually does not work till 1.3.4.0. I
>dunno
>
>http://directory.fedoraproject.org/docs/389ds/design/nss-cipher-design.html
>
>
>Additionally I want to clarify the comment that 4.3.1 has this as default
>setup.
>Are you suggesting that IPA 3.0.47 for rhel6 is incapable of getting a
>stronger ssl config and that anyone who needs tighter cipher control needs
>to upgrade to IPA 4.3.1 and their OS to RHEL (centos, scientific) 7?
All I said is that we fixed this particular issue to make sure defaults
in 4.3.1 reflect current status quo on SSL ciphers.
If you want to have a similar setup with 3.0.47, you are welcome to
improve the configuration based on the effort we did for 4.3.1.
Notice that I said nothing about incapability of either deployment to
handle this, not sure where you were able to read that from.
--
/ Alexander Bokovoy