On Tue, Jan 14, 2020 at 4:16 AM Florence Blanc-Renaud via
FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>
> On 1/13/20 8:38 PM, Terry Soucy via FreeIPA-users wrote:
> > We are running FreeIPA 3.0.0 on CentOS 6 (directly from the OS
> > repository). I am having trouble disabling SSL3 and RC4 ciphers on port
> > 9443 (pki-cad)
> >
> > ipa-server-3.0.0
> > tomcat6-6.0.24
> >
> > I've been modifying /etc/pki-ca/server.xml with little success. What am
> > I missing? I've been banging my head on this for the past week.
> >
> >      <Connector name="Agent" port="9443" protocol="HTTP/1.1"
> > SSLEnabled="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
>
> I believe the correct parameter name is sslProtocols="...", not
> sslEnabledProtocols, in this version of tomcat.
> flo
>

If we take a look at the latest
(https://tomcat.apache.org/tomcat-9.0-doc/config/http.html) docs, it
says sslEnabledProtocols is an alias to the protocols entry in
SSLHostConfig
(https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLHostConfig),
which specifically lists

SSLv2Hello
SSLv3
TLSv1
TLSv1.1
TLSv1.2
TLSv1.3
all

as valid entries. I will agree that the explanation of sslProtocol is
kinda confusing because it kinda implies it is "the protocol(s) to
use," with TLS as the default. Maybe the subtle difference is that
sslEnabledProtocols is the list of "protocols to support when
*communicating with clients*"; the latter part is what differentiates
it. In any case, in my ancient notes I seem to explicitly define both
(was the order in sslEnabledProtocols important?):

    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="/usr/share/tomcat/keystore"
               keystorePass="password1" keyAlias="tomcat"
               clientAuth="false"
               sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
               />


> >                 scheme="https" secure="true"
> >                 maxHttpHeaderSize="8192"
> >                 acceptCount="100" maxThreads="150" minSpareThreads="25"
> >                 maxSpareThreads="75"
> >                 enableLookups="false" disableUploadTimeout="true"
> >                 SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
> >                 enableOCSP="false"
> >                 ocspResponderURL="http://ipa001.local:9080/ca/ocsp"
> >                 ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
> >                 ocspCacheSize="1000"
> >                 ocspMinCacheEntryDuration="60"
> >                 ocspMaxCacheEntryDuration="120"
> >                 ocspTimeout="10"
> >                 clientAuth="true"
> >                 sslOptions="ssl2=false,ssl3=false,tls=true"
> >                 tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,-SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,-SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,-SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-EDH-RSA-DES-CBC3-SHA,-DES-CBC3-SHA"
> >                 sslVersionRangeStream="tls1_1:tls1_2"
> >                 sslVersionRangeDatagram="tls1_1:tls1_2"
> >                 sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"
> >                 serverCertNickFile="/var/lib/pki-ca/conf/serverCertNick.conf"
> >                 passwordFile="/var/lib/pki-ca/conf/password.conf"
> >                 passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
> >                 certdbDir="/var/lib/pki-ca/alias"
> >                 />
> >
> > --
> > Terry Soucy
> > Systems Engineering Lead | Salesforce
> > Mobile: +1.506.609.3247
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> > Fedora Code of Conduct: 
> > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: 
> > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
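As an added example (not code from the thread, FreeIPA or Dogtag), a small Python checker for the JSS-backed connector in /etc/pki-ca/server.xml: it flags the settings in the quoted config that still admit SSLv3 or RC4 and the sslEnabledProtocols/sslProtocols naming question the thread raises. The server.xml fragment embedded below is constructed for the example, and treating a missing sslOptions ssl3 switch as "not disabled" is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not the thread's file): deliberately keeps
# SSLv3 and RC4 enabled so every check below fires.
SAMPLE_SERVER_XML = """<Server><Service>
 <Connector name="Agent" port="9443" protocol="HTTP/1.1" SSLEnabled="true"
     sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
     sslOptions="ssl2=false,ssl3=true,tls=true"
     tls3Ciphers="-SSL3_RSA_WITH_DES_CBC_SHA,+SSL3_RSA_WITH_RC4_128_SHA"
     sslVersionRangeStream="ssl3:tls1_2"
     sslRangeCiphers="+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_RC4_128_SHA"/>
</Service></Server>"""

def enabled_ciphers(spec):
    """Ciphers switched on ('+' prefix) in a JSS-style '+A,-B' cipher list."""
    return [c[1:] for c in spec.split(",") if c.startswith("+")]

def check_connector(conn):
    """Return human-readable findings for one SSL-enabled <Connector>."""
    a, findings = conn.attrib, []
    # The thread disagrees on which attribute name this tomcat6/JSS build
    # honours, so report the mix-up rather than treating either as right.
    if "sslEnabledProtocols" in a and "sslProtocols" not in a:
        findings.append("sets sslEnabledProtocols but not sslProtocols")
    # sslOptions is JSS's own protocol switch; assume ssl3 is on unless it is
    # explicitly 'false' (assumption: the default is not documented here).
    opts = dict(kv.split("=", 1) for kv in a.get("sslOptions", "").split(",") if "=" in kv)
    if opts.get("ssl3", "").lower() != "false":
        findings.append("sslOptions does not disable ssl3")
    # sslVersionRangeStream is 'min:max'; a lower bound below TLS admits SSLv3.
    low = a.get("sslVersionRangeStream", "").split(":")[0]
    if low.startswith("ssl"):
        findings.append("sslVersionRangeStream lower bound is %s" % low)
    # RC4 suites only matter if they carry a '+'; '-' entries are already off.
    for attr in ("tls3Ciphers", "sslRangeCiphers"):
        rc4 = [c for c in enabled_ciphers(a.get(attr, "")) if "RC4" in c]
        if rc4:
            findings.append("%s enables RC4: %s" % (attr, ", ".join(rc4)))
    return findings

def audit(xml_text):
    """Map each SSL-enabled connector's port to its list of findings."""
    root = ET.fromstring(xml_text)
    return {c.get("port"): check_connector(c)
            for c in root.iter("Connector") if c.get("SSLEnabled") == "true"}

if __name__ == "__main__":
    for port, issues in audit(SAMPLE_SERVER_XML).items():
        print("port %s: %s" % (port, issues or "no findings"))
```

Run it against the real file with audit(open("/etc/pki-ca/server.xml").read()) after each edit; an empty list for port 9443 means none of these checks still fire, which is a quicker loop than restarting pki-cad and probing the port.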