I've tried both parameters

.. sslProtocols = "TLSv1.2,TLSv1.1,TLSv1"
.. sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"

and I receive the same results. I'm able to connect with openssl s_client
-connect ipa001.local:9443 -ssl3. I've even specifically disabled the cipher
that is negotiated in the connection, but it doesn't appear that what I'm
trying works.

ssl3Ciphers="-DHE-RSA-AES256-SHA"

# openssl s_client -connect en3021s.dev.ca1.sfmc.co:9443 -ssl3
...
Server Temp Key: DH, 2048 bits
---
SSL handshake has read 2763 bytes and written 349 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
...

I've even tried setting JAVA_HOME in /etc/pki-cad/tomcat6.conf to my
openjdk7 install, thinking that maybe it was a java thing, but the same
issue arises. I'm out of ideas, other than to try to upgrade to a newer
version of freeipa server, and subsequently tomcat, which is a task I'm not
looking forward to.

Terry

On Tue, Jan 14, 2020 at 7:20 AM Florence Blanc-Renaud via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> On 1/14/20 11:58 AM, Mauricio Tavares via FreeIPA-users wrote:
> > On Tue, Jan 14, 2020 at 4:16 AM Florence Blanc-Renaud via
> > FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> >>
> >> On 1/13/20 8:38 PM, Terry Soucy via FreeIPA-users wrote:
> >>> We are running FreeIPA 3.0.0 on CentOS 6 (directly from the OS
> >>> repository). I am having trouble disabling SSL3 and RC4 ciphers on port
> >>> 9443 (pki-cad)
> >>>
> >>> ipa-server-3.0.0
> >>> tomcat6-6.0.24
> >>>
> >>> I've been modifying /etc/pki-ca/server.xml with little success. What am
> >>> I missing? I've been banging my head on this for the past week.
> >>>
> >>>       <Connector name="Agent" port="9443" protocol="HTTP/1.1"
> >>> SSLEnabled="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
> >>
> >> I believe the correct parameter name is sslProtocols="...", not
> >> sslEnabledProtocols, in this version of tomcat.
> >> flo
> >>
> >
> >        If we take a look at the latest
> > (https://tomcat.apache.org/tomcat-9.0-doc/config/http.html) docs, it
> > says sslEnabledProtocols is an alias to the protocols entry in
> > SSLHostConfig (https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLHostConfig),
> Hi,
> Terry stated that he is using ipa-server-3.0.0 with tomcat6-6.0.24.
> https://access.redhat.com/solutions/1232233 mentions that for this
> version the value  sslProtocols = "TLSv1,TLSv1.1,TLSv1.2" should be
> used. For Tomcat 6 (6.0.38 and later) and 7,
> sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" can be used.
>
> flo
> > which specifically lists
> >
> > SSLv2Hello
> > SSLv3
> > TLSv1
> > TLSv1.1
> > TLSv1.2
> > TLSv1.3
> > all
> >
> > as valid entries. I will agree that the explanation of sslProtocol is
> > kinda confusing because it kinda implies it is "the protocol(s) to
> > use," with TLS as the default. Maybe the subtle difference is that
> > sslEnabledProtocols is the list of "protocols to support when
> > *communicating with clients*" the latter part is what differentiates
> > it. In any case, in my ancient notes I seem to explicitly define both
> > (was the order in sslEnabledProtocols important?):
> >
> >      <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
> >                 maxThreads="150" scheme="https" secure="true"
> >                 keystoreFile="/usr/share/tomcat/keystore"
> >                 keystorePass="password1" keyAlias="tomcat"
> >                 clientAuth="false"
> >                 sslProtocol="TLS"
> >                 sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
> >                 />
> >
> >
> >>>                  scheme="https" secure="true"
> >>>                  maxHttpHeaderSize="8192"
> >>>                  acceptCount="100" maxThreads="150" minSpareThreads="25"
> >>>                  maxSpareThreads="75"
> >>>                  enableLookups="false" disableUploadTimeout="true"
> >>>                  SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
> >>>                  enableOCSP="false"
> >>>                  ocspResponderURL="http://ipa001.local:9080/ca/ocsp"
> >>>                  ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
> >>>                  ocspCacheSize="1000"
> >>>                  ocspMinCacheEntryDuration="60"
> >>>                  ocspMaxCacheEntryDuration="120"
> >>>                  ocspTimeout="10"
> >>>                  clientAuth="true"
> >>>                  sslOptions="ssl2=false,ssl3=false,tls=true"
> >>>                  tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,-SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,-SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,-SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-EDH-RSA-DES-CBC3-SHA,-DES-CBC3-SHA"
> >>>                  sslVersionRangeStream="tls1_1:tls1_2"
> >>>                  sslVersionRangeDatagram="tls1_1:tls1_2"
> >>>                  sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"
> >>>                  serverCertNickFile="/var/lib/pki-ca/conf/serverCertNick.conf"
> >>>                  passwordFile="/var/lib/pki-ca/conf/password.conf"
> >>>                  passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
> >>>                  certdbDir="/var/lib/pki-ca/alias"
> >>>                  />
> >>>
> >>> --
> >>> Terry Soucy
> >>> Systems Engineering Lead | Salesforce
> >>> Mobile: +1.506.609.3247
> >>>
> >>>
> >>
> >
>


-- 
Terry Soucy
Systems Engineering Lead | Salesforce
Mobile: +1.506.609.3247
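As an added verification check (example code, not from the thread or from FreeIPA/Tomcat), this probe sends a minimal SSLv3 ClientHello, the same test `openssl s_client -ssl3` performs, and reports whether the connector still answers with an SSLv3 ServerHello or rejects it with an alert or by closing the connection. The default host and port, and the constructed cipher-suite list, are assumptions.

```python
import os
import socket
import struct
import sys

SSLV3 = b"\x03\x00"
# Constructed suite list: DHE-RSA-AES256-SHA (0x0039, the suite the thread's
# s_client run negotiated), AES128-SHA (0x002f), DES-CBC3-SHA (0x000a), RC4-SHA (0x0005).
CIPHER_SUITES = bytes.fromhex("0039002f000a0005")


def build_sslv3_client_hello(client_random=None):
    """Return one SSLv3 record carrying a minimal ClientHello."""
    rnd = os.urandom(32) if client_random is None else client_random
    body = SSLV3 + rnd + b"\x00"                    # client_version, random, empty session id
    body += struct.pack("!H", len(CIPHER_SUITES)) + CIPHER_SUITES
    body += b"\x01\x00"                             # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake   # record type 22


def classify_response(data):
    """Interpret the first record the server sends back to the probe."""
    if not data:
        return "rejected"                           # closed without sending an alert
    if len(data) < 5:
        return "unknown"
    if data[0] == 0x15:                             # Alert record (handshake_failure etc.)
        return "rejected"
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:   # ServerHello
        version = data[9:11]                        # server_version after 5+4 header bytes
        return "sslv3-accepted" if version == SSLV3 else "negotiated-" + version.hex()
    return "unknown"


def probe(host, port, timeout=5.0):
    """Connect, send the probe and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            return classify_response(sock.recv(4096))
        except ConnectionResetError:
            return "rejected"
        except socket.timeout:
            return "unknown"


if __name__ == "__main__":
    # Assumed defaults; pass host and port on the command line to override.
    target_host = sys.argv[1] if len(sys.argv) > 1 else "ipa001.local"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 9443
    print(target_host, target_port, probe(target_host, target_port))
```

After changing server.xml and restarting the CA, a result of "rejected" confirms the connector no longer accepts SSLv3; "sslv3-accepted" means the setting did not take effect, as in the s_client output above.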

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org