On 1/14/20 12:54 PM, Terry Soucy via FreeIPA-users wrote:
> I've tried both parameters
>
> .. sslProtocols = "TLSv1.2,TLSv1.1,TLSv1"
> .. sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
>
> and I receive the same results. I'm able to connect with openssl s_client -connect ipa001.local:9443 -ssl3. I've even specifically disabled the cipher that is negotiated in the connection, but it doesn't appear that what I'm trying works.
>
In my conf I also have strictCiphers="true" and it seems to make a difference. See https://www.dogtagpki.org/wiki/Tomcat_JSS_7.3_Configuration which says:
-----8<-----
strictCiphers:
This parameter determines whether to disable the NSS default ciphers. If it's set to true, the NSS default ciphers will be disabled, and only the ciphers specified in sslRangeCiphers will be enabled. If it's set to false, the NSS default ciphers will remain enabled in addition to the ciphers specified in sslRangeCiphers. By default it's false.
----->8-----

Don't forget to restart pki after you edit server.xml
flo

> ssl3Ciphers="-DHE-RSA-AES256-SHA"
>
> # openssl s_client -connect en3021s.dev.ca1.sfmc.co:9443 -ssl3
> ...
> Server Temp Key: DH, 2048 bits
> ---
> SSL handshake has read 2763 bytes and written 349 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>      Protocol  : SSLv3
>      Cipher    : DHE-RSA-AES256-SHA
> ...
>
> I've even tried setting JAVA_HOME in /etc/pki-cad/tomcat6.conf to my openjdk7 install, thinking that maybe it was a java thing, but the same issue arises. I'm out of ideas, other than to try to upgrade to a newer version of freeipa server, and subsequently tomcat, which is a task I'm not looking forward to.
>
> Terry




On Tue, Jan 14, 2020 at 7:20 AM Florence Blanc-Renaud via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

    On 1/14/20 11:58 AM, Mauricio Tavares via FreeIPA-users wrote:
     > On Tue, Jan 14, 2020 at 4:16 AM Florence Blanc-Renaud via
     > FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
     >>
     >> On 1/13/20 8:38 PM, Terry Soucy via FreeIPA-users wrote:
     >>> We are running FreeIPA 3.0.0 on CentOS 6 (directly from the OS
     >>> repository). I am having trouble disabling SSL3 and RC4 ciphers on port
     >>> 9443 (pki-cad)
     >>>
     >>> ipa-server-3.0.0
     >>> tomcat6-6.0.24
     >>>
     >>> I've been modifying /etc/pki-ca/server.xml with little success. What am
     >>> I missing? I've been banging my head on this for the past week.
     >>>
     >>>       <Connector name="Agent" port="9443" protocol="HTTP/1.1"
     >>> SSLEnabled="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
     >>
     >> I believe the correct parameter name is sslProtocols="...", not
     >> sslEnabledProtocols, in this version of tomcat.
     >> flo
     >>
     >
     >        If we take a look at the latest
     > (https://tomcat.apache.org/tomcat-9.0-doc/config/http.html) docs, it
     > says sslEnabledProtocols is an alias to the protocols entry in
     > SSLHostConfig
     > (https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLHostConfig),
    Hi,
    Terry stated that he is using ipa-server-3.0.0 with tomcat6-6.0.24.
    https://access.redhat.com/solutions/1232233 mentions that for this
    version the value sslProtocols = "TLSv1,TLSv1.1,TLSv1.2" should be
    used. For Tomcat 6 (6.0.38 and later) and 7,
    sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" can be used.

    flo
     > which specifically lists
     >
     > SSLv2Hello
     > SSLv3
     > TLSv1
     > TLSv1.1
     > TLSv1.2
     > TLSv1.3
     > all
     >
     > as valid entries. I will agree that the explanation of sslProtocol is
     > kinda confusing because it kinda implies it is "the protocol(s) to
     > use," with TLS as the default. Maybe the subtle difference is that
     > sslEnabledProtocols is the list of "protocols to support when
     > *communicating with clients*" the latter part is what differentiates
     > it. In any case, in my ancient notes I seem to explicitly define both
     > (was the order in sslEnabledProtocols important?):
     >
     >      <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
     >                 maxThreads="150" scheme="https" secure="true"
     >                 keystoreFile="/usr/share/tomcat/keystore"
     >                 keystorePass="password1" keyAlias="tomcat"
     >                 clientAuth="false"
     >                 sslProtocol="TLS"
     >                 sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
     >                 />
     >
     >
     >>> scheme="https" secure="true"
     >>>                  maxHttpHeaderSize="8192"
     >>>                  acceptCount="100" maxThreads="150" minSpareThreads="25"
     >>>                  maxSpareThreads="75"
     >>>                  enableLookups="false" disableUploadTimeout="true"
     >>>                  SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
     >>>                  enableOCSP="false"
     >>>                  ocspResponderURL="http://ipa001.local:9080/ca/ocsp"
     >>>                  ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
     >>>                  ocspCacheSize="1000"
     >>>                  ocspMinCacheEntryDuration="60"
     >>>                  ocspMaxCacheEntryDuration="120"
     >>>                  ocspTimeout="10"
     >>>                  clientAuth="true"
     >>>                  sslOptions="ssl2=false,ssl3=false,tls=true"
     >>>                  tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,-SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,-SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,-SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-EDH-RSA-DES-CBC3-SHA,-DES-CBC3-SHA"
     >>>                  sslVersionRangeStream="tls1_1:tls1_2"
     >>>                  sslVersionRangeDatagram="tls1_1:tls1_2"
     >>>                  sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"
     >>>                  serverCertNickFile="/var/lib/pki-ca/conf/serverCertNick.conf"
     >>>                  passwordFile="/var/lib/pki-ca/conf/password.conf"
     >>>                  passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
     >>>                  certdbDir="/var/lib/pki-ca/alias"
     >>>                  />
     >>>
     >>>
     >>> --
     >>> Terry Soucy
     >>> Systems Engineering Lead | Salesforce
     >>> Mobile: +1.506.609.3247



--
Terry Soucy
Systems Engineering Lead | Salesforce
Mobile: +1.506.609.3247

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
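The thread turns on two things: which Connector attributes the JSS implementation actually honours (sslOptions, sslVersionRangeStream, strictCiphers and the +/- cipher lists) and how to read the openssl s_client probe afterwards. The script below is an added example, not FreeIPA or Dogtag code: it audits a <Connector> fragment for the weak settings discussed above and interprets an s_client transcript. The two sample connectors and the two transcripts are constructed; the policy floor (tls1_1), the weak-cipher markers and the forbidden-protocol list are assumptions.

```python
"""Audit a Tomcat JSS <Connector> for SSLv3/weak-cipher exposure and interpret
an `openssl s_client` probe. Added example, not FreeIPA or Dogtag code."""
import re
import xml.etree.ElementTree as ET

# NSS version labels, ascending, as used in sslVersionRangeStream="min:max".
PROTOCOL_ORDER = ["ssl3", "tls1_0", "tls1_1", "tls1_2", "tls1_3"]
MIN_ACCEPTABLE = "tls1_1"  # assumed policy floor: TLS 1.0 and below are flagged
# Assumed weak-cipher markers; "_DES_CBC" catches single DES but not 3DES_EDE_CBC.
WEAK_CIPHER_MARKERS = ("RC4", "NULL", "EXPORT", "_DES_CBC")


def parse_cipher_list(value):
    """'+A,-B' -> (enabled, disabled); JSS cipher lists are +/- prefixed names."""
    enabled, disabled = set(), set()
    for item in (s.strip() for s in value.split(",")):
        if not item:
            continue
        sign, name = item[0], item[1:]
        if sign not in "+-" or not name:
            raise ValueError("bad cipher entry: %r" % item)
        (enabled if sign == "+" else disabled).add(name)
    return enabled, disabled


def audit_connector(xml_text):
    """Return findings for one <Connector> element; an empty list is clean."""
    conn = ET.fromstring(xml_text)
    if conn.tag != "Connector":
        raise ValueError("expected a <Connector> element")
    a = conn.attrib
    findings = []
    # Legacy protocol switches: sslOptions="ssl2=false,ssl3=false,tls=true".
    if "sslOptions" in a:
        opts = dict(kv.split("=", 1) for kv in a["sslOptions"].split(",") if "=" in kv)
        for old in ("ssl2", "ssl3"):
            if opts.get(old, "").strip().lower() != "false":
                findings.append("sslOptions does not set %s=false" % old)
    # The NSS range that is enforced: sslVersionRangeStream="tls1_1:tls1_2".
    rng = a.get("sslVersionRangeStream")
    if rng is None:
        findings.append("sslVersionRangeStream unset; NSS defaults decide the floor")
    else:
        low = rng.split(":")[0].strip()
        if low not in PROTOCOL_ORDER:
            findings.append("sslVersionRangeStream has unknown minimum %r" % low)
        elif PROTOCOL_ORDER.index(low) < PROTOCOL_ORDER.index(MIN_ACCEPTABLE):
            findings.append("sslVersionRangeStream allows %s (floor is %s)" % (low, MIN_ACCEPTABLE))
    # Per the Dogtag text quoted in the thread, without strictCiphers="true"
    # the NSS default cipher set stays enabled alongside sslRangeCiphers.
    if a.get("strictCiphers", "false").strip().lower() != "true":
        findings.append("strictCiphers is not true; NSS default ciphers remain enabled")
    for attr in ("sslRangeCiphers", "ssl3Ciphers", "tls3Ciphers"):
        if attr in a:
            enabled, _ = parse_cipher_list(a[attr])
            for name in sorted(n for n in enabled if any(m in n for m in WEAK_CIPHER_MARKERS)):
                findings.append("%s enables weak cipher %s" % (attr, name))
    return findings


_SESSION_RE = re.compile(r"^\s*(Protocol|Cipher)\s*:\s*(\S+)", re.MULTILINE)


def parse_s_client(output):
    """Negotiated protocol/cipher from the SSL-Session block; None if no handshake."""
    fields = {k.lower(): v for k, v in _SESSION_RE.findall(output)}
    if "protocol" not in fields or fields.get("cipher") in (None, "0000", "(NONE)"):
        return None
    return {"protocol": fields["protocol"], "cipher": fields["cipher"]}


def probe_verdict(output, forbidden=("SSLv2", "SSLv3", "TLSv1")):
    """Judge one `openssl s_client -ssl3` (or -tls1) transcript against policy."""
    session = parse_s_client(output)
    if session is None:
        return "PASS: handshake refused"
    if session["protocol"] in forbidden or "RC4" in session["cipher"]:
        return "FAIL: negotiated %(protocol)s with %(cipher)s" % session
    return "PASS: negotiated %(protocol)s with %(cipher)s" % session


# Constructed samples: a connector before hardening, one after, and two
# s_client transcripts shaped like the one in the thread.
WEAK_CONNECTOR = """<Connector name="Agent" port="9443" protocol="HTTP/1.1"
  SSLEnabled="true" SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
  sslOptions="ssl2=false,ssl3=true,tls=true" sslVersionRangeStream="ssl3:tls1_2"
  sslRangeCiphers="+TLS_RSA_WITH_RC4_128_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,-TLS_RSA_WITH_NULL_MD5"
  certdbDir="/var/lib/pki-ca/alias" />"""
HARDENED_CONNECTOR = """<Connector name="Agent" port="9443" protocol="HTTP/1.1"
  SSLEnabled="true" SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
  sslOptions="ssl2=false,ssl3=false,tls=true" sslVersionRangeStream="tls1_1:tls1_2"
  strictCiphers="true"
  sslRangeCiphers="-TLS_RSA_WITH_RC4_128_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
  certdbDir="/var/lib/pki-ca/alias" />"""
SSL3_TRANSCRIPT = """New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
"""
REFUSED_TRANSCRIPT = """New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONNECTOR), ("hardened", HARDENED_CONNECTOR)):
        print(label, audit_connector(cfg) or ["no findings"])
    print(probe_verdict(SSL3_TRANSCRIPT))
    print(probe_verdict(REFUSED_TRANSCRIPT))
```

Run audit_connector over the <Connector> element copied out of /etc/pki-ca/server.xml, restart pki, then feed the real output of `openssl s_client -connect host:9443 -ssl3 </dev/null` to probe_verdict. One caveat when reading the probe: an OpenSSL build compiled without SSLv3 rejects `-ssl3` as an unknown option, and that client-side error says nothing about what the server accepts.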