On 09/22/2014 05:03 AM, Murty, Ajeet (US - Arlington) wrote:
> Security scan of FreeIPA server ports uncovered weak, medium and null
> ciphers on port 389 and 636. We are running ‘ipa-server-3.0.0-37.el6.i686’.
>
> How can I disable/remove these ciphers in my existing setup?

This has recently been worked on in this 389-ds-base ticket:

https://fedorahosted.org/389/ticket/47838

As mentioned in the initial description of that ticket, you can configure the allowed ciphers in the "cn=config" entry in 389-ds-base. You can edit this over LDAP, or by stopping 389-ds-base and editing /etc/dirsrv/slapd-<REALM>/dse.ldif.

Thanks,
-NGK

> Ciphers Discovered -
>
> TLSv1
> EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
> EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
>
> TLSv1
> EXP1024-DES-CBC-SHA Kx=RSA(1024) Au=RSA Enc=DES-CBC(56) Mac=SHA1 export
> EXP1024-RC4-SHA Kx=RSA(1024) Au=RSA Enc=RC4(56) Mac=SHA1 export
> DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1
>
> TLSv1
> NULL-SHA Kx=RSA Au=RSA Enc=None Mac=SHA1
>
> Thanks,
> Amb.
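
Added example (not part of the original thread, and not code from FreeIPA or 389-ds-base): a small Python check that parses cipher lines in the format quoted in the scan report above and flags null, export-grade, sub-128-bit, RC4 and MD5 suites, so the same scan output can be re-checked after the allowed cipher list has been changed. The 128-bit threshold, the function names and the AES128-SHA control line are assumptions of this example.

```python
import re

# Constructed sample: the six cipher lines from the scan report above, with the
# wrapped "Enc=..." halves rejoined. The last line is an added control entry.
SCAN = """\
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
EXP1024-DES-CBC-SHA Kx=RSA(1024) Au=RSA Enc=DES-CBC(56) Mac=SHA1 export
EXP1024-RC4-SHA Kx=RSA(1024) Au=RSA Enc=RC4(56) Mac=SHA1 export
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1
NULL-SHA Kx=RSA Au=RSA Enc=None Mac=SHA1
AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
"""

LINE = re.compile(
    r"^(?P<name>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[^\s(]+)(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)"
    r"(?P<export>\s+export)?\s*$")

MIN_BITS = 128  # assumed policy threshold; adjust to local policy

def classify(line):
    """Return (cipher_name, reasons); an empty reasons list means no finding."""
    m = LINE.match(line.strip())
    if not m:
        raise ValueError("unrecognised cipher line: %r" % line)
    enc, bits = m.group("enc"), int(m.group("bits") or 0)
    reasons = []
    if enc.lower() == "none":
        reasons.append("null encryption")
    elif bits < MIN_BITS:
        reasons.append("%d-bit %s" % (bits, enc))
    if m.group("export"):
        reasons.append("export-grade")
    if enc.upper().startswith("RC4"):
        reasons.append("RC4")
    if m.group("mac").upper() == "MD5":
        reasons.append("MD5 MAC")
    return m.group("name"), reasons

def findings(text):
    """Map cipher name -> reasons for every flagged line in the scan text."""
    results = (classify(l) for l in text.splitlines() if l.strip())
    return {name: why for name, why in results if why}

if __name__ == "__main__":
    for name, why in findings(SCAN).items():
        print("%-22s %s" % (name, ", ".join(why)))
```

An empty result from findings() on a fresh scan of ports 389 and 636 means none of the flagged categories are still offered.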