Murty, Ajeet (US - Arlington) wrote:
> Sorry, messed up the copy-paste; here is the edited section -
>
> nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,
>  +rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,
>  +tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
> numSubordinates: 1
>
> I double-checked this time. No null ciphers in the dse.ldif files.
> Still seeing the null cipher in scans.
>
Are you shutting down the server(s) before modifying dse.ldif, or are you doing the changes online using ldapmodify? 389-ds writes dse.ldif during shutdown, so if you make changes while the server is up and then restart it, those changes will be lost.

rob

>
> -----Original Message-----
> From: Alexander Bokovoy [mailto:aboko...@redhat.com]
> Sent: Tuesday, October 07, 2014 6:13 AM
> To: Murty, Ajeet (US - Arlington)
> Cc: Martin Kosek; Nathan Kinder; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
>
> On Tue, 07 Oct 2014, Murty, Ajeet (US - Arlington) wrote:
>> I edited both ldif files to remove fortezza_null. Looks like this now -
>>
>> nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
>>  +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
>>  +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
>>  +tls_rsa_export1024_with_des_cbc_sha
>
> Here I can still see +fortezza_null.
>
>> Ran the scan again, still seeing the null cipher -
>>
>> TLSv1
>> NULL-SHA   Kx=RSA   Au=RSA   Enc=None   Mac=SHA1
>>
>> -----Original Message-----
>> From: Alexander Bokovoy [mailto:aboko...@redhat.com]
>> Sent: Tuesday, October 07, 2014 5:46 AM
>> To: Murty, Ajeet (US - Arlington)
>> Cc: Martin Kosek; Nathan Kinder; freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
>>
>> On Tue, 07 Oct 2014, Murty, Ajeet (US - Arlington) wrote:
>>> Hi Martin and Nathan,
>>>
>>> Thank you for providing that info.
>>> Unfortunately, my IPA server is running on CentOS, and the latest IPA
>>> version available through YUM is 'ipa-server.i686 3.0.0-37.el6'.
>>> The latest version of 389-DS through YUM is '389-ds-base.i686 1.2.11.15-34.el6_5'.
>>>
>>> The Nessus scan had detected this null cipher -
>>>
>>> TLSv1
>>> NULL-SHA   Kx=RSA   Au=RSA   Enc=None   Mac=SHA1
>>>
>>> I found two 'dse.ldif' files on disk -
>>> /etc/dirsrv/slapd-PKI-IPA/dse.ldif
>>> /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif
>>>
>>> In each of them, I found this -
>>>
>>> nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
>>>  +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
>>>  +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
>>>  +tls_rsa_export1024_with_des_cbc_sha
>>>
>>> So to disable the null cipher, I removed 'rsa_null_md5' from that list -
>>>
>>> nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
>>>  +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
>>>  +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
>>>  +tls_rsa_export1024_with_des_cbc_sha
>>>
>>> I restarted the entire IPA stack and ran the scan again; I am still seeing
>>> that null cipher.
>>>
>>> Any ideas on how to resolve this?
>>
>> I can also see fortezza_null in the above list; maybe you are getting
>> into that one?
>>
>>> -----Original Message-----
>>> From: Martin Kosek [mailto:mko...@redhat.com]
>>> Sent: Tuesday, September 23, 2014 11:15 AM
>>> To: Nathan Kinder; freeipa-users@redhat.com; Murty, Ajeet (US - Arlington)
>>> Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
>>>
>>> On 09/22/2014 10:07 PM, Nathan Kinder wrote:
>>>>
>>>> On 09/22/2014 05:03 AM, Murty, Ajeet (US - Arlington) wrote:
>>>>> A security scan of the FreeIPA server ports uncovered weak, medium and null
>>>>> ciphers on ports 389 and 636. We are running 'ipa-server-3.0.0-37.el6.i686'.
>>>>>
>>>>> How can I disable/remove these ciphers in my existing setup?
>>>>
>>>> This has recently been worked on in this 389-ds-base ticket:
>>>>
>>>> https://fedorahosted.org/389/ticket/47838
>>>>
>>>> As mentioned in the initial description of that ticket, you can
>>>> configure the allowed ciphers in the "cn=config" entry in 389-ds-base.
>>>> You can edit this over LDAP, or by stopping 389-ds-base and editing
>>>> /etc/dirsrv/slapd-<REALM>/dse.ldif.
>>>>
>>>> Thanks,
>>>> -NGK
>>>
>>> You can also check the FreeIPA counterpart:
>>>
>>> https://fedorahosted.org/freeipa/ticket/4395
>>>
>>> This issue is fixed in FreeIPA 4.0.3 (available in a Copr build and in Fedora 21+);
>>> we would very much welcome it if you could verify that this setup works for you!
>>>
>>> Thanks,
>>> Martin
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go To http://freeipa.org for more info on the project
>>
>> --
>> / Alexander Bokovoy
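As an added example (not code from the thread, nor from 389-ds or FreeIPA), the following POSIX shell script does the two things the replies above ask for: it audits an nsSSL3Ciphers value for suites that are still enabled with "+" and whose names mark them as NULL, export-grade, 40/56-bit, RC2, RC4 or single-DES (the kind of leftover that kept "+fortezza_null" in the list after "rsa_null_md5" was removed), rewrites them as explicit "-" disables, and prints the ldapmodify LDIF for applying the change online rather than by editing dse.ldif under a running server, which is the trap Rob describes. It assumes the attribute lives on the entry "cn=encryption,cn=config" and uses the 389-ds 1.2.x cipher names exactly as posted; the sample value is the one from the second message in the thread, copied verbatim. The weak-name pattern is my own heuristic over those names, not a list published by the project.

```shell
#!/bin/sh
# Added example: audit and harden an nsSSL3Ciphers value for 389-ds 1.2.x.
# Assumptions: cipher names as used by 389-ds-base 1.2.11 (those posted in
# the thread), and the attribute living on cn=encryption,cn=config.

# Sample input: the nsSSL3Ciphers value posted in the thread (still carrying
# +fortezza_null), copied as one comma-separated string.
SAMPLE_CIPHERS='-rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha'

# Heuristic (assumption, not a 389-ds list): names that mark a suite as
# NULL, export-grade, 40- or 56-bit, RC2, RC4 or single-DES. "_des_" does not
# match "_3des_", so triple-DES entries are left alone.
WEAK_RE='null|export|_40_|_56_|rc2|rc4|_des_'

# Print each suite that is ENABLED ("+") and matches WEAK_RE, one per line,
# without the sign. Prints nothing when the list is clean.
weak_enabled() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -v re="$WEAK_RE" '
        /^\+/ && tolower($0) ~ re { sub(/^\+/, ""); print }'
}

# Return the same list, in the same order, with every weak "+name" turned
# into an explicit "-name". Entries already disabled are kept unchanged so
# the explicit "-rsa_null_md5" survives.
harden() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -v re="$WEAK_RE" '
        /^\+/ && tolower($0) ~ re { sub(/^\+/, "-") }
        { printf "%s%s", (NR > 1 ? "," : ""), $0 }
        END { printf "\n" }'
}

# Emit the LDIF for an online replace via ldapmodify. Doing it online avoids
# the dse.ldif trap: 389-ds rewrites dse.ldif at shutdown, so a hand edit
# made while the server is up is overwritten on the next restart.
ldif_for() {
    printf 'dn: cn=encryption,cn=config\nchangetype: modify\nreplace: nsSSL3Ciphers\nnsSSL3Ciphers: %s\n' "$1"
}

# Usage (runs offline): list what is still enabled and weak, then show the
# hardened value and the LDIF that would apply it.
echo "Enabled weak suites in the posted value:"
weak_enabled "$SAMPLE_CIPHERS"
HARDENED=$(harden "$SAMPLE_CIPHERS")
echo
echo "Hardened value: $HARDENED"
echo
ldif_for "$HARDENED"
```

Feed the LDIF to `ldapmodify -x -D "cn=Directory Manager" -W -H ldap://localhost` (or apply it with the server stopped by editing dse.ldif), then restart the instance (`ipactl restart`), since 389-ds reads nsSSL3Ciphers at startup. Re-check from outside with `openssl s_client -connect ipa.example.com:636 -cipher NULL < /dev/null` (and `-starttls ldap` against port 389 on OpenSSL 1.1.1 or later): a hardened server must refuse that handshake. Note that the thread itself does not establish why NULL-SHA was still offered after the edits, so treat this as the check to run, not as the explanation.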