I removed the new lines; it looks like this now -

modifyTimestamp: 20140915221826Z
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
 rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
 a_export1024_with_des_cbc_sha
numSubordinates: 1

I am still seeing the null ciphers in my scan results.
-----Original Message-----
From: Alexander Bokovoy [mailto:aboko...@redhat.com] 
Sent: Tuesday, October 07, 2014 1:08 PM
To: Murty, Ajeet (US - Arlington)
Cc: Rob Crittenden; Rich Megginson; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports

On Tue, 07 Oct 2014, Murty, Ajeet (US - Arlington) wrote:
>I shutdown IPA and modified both dse ldif files to look like this -
>
>        nsSSL3Ciphers: 
> -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
>         
> +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
>         
> rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
>         a_export1024_with_des_cbc_sha
>
>
>Then, when I try to start up IPA, I get this error message -
>
>        [root]# /etc/init.d/ipa start
>        Starting Directory Service
>        Starting dirsrv:
>                EXAMPLE-COM...[07/Oct/2014:12:49:59 -0400] - 
> str2entry_dupcheck: entry has no dn
>        [07/Oct/2014:12:49:59 -0400] - The entry [nsSSL3Ciphers] in the 
> configfile /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif was empty or could not be 
> parsed
>        [07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
The lines above suggest that you actually separated the nsSSL3Ciphers line
from the entry itself. At least in my case it looks like this:

dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20141001151245Z
modifyTimestamp: 20141001151430Z
nsSSL3Ciphers: +all
allowWeakCipher: off
numSubordinates: 1

Note that it is part of the cn=encryption,cn=config entry. You cannot
separate attributes within the entry with empty lines, because an empty line
finishes the current entry and starts another one.

>        [07/Oct/2014:12:49:59 -0400] - The entry [numSubordinates] in the 
> configfile /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif was empty or could not be 
> parsed
>        [07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
>        [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry 
> (lineno: 116) in file /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif failed.
>        [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section 
> [nsSSL3Ciphers: 
> -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
>         
> +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
>         
> rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
>         a_export1024_with ...]
>        [07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
>        [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry 
> (lineno: 121) in file /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif failed.
>        [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section 
> [numSubordinates: 1]
>        [07/Oct/2014:12:49:59 -0400] dse - Could not load config file 
> [dse.ldif]
>        [07/Oct/2014:12:49:59 -0400] dse - Please edit the file to correct the 
> reported problems and then restart the server.
>                                                                               
>                                             [FAILED]
>                PKI-IPA...[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: 
> entry has no dn
>        [07/Oct/2014:12:49:59 -0400] - The entry [nsSSL3Ciphers] in the 
> configfile /etc/dirsrv/slapd-PKI-IPA/dse.ldif was empty or could not be parsed
>        [07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
>        [07/Oct/2014:12:49:59 -0400] - The entry [numSubordinates] in the 
> configfile /etc/dirsrv/slapd-PKI-IPA/dse.ldif was empty or could not be parsed
>        [07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
>        [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry 
> (lineno: 110) in file /etc/dirsrv/slapd-PKI-IPA/dse.ldif failed.
>        [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section 
> [nsSSL3Ciphers: 
> -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
>         
> +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
>         
> rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
>         a_export1024_with ...]
>        [07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
>        [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry 
> (lineno: 115) in file /etc/dirsrv/slapd-PKI-IPA/dse.ldif failed.
>        [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section 
> [numSubordinates: 1]
>        [07/Oct/2014:12:49:59 -0400] dse - Could not load config file 
> [dse.ldif]
>        [07/Oct/2014:12:49:59 -0400] dse - Please edit the file to correct the 
> reported problems and then restart the server.
>                                                                               
>                                             [FAILED]
>
>-----Original Message-----
>From: Alexander Bokovoy [mailto:aboko...@redhat.com]
>Sent: Tuesday, October 07, 2014 12:43 PM
>To: Murty, Ajeet (US - Arlington)
>Cc: Rob Crittenden; Rich Megginson; freeipa-users@redhat.com
>Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
>
>On Tue, 07 Oct 2014, Murty, Ajeet (US - Arlington) wrote:
>>I was shutting down IPA before making any changes -
>>
>>1. Shutdown IPA -
>>
>>[root]# /etc/init.d/ipa stop
>>Stopping CA Service
>>Stopping pki-ca:                                           [  OK  ]
>>Stopping HTTP Service
>>Stopping httpd:                                            [  OK  ]
>>Stopping MEMCACHE Service
>>Stopping ipa_memcached:                                    [  OK  ]
>>Stopping KPASSWD Service
>>Stopping Kerberos 5 Admin Server:                          [  OK  ]
>>Stopping KDC Service
>>Stopping Kerberos 5 KDC:                                   [  OK  ]
>>Stopping Directory Service
>>Shutting down dirsrv:
>>    EXAMPLE-COM...                                         [  OK  ]
>>    PKI-IPA...                                             [  OK  ]
>>
>>2. Edit 'dse.ldif' files to remove null ciphers -
>>
>>nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+
>> rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128
>> _sha,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
>>numSubordinates: 1
>I think Ludwig gave a good suggestion -- instead of removing them from
>the list, prefix the *_null ciphers with -, i.e. -rsa_null_md5, -fortezza_null.
>The way the nsSSL3Ciphers attribute works is by modifying the default NSS
>cipher list, with + and - to add and remove ciphers accordingly.
>
>--
>/ Alexander Bokovoy

-- 
/ Alexander Bokovoy
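The two points made in the thread, that an empty line in dse.ldif ends the entry so a following nsSSL3Ciphers line has no dn, and that the nsSSL3Ciphers value is a +/- list applied to a cipher set, can be checked before restarting the directory server. The script below is an added example; it is not code from the thread, from 389-ds or from FreeIPA. It parses a small LDIF fragment with RFC 2849 continuation lines, rejects an entry without a dn (the condition the server logs as `str2entry_dupcheck: entry has no dn`), and evaluates the cipher list so the resulting set can be inspected for null ciphers. The `KNOWN` cipher table, the sample LDIF text and the model of starting from an empty set before applying the +/- tokens are constructed assumptions; the real server's default cipher list and cipher names differ. The practical point for the scan result in the thread: a dse.ldif that fails to parse means the hardened list never took effect, so the scanner keeps reporting the null ciphers.

```python
"""Added example (not 389-ds, FreeIPA or thread code): LDIF entry parsing
plus an nsSSL3Ciphers-style '+name,-name' evaluator, with constructed data."""
from typing import Dict, List, Set

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF text into entries (simplified: no comments, no base64 '::').

    Rules that matter for dse.ldif:
      - a line beginning with one space continues the previous attribute value;
      - an empty line terminates the current entry;
      - every entry must start with a 'dn:' line.
    Raises ValueError for an entry without a dn, the same condition 389-ds
    reports as 'str2entry_dupcheck: entry has no dn'.
    """
    entries: List[Entry] = []
    logical: List[str] = []  # unfolded lines of the entry being read

    def finish_entry() -> None:
        if not logical:
            return
        entry: Entry = {}
        for line in logical:
            attr, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"could not parse line: {line!r}")
            entry.setdefault(attr.strip(), []).append(value.strip())
        if "dn" not in entry:
            raise ValueError(f"entry has no dn (starts with {logical[0]!r})")
        entries.append(entry)
        logical.clear()

    for raw in text.splitlines():
        if raw == "":
            finish_entry()
        elif raw.startswith(" "):
            if not logical:
                raise ValueError("continuation line with nothing to continue")
            logical[-1] += raw[1:]  # fold: drop the single leading space
        else:
            logical.append(raw)
    finish_entry()
    return entries


def apply_cipher_spec(start: Set[str], known: Set[str], spec: str) -> Set[str]:
    """Evaluate a '+name,-name,+all' list left to right (assumed model).

    Begin from `start` (which set the server really starts from is a
    deployment detail; pass the empty set or the default-enabled set).
    '+all' enables every known cipher, '-all' disables everything,
    '+name' enables and '-name' disables one cipher; unknown names are
    reported rather than silently ignored.
    """
    enabled = set(start)
    for token in (t.strip() for t in spec.split(",") if t.strip()):
        sign, name = token[0], token[1:].lower()
        if sign not in "+-":
            raise ValueError(f"cipher token must start with + or -: {token!r}")
        if name == "all":
            enabled = set(known) if sign == "+" else set()
        elif name not in known:
            raise ValueError(f"unknown cipher name: {name!r}")
        elif sign == "+":
            enabled.add(name)
        else:
            enabled.discard(name)
    return enabled


def null_ciphers(enabled: Set[str]) -> Set[str]:
    """Ciphers that provide no encryption (name contains 'null')."""
    return {c for c in enabled if "null" in c}


# Constructed sample data: a cut-down cn=encryption entry, once folded
# correctly and once with the attribute separated from its entry by an
# empty line (the mistake diagnosed in the thread).
GOOD_LDIF = """\
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_3des_sha,
 +fortezza,-fortezza_null
numSubordinates: 1
"""

BAD_LDIF = GOOD_LDIF.replace("cn: encryption\n", "cn: encryption\n\n")

# Constructed stand-in for the server's cipher table (not the real NSS list).
KNOWN = {"rsa_null_md5", "rsa_rc4_128_md5", "rsa_3des_sha", "fortezza",
         "fortezza_null", "rsa_des_sha"}


def check_file(text: str) -> Set[str]:
    """Parse the LDIF and return the null ciphers that would stay enabled."""
    entries = parse_ldif(text)
    enc = next(e for e in entries if e["dn"][0] == "cn=encryption,cn=config")
    return null_ciphers(apply_cipher_spec(set(), KNOWN, enc["nsSSL3Ciphers"][0]))


def file_is_loadable(text: str) -> bool:
    """True when every entry parses and carries a dn."""
    try:
        parse_ldif(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("good file leaves null ciphers:", check_file(GOOD_LDIF) or "none")
    print("bad file loadable:", file_is_loadable(BAD_LDIF))
```

Run it and the good file reports no null ciphers while the bad file is rejected with the same "entry has no dn" condition the server logged. The `null_ciphers` check only looks for the null ciphers the thread is about; the same loop over the returned set can flag the rc4, 40-bit and export names that a scanner reports as weak.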

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project