Done. 'Bug 1150368 - Unable to disable Null Ciphers on 389-Directory-Server using nsSSL3Ciphers in Ldif'
https://bugzilla.redhat.com/show_bug.cgi?id=1150368

Thanks.

-----Original Message-----
From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Wednesday, October 08, 2014 12:37 AM
To: Murty, Ajeet (US - Arlington); Alexander Bokovoy; Rob Crittenden
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports

On 10/07/2014 10:15 PM, Murty, Ajeet (US - Arlington) wrote:
> Any ideas on what else I can try here?

Please file a ticket.

> Also, can we expect the new IPA and DS to be available in the CentOS/YUM
> repository in the next few weeks/months?
>
> Thanks again for all your help.
>
>
> -----Original Message-----
> From: freeipa-users-boun...@redhat.com
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Murty, Ajeet (US -
> Arlington)
> Sent: Tuesday, October 07, 2014 1:21 PM
> To: Alexander Bokovoy
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
>
> I removed the new lines, looks like this now -
>
> modifyTimestamp: 20140915221826Z
> nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
>
> +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
>
> rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
> a_export1024_with_des_cbc_sha
> numSubordinates: 1
>
> I am still seeing the null ciphers in my scan results.
>
>
>
> -----Original Message-----
> From: Alexander Bokovoy [mailto:aboko...@redhat.com]
> Sent: Tuesday, October 07, 2014 1:08 PM
> To: Murty, Ajeet (US - Arlington)
> Cc: Rob Crittenden; Rich Megginson; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
>
> On Tue, 07 Oct 2014, Murty, Ajeet (US - Arlington) wrote:
>> I shutdown IPA and modified both dse ldif files to look like this -
>>
>> nsSSL3Ciphers:
>> -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
>>
>> +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
>>
>> rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
>> a_export1024_with_des_cbc_sha
>>
>>
>> Then, when I try to start up IPA, I get this error message -
>>
>> [root]# /etc/init.d/ipa start
>> Starting Directory Service
>> Starting dirsrv:
>> EXAMPLE-COM...[07/Oct/2014:12:49:59 -0400] -
>> str2entry_dupcheck: entry has no dn
>> [07/Oct/2014:12:49:59 -0400] - The entry [nsSSL3Ciphers] in the
>> configfile /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif was empty or could not be
>> parsed
>> [07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
> The lines above suggest that you actually separated nsSSL3Ciphers line
> from the entry itself. At least in my case it looks like this:
>
> dn: cn=encryption,cn=config
> objectClass: top
> objectClass: nsEncryptionConfig
> cn: encryption
> nsSSLSessionTimeout: 0
> nsSSLClientAuth: allowed
> nsSSL2: off
> nsSSL3: off
> creatorsName: cn=server,cn=plugins,cn=config
> modifiersName: cn=directory manager
> createTimestamp: 20141001151245Z
> modifyTimestamp: 20141001151430Z
> nsSSL3Ciphers: +all
> allowWeakCipher: off
> numSubordinates: 1
>
> note that it is part of cn=encryption,cn=config entry. You cannot
> separate attributes within the entry with empty lines because empty line
> finishes current entry and starts another one.
>
>> [07/Oct/2014:12:49:59 -0400] - The entry [numSubordinates] in the
>> configfile /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif was empty or could not be
>> parsed
>> [07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
>> [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry
>> (lineno: 116) in file /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif failed.
>> [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section
>> [nsSSL3Ciphers:
>> -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
>>
>> +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
>>
>> rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
>> a_export1024_with ...]
>> [07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
>> [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry
>> (lineno: 121) in file /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif failed.
>> [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section
>> [numSubordinates: 1]
>> [07/Oct/2014:12:49:59 -0400] dse - Could not load config file
>> [dse.ldif]
>> [07/Oct/2014:12:49:59 -0400] dse - Please edit the file to correct
>> the reported problems and then restart the server.
>>
>> [FAILED]
>> PKI-IPA...[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck:
>> entry has no dn
>> [07/Oct/2014:12:49:59 -0400] - The entry [nsSSL3Ciphers] in the
>> configfile /etc/dirsrv/slapd-PKI-IPA/dse.ldif was empty or could not be
>> parsed
>> [07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
>> [07/Oct/2014:12:49:59 -0400] - The entry [numSubordinates] in the
>> configfile /etc/dirsrv/slapd-PKI-IPA/dse.ldif was empty or could not be
>> parsed
>> [07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
>> [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry
>> (lineno: 110) in file /etc/dirsrv/slapd-PKI-IPA/dse.ldif failed.
>> [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section
>> [nsSSL3Ciphers:
>> -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
>>
>> +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
>>
>> rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
>> a_export1024_with ...]
>> [07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
>> [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry
>> (lineno: 115) in file /etc/dirsrv/slapd-PKI-IPA/dse.ldif failed.
>> [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section
>> [numSubordinates: 1]
>> [07/Oct/2014:12:49:59 -0400] dse - Could not load config file
>> [dse.ldif]
>> [07/Oct/2014:12:49:59 -0400] dse - Please edit the file to correct
>> the reported problems and then restart the server.
>>
>> [FAILED]
>>
>>
>> -----Original Message-----
>> From: Alexander Bokovoy [mailto:aboko...@redhat.com]
>> Sent: Tuesday, October 07, 2014 12:43 PM
>> To: Murty, Ajeet (US - Arlington)
>> Cc: Rob Crittenden; Rich Megginson; freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
>>
>> On Tue, 07 Oct 2014, Murty, Ajeet (US - Arlington) wrote:
>>> I was shutting down IPA before making any changes -
>>>
>>> 1. Shutdown IPA -
>>>
>>> [root]# /etc/init.d/ipa stop
>>> Stopping CA Service
>>> Stopping pki-ca: [ OK ]
>>> Stopping HTTP Service
>>> Stopping httpd: [ OK ]
>>> Stopping MEMCACHE Service
>>> Stopping ipa_memcached: [ OK ]
>>> Stopping KPASSWD Service
>>> Stopping Kerberos 5 Admin Server: [ OK ]
>>> Stopping KDC Service
>>> Stopping Kerberos 5 KDC: [ OK ]
>>> Stopping Directory Service
>>> Shutting down dirsrv:
>>> EXAMPLE-COM... [ OK ]
>>> PKI-IPA... [ OK ]
>>>
>>> 2. Edit 'dse.ldif' files to remove null ciphers -
>>>
>>> nsSSL3Ciphers:
>>> +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+
>>> rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128
>>> _sha,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
>>> numSubordinates: 1
>> I think Ludwig gave a good suggestion -- instead of removing them from
>> the list, prefix the *_null ciphers with -, i.e. -rsa_null_md5,
>> -fortezza_null.
>> The way nsSSL3Ciphers attribute works, is by modifying default NSS
>> ciphers list, with + and - to add and remove the ciphers accordingly.
>>
>> --
>> / Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
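The two points made in the thread, that a blank line ends an LDIF entry (hence "entry has no dn" at startup) and that nsSSL3Ciphers applies + and - modifiers to a default cipher list, as an added Python example that is not part of the thread or of 389-DS. The entry text, the default cipher set and the +all/-all handling are constructed assumptions; the real default list and precedence depend on the 389-DS and NSS versions in use.

```python
# Constructed cn=encryption,cn=config entry modelled on the one quoted in the
# thread (not from a real server); the value is folded with a ' '-prefixed line.
GOOD_LDIF = """\
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_3des_sha,+fortezza,
 -fortezza_null,+tls_rsa_export1024_with_des_cbc_sha
allowWeakCipher: off
numSubordinates: 1
"""
# Same entry with a blank line inside the value, as a mail client or a hand
# edit leaves it; in LDIF an empty line terminates the entry.
BROKEN_LDIF = GOOD_LDIF.replace(",\n -fortezza_null", ",\n\n-fortezza_null")
# Constructed stand-in for the default list that + and - modify (version-dependent).
DEFAULT_CIPHERS = {"rsa_null_md5", "fortezza_null", "rsa_rc4_128_md5", "rsa_des_sha"}


def parse_ldif(text):
    """Return (entries, errors): split on blank lines, unfold ' '-prefixed
    lines, and report blocks without a dn ('str2entry_dupcheck: entry has no dn')."""
    entries, errors, lines = [], [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # LDIF line folding
        elif raw:
            lines.append(raw)
        elif lines:                           # blank line: the entry ends here
            entry = {}
            for line in lines:
                name, _, value = line.partition(":")
                entry.setdefault(name.strip(), []).append(value.strip())
            (entries if "dn" in entry else errors).append(entry)
            lines = []
    return entries, errors


def enabled_ciphers(spec, default=DEFAULT_CIPHERS):
    """'+x' enables x, '-x' disables it, '+all'/'-all' act on the whole default list."""
    enabled = set(default)
    for token in filter(None, spec.split(",")):
        names = set(default) if token[1:] == "all" else {token[1:]}
        enabled = enabled | names if token[0] == "+" else enabled - names
    return enabled


def null_ciphers_left(ldif_text):
    """Null ciphers still enabled by the cn=encryption,cn=config entry."""
    entries, _ = parse_ldif(ldif_text)
    enc = next(e for e in entries if e["dn"] == ["cn=encryption,cn=config"])
    return sorted(c for c in enabled_ciphers(enc["nsSSL3Ciphers"][0]) if "null" in c)
```

Under this model a value that merely omits the *_null names, as in the first edit above, leaves them enabled, while one that prefixes them with - removes them; what the running server actually offers is still only settled by a cipher scan, as the thread does.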