That worked! I should have read the DS-389 documentation more carefully.
I had to set nsSSL3Ciphers to the following -

modifyTimestamp: 20140915221826Z
nsSSL3Ciphers: +all,-rsa_null_sha
numSubordinates: 1

Ran the scan again, and no Null Ciphers detected.

Cipher configuration documentation for DS-389 - http://directory.fedoraproject.org/docs/389ds/design/nss-cipher-design.html

Thanks!

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ludwig Krispenz
Sent: Wednesday, October 08, 2014 11:49 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports

Hi,

I did a test with 1.2.11.15-33

first test: nsSSL3Ciphers: +all

running nmap gave:

636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA - strong
|       SSL_RSA_FIPS_WITH_DES_CBC_SHA - weak
|       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA - weak
|       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA - weak
|       TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 - weak
|       TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_DES_CBC_SHA - weak
|       TLS_RSA_WITH_NULL_SHA - broken   <<<<<<<<<<<<<<
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|_  least strength: broken

next test: nsSSL3Ciphers: +all,-rsa_null_sha

nmap result:

636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA - strong
|       SSL_RSA_FIPS_WITH_DES_CBC_SHA - weak
|       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA - weak
|       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA - weak
|       TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 - weak
|       TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_DES_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|_  least strength: weak

maybe you can try adding "-rsa_null_sha" to your nsSSL3Ciphers config.

On 10/08/2014 09:10 AM, Murty, Ajeet (US - Arlington) wrote:
> Understood. Thank you for clarifying all that.
> I believe my best options at this point are to rebuild my environment on
> CentOS 7, enable COPR repo, and get the latest version of FreeIPA 4.x.
> I will hold out for a few more weeks to see if someone at RedHat can provide
> a fix/patch for the older version. Fingers crossed.
>
>
> -----Original Message-----
> From: Alexander Bokovoy [mailto:aboko...@redhat.com]
> Sent: Wednesday, October 08, 2014 2:01 AM
> To: Murty, Ajeet (US - Arlington)
> Cc: Rob Crittenden; Rich Megginson; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
>
> On Wed, 08 Oct 2014, Murty, Ajeet (US - Arlington) wrote:
>> Any ideas on what else I can try here?
>> Also, can we expect the new IPA and DS to be available in the CentOS/YUM
>> repository in the next few weeks/months?
> In general, the FreeIPA team doesn't do backports to older versions due to
> tight cooperation with other components when introducing new features.
> We depend a lot on changes in 389-ds, Dogtag, MIT Kerberos, and SSSD, at
> least, but also in Samba and other components, including the Linux kernel.
>
> Backporting all the changes to older releases of certain distributions
> is left to distribution maintainers. For Fedora we do have some freedom
> on what can be done and try to maintain availability of FreeIPA releases
> on two current versions, but sometimes it is impossible due to update
> policies -- Fedora 20 got the 4.0.x upgrade via a COPR repository while we are
> cleaning up Fedora 21 for 4.1 support.
>
> In case of Red Hat Enterprise Linux releases, Red Hat itself (I cannot
> speak for the company) makes decisions on what to support, and these
> decisions are also based on certain stability promises for ABI; see
> https://access.redhat.com/solutions/5154 for details.
> Some of the components FreeIPA depends on change their ABI and therefore
> the changes can only be introduced in newer major releases. When these
> changes occurred, we coordinated with Red Hat engineering teams to make
> sure the most important changes were folded into the RHEL 7.0 release to
> provide a base for FreeIPA integration.
>
> For CentOS, as it tracks corresponding Red Hat Enterprise Linux
> releases, the situation is similar. For packages that are not in RHEL/CentOS
> releases there are means to provide them through side channels, like
> EPEL, but EPEL's policy prevents packaging something that is
> available through the main channels for the release.
>
> We use COPR repositories to make it possible to install newer FreeIPA
> versions on RHEL 7/CentOS 7/Fedora 20. However, these packages have no
> official support from Red Hat or the CentOS project. They are a FreeIPA
> upstream effort to make our releases more easily testable. For any issues
> found through COPR repositories you are welcome to file tickets in the
> FreeIPA issue tracker at https://fedorahosted.org/freeipa/.
>
>
>> Thanks again for all your help.
>>
>>
>> -----Original Message-----
>> From: freeipa-users-boun...@redhat.com
>> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Murty, Ajeet (US -
>> Arlington)
>> Sent: Tuesday, October 07, 2014 1:21 PM
>> To: Alexander Bokovoy
>> Cc: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
>>
>> I removed the new lines, looks like this now -
>>
>> modifyTimestamp: 20140915221826Z
>> nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
>> numSubordinates: 1
>>
>> I am still seeing the null ciphers in my scan results.
>>
>>
>>
>> -----Original Message-----
>> From: Alexander Bokovoy [mailto:aboko...@redhat.com]
>> Sent: Tuesday, October 07, 2014 1:08 PM
>> To: Murty, Ajeet (US - Arlington)
>> Cc: Rob Crittenden; Rich Megginson; freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
>>
>> On Tue, 07 Oct 2014, Murty, Ajeet (US - Arlington) wrote:
>>> I shut down IPA and modified both dse ldif files to look like this -
>>>
>>> nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
>>>
>>>
>>> Then, when I try to start up IPA, I get this error message -
>>>
>>> [root]# /etc/init.d/ipa start
>>> Starting Directory Service
>>> Starting dirsrv:
>>>     EXAMPLE-COM...[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
>>> [07/Oct/2014:12:49:59 -0400] - The entry [nsSSL3Ciphers] in the configfile /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif was empty or could not be parsed
>>> [07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
>> The lines above suggest that you actually separated the nsSSL3Ciphers line
>> from the entry itself. At least in my case it looks like this:
>>
>> dn: cn=encryption,cn=config
>> objectClass: top
>> objectClass: nsEncryptionConfig
>> cn: encryption
>> nsSSLSessionTimeout: 0
>> nsSSLClientAuth: allowed
>> nsSSL2: off
>> nsSSL3: off
>> creatorsName: cn=server,cn=plugins,cn=config
>> modifiersName: cn=directory manager
>> createTimestamp: 20141001151245Z
>> modifyTimestamp: 20141001151430Z
>> nsSSL3Ciphers: +all
>> allowWeakCipher: off
>> numSubordinates: 1
>>
>> note that it is part of the cn=encryption,cn=config entry. You cannot
>> separate attributes within the entry with empty lines because an empty line
>> finishes the current entry and starts another one.
>>
>>> [07/Oct/2014:12:49:59 -0400] - The entry [numSubordinates] in the configfile /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif was empty or could not be parsed
>>> [07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
>>> [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry (lineno: 116) in file /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif failed.
>>> [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section [nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with ...]
>>> [07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
>>> [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry (lineno: 121) in file /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif failed.
>>> [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section [numSubordinates: 1]
>>> [07/Oct/2014:12:49:59 -0400] dse - Could not load config file [dse.ldif]
>>> [07/Oct/2014:12:49:59 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
>>>
>>>                                                            [FAILED]
>>>     PKI-IPA...[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
>>> [07/Oct/2014:12:49:59 -0400] - The entry [nsSSL3Ciphers] in the configfile /etc/dirsrv/slapd-PKI-IPA/dse.ldif was empty or could not be parsed
>>> [07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
>>> [07/Oct/2014:12:49:59 -0400] - The entry [numSubordinates] in the configfile /etc/dirsrv/slapd-PKI-IPA/dse.ldif was empty or could not be parsed
>>> [07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
>>> [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry (lineno: 110) in file /etc/dirsrv/slapd-PKI-IPA/dse.ldif failed.
>>> [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section [nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with ...]
>>> [07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
>>> [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry (lineno: 115) in file /etc/dirsrv/slapd-PKI-IPA/dse.ldif failed.
>>> [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section [numSubordinates: 1]
>>> [07/Oct/2014:12:49:59 -0400] dse - Could not load config file [dse.ldif]
>>> [07/Oct/2014:12:49:59 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
>>>
>>>                                                            [FAILED]
>>>
>>>
>>> -----Original Message-----
>>> From: Alexander Bokovoy [mailto:aboko...@redhat.com]
>>> Sent: Tuesday, October 07, 2014 12:43 PM
>>> To: Murty, Ajeet (US - Arlington)
>>> Cc: Rob Crittenden; Rich Megginson; freeipa-users@redhat.com
>>> Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
>>>
>>> On Tue, 07 Oct 2014, Murty, Ajeet (US - Arlington) wrote:
>>>> I was shutting down IPA before making any changes -
>>>>
>>>> 1. Shutdown IPA -
>>>>
>>>> [root]# /etc/init.d/ipa stop
>>>> Stopping CA Service
>>>> Stopping pki-ca:                                           [ OK ]
>>>> Stopping HTTP Service
>>>> Stopping httpd:                                            [ OK ]
>>>> Stopping MEMCACHE Service
>>>> Stopping ipa_memcached:                                    [ OK ]
>>>> Stopping KPASSWD Service
>>>> Stopping Kerberos 5 Admin Server:                          [ OK ]
>>>> Stopping KDC Service
>>>> Stopping Kerberos 5 KDC:                                   [ OK ]
>>>> Stopping Directory Service
>>>> Shutting down dirsrv:
>>>>     EXAMPLE-COM...                                         [ OK ]
>>>>     PKI-IPA...                                             [ OK ]
>>>>
>>>> 2. Edit 'dse.ldif' files to remove null ciphers -
>>>>
>>>> nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
>>>> numSubordinates: 1
>>> I think Ludwig gave a good suggestion -- instead of removing them from
>>> the list, prefix the *_null ciphers with -, i.e. -rsa_null_md5,
>>> -fortezza_null.
>>> The way the nsSSL3Ciphers attribute works is by modifying the default NSS
>>> ciphers list, with + and - to add and remove the ciphers accordingly.
>>>
>>> --
>>> / Alexander Bokovoy
>> --
>> / Alexander Bokovoy
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go To http://freeipa.org for more info on the project
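Two points in the thread above are easy to get wrong by hand and cheap to check before dirsrv is restarted: a blank line inside the cn=encryption,cn=config entry turns the attributes after it into a separate "entry" with no dn (the str2entry_dupcheck errors), and nsSSL3Ciphers only switches a suite off when it carries an explicit "-" prefix, so leaving rsa_null_sha out of the list is not the same as disabling it. The following is an added example, not code from the thread, 389-ds or FreeIPA. The NULL cipher short names (rsa_null_md5, rsa_null_sha, fortezza_null) are the ones the thread mentions; the rule that "+all" must be paired with an explicit "-" for each of them is this lint's own, deliberately conservative choice, so the final config from the thread (+all,-rsa_null_sha) still draws two advisory findings here even though the scan came back clean. The scan of the live port remains the real check.

```python
"""Lint the cn=encryption,cn=config entry of a 389-ds dse.ldif before restart.

Added example (assumptions: NULL suite names from the thread; the "+all needs
an explicit -name" rule is this lint's own). Catches two mistakes from the
thread: an attribute split from its entry by a blank line, and an
nsSSL3Ciphers value that leaves a NULL suite enabled or un-prefixed.
"""
import re

NULL_CIPHER_NAMES = ("rsa_null_md5", "rsa_null_sha", "fortezza_null")
ENCRYPTION_DN = "cn=encryption,cn=config"


def split_entries(ldif_text):
    """Split LDIF into entries the way dse.ldif is read: on blank lines.

    Continuation lines (leading space, RFC 2849) are joined to the previous
    attribute so a folded nsSSL3Ciphers value still counts as one attribute.
    """
    entries = []
    for chunk in re.split(r"\n[ \t]*\n", ldif_text.strip("\n")):
        lines = []
        for line in chunk.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            if line[0] == " " and lines:
                lines[-1] += line[1:]
            else:
                lines.append(line.rstrip())
        if lines:
            entries.append(lines)
    return entries


def parse_attrs(entry_lines):
    """Map lower-cased attribute name -> list of values for one entry."""
    attrs = {}
    for line in entry_lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an attribute line: {line!r}")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def lint_cipher_spec(spec):
    """Check one nsSSL3Ciphers value: every token needs + or -, a NULL suite
    must never be +enabled and, when +all is used, must be -disabled."""
    findings, enabled, disabled = [], set(), set()
    for token in filter(None, spec.replace(" ", "").split(",")):
        if token[0] not in "+-":
            findings.append(f"token {token!r} lacks a +/- prefix")
            continue
        (enabled if token[0] == "+" else disabled).add(token[1:].lower())
    for name in NULL_CIPHER_NAMES:
        if name in enabled:
            findings.append(f"NULL suite explicitly enabled: +{name}")
        elif "all" in enabled and name not in disabled:
            findings.append(f"+all used but NULL suite not disabled: add -{name}")
    return findings


def lint_dse(ldif_text):
    """Lint a dse.ldif fragment; returns a list of findings (empty == clean)."""
    findings, encryption = [], None
    for idx, lines in enumerate(split_entries(ldif_text)):
        if not lines[0].lower().startswith("dn:"):
            findings.append(f"entry {idx} has no dn; {lines[0]!r} was split "
                            "from its entry by a blank line")
            continue
        attrs = parse_attrs(lines)
        if attrs["dn"][0].lower() == ENCRYPTION_DN:
            encryption = attrs
    if encryption is None:
        return findings + [f"no {ENCRYPTION_DN} entry found"]
    for spec in encryption.get("nsssl3ciphers", []):
        findings.extend(lint_cipher_spec(spec))
    return findings


# Constructed samples modelled on the entries posted in the thread.
BROKEN = """\
dn: cn=encryption,cn=config
objectClass: nsEncryptionConfig
cn: encryption

nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_3des_sha,-fortezza_null

numSubordinates: 1
"""
FIXED = """\
dn: cn=encryption,cn=config
objectClass: nsEncryptionConfig
cn: encryption
nsSSL3Ciphers: +all,-rsa_null_sha,
 -rsa_null_md5,-fortezza_null
numSubordinates: 1
"""

if __name__ == "__main__":
    for label, sample in (("blank-line edit", BROKEN), ("fixed", FIXED)):
        print(f"{label}: {lint_dse(sample) or 'clean'}")
```

Run it against the edited dse.ldif of each instance (slapd-EXAMPLE-COM and slapd-PKI-IPA in the thread) while dirsrv is stopped; an empty result means the file will at least parse and no NULL suite is left enabled by omission.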
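Ludwig verified each nsSSL3Ciphers change by reading the nmap ssl-enum-ciphers listing by eye. The following is an added example, not code from the thread or from nmap, that parses that listing (the older nmap 6.x layout quoted above, as produced by `nmap --script ssl-enum-ciphers -p 636 <host>`) and applies a pass/fail policy to it, so the check can be repeated after every edit. The two samples are constructed from the two scans in the thread. The policy is this example's own and stricter than the nmap ratings of the day, which still called RC4 and 3DES "strong": it flags NULL, EXPORT, single DES, RC4 and MD5 suites and anything nmap rates "weak" or "broken". Note what it shows about the thread's fix: "-rsa_null_sha" removes the broken NULL suite, but the export and DES suites that nmap rated "weak" are still offered afterwards.

```python
"""Parse nmap ssl-enum-ciphers output and audit it against a cipher policy.

Added example (assumptions: the nmap 6.x output layout quoted in the thread;
the WEAK_MARKERS policy is this example's own).
"""
import re

PROTO_RE = re.compile(r"^(SSLv\d|TLSv[\d.]+):$")
CIPHER_RE = re.compile(r"^([A-Z0-9_]+)\s+-\s+(\w+)")
# "WITH_DES_CBC" matches single DES only; 3DES suites read "WITH_3DES_EDE_CBC".
WEAK_MARKERS = ("NULL", "EXPORT", "WITH_DES_CBC", "RC4", "MD5")


def parse_enum_ciphers(text):
    """Return {"protocols": {proto: {"ciphers": [(name, rating)],
    "compressors": [...]}}, "least_strength": str or None}."""
    result = {"protocols": {}, "least_strength": None}
    proto, section = None, None
    for raw in text.splitlines():
        line = raw.lstrip("|_ \t").strip()          # drop nmap's "|" / "|_" gutter
        if not line or line == "ssl-enum-ciphers:":
            continue
        m = PROTO_RE.match(line)
        if m:
            proto, section = m.group(1), None
            result["protocols"][proto] = {"ciphers": [], "compressors": []}
            continue
        if line in ("ciphers:", "compressors:"):
            section = line[:-1]
            continue
        if line.startswith("least strength:"):
            result["least_strength"] = line.split(":", 1)[1].strip()
            continue
        if proto is None:                            # e.g. the "636/tcp open" line
            continue
        if section == "ciphers":
            m = CIPHER_RE.match(line)
            if m:
                result["protocols"][proto]["ciphers"].append((m.group(1), m.group(2)))
        elif section == "compressors":
            result["protocols"][proto]["compressors"].append(line)
    return result


def audit(parsed):
    """Apply the policy; returns (protocol, item, reason) findings."""
    findings = []
    for proto, info in parsed["protocols"].items():
        if proto.startswith("SSLv"):
            findings.append((proto, "*", "legacy SSL protocol offered"))
        for name, rating in info["ciphers"]:
            reasons = [mark for mark in WEAK_MARKERS if mark in name]
            if rating in ("broken", "weak"):
                reasons.append(f"nmap rating {rating}")
            if reasons:
                findings.append((proto, name, ", ".join(reasons)))
        for comp in info["compressors"]:
            if comp.upper() != "NULL":
                findings.append((proto, comp, "TLS compression enabled"))
    return findings


def null_ciphers(parsed):
    """NULL-encryption suites offered on any protocol (the thread's blocker)."""
    return sorted({name for info in parsed["protocols"].values()
                   for name, _ in info["ciphers"]
                   if "_NULL_" in name or name.endswith("_NULL")})


# Constructed from the first scan quoted in the thread (nsSSL3Ciphers: +all).
BEFORE = """\
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA - strong
|       SSL_RSA_FIPS_WITH_DES_CBC_SHA - weak
|       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA - weak
|       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA - weak
|       TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 - weak
|       TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_DES_CBC_SHA - weak
|       TLS_RSA_WITH_NULL_SHA - broken
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|_  least strength: broken
"""
# The second scan (+all,-rsa_null_sha) differs only by the NULL suite and the summary.
AFTER = "\n".join(l for l in BEFORE.splitlines() if "NULL_SHA" not in l) \
        .replace("least strength: broken", "least strength: weak")

if __name__ == "__main__":
    for label, scan in (("+all", BEFORE), ("+all,-rsa_null_sha", AFTER)):
        parsed = parse_enum_ciphers(scan)
        print(f"{label}: NULL suites {null_ciphers(parsed)}, "
              f"{len(audit(parsed))} policy findings, least strength {parsed['least_strength']}")
```

Feed it the saved output of a real scan of port 636 (and 389 with STARTTLS, which the subject line also covers) before and after the dse.ldif edit; an empty `null_ciphers()` result is the condition the thread was after, and a non-empty `audit()` list is the remaining work.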