That worked!

I should have read the DS-389 documentation more carefully.

I had to set nsSSL3Ciphers to the following - 

        modifyTimestamp: 20140915221826Z
        nsSSL3Ciphers: +all,-rsa_null_sha
        numSubordinates: 1

Ran the scan again, and no null ciphers were detected.

Cipher configuration documentation for DS-389 - 
http://directory.fedoraproject.org/docs/389ds/design/nss-cipher-design.html

Thanks!

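The fix the thread arrives at, applied online with ldapmodify instead of hand-editing dse.ldif, together with a check that a rescan no longer offers a NULL suite. This is an added example, not code from any message in this thread or from the 389-ds project. It assumes ldapmodify and nmap with the ssl-enum-ciphers script are installed, a Directory Manager bind to ldap://localhost, and a placeholder host name ipa.example.com; the function names cipher_ldif, flag_bad_ciphers, null_cipher_count and bad_cipher_count and the file name fix.ldif are mine. The two nmap samples are constructed from the results Ludwig posted, cut down to a few suites. The checker deliberately flags EXPORT and single-DES suites as well: "+all,-rsa_null_sha" removes only the NULL cipher, and Ludwig's second scan still ends with "least strength: weak".

```shell
#!/bin/sh
# Added example (not from the thread). Assumes ldapmodify, nmap, a 389-ds
# instance on ldap://localhost and Directory Manager credentials.
# ipa.example.com and fix.ldif are placeholders.

# Build the LDIF that changes nsSSL3Ciphers on the live entry. The attribute
# lives in cn=encryption,cn=config; modifying it with ldapmodify avoids the
# dse.ldif parsing errors seen in the thread.
cipher_ldif() {
    # $1: the nsSSL3Ciphers value to set, e.g. '+all,-rsa_null_sha'
    printf '%s\n' \
        'dn: cn=encryption,cn=config' \
        'changetype: modify' \
        'replace: nsSSL3Ciphers' \
        "nsSSL3Ciphers: $1"
}

# Read nmap ssl-enum-ciphers output on stdin and print, one per line, the
# suites that should not be offered on an LDAPS port: NULL (no encryption),
# EXPORT (40/56-bit), single DES, and anything nmap itself rates "broken".
flag_bad_ciphers() {
    sed -n 's/^| *\([A-Z0-9_]*\) - \([a-z]*\).*/\1 \2/p' |
    awk '$1 ~ /_NULL_|_EXPORT|_WITH_DES_CBC_/ || $2 == "broken" { print $1 }' |
    sort -u
}

# Number of NULL suites in the nmap output given on stdin (0 is the goal).
null_cipher_count() {
    flag_bad_ciphers | grep -c '_NULL_' || true
}

# Number of flagged suites of any kind in the nmap output given on stdin.
bad_cipher_count() {
    flag_bad_ciphers | wc -l | tr -d ' '
}

# Constructed sample: shape of the first scan in the thread (nsSSL3Ciphers: +all).
SAMPLE_BEFORE='636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak
|       TLS_RSA_WITH_DES_CBC_SHA - weak
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_NULL_SHA - broken <<<<<<<<<<<<<<
|_  least strength: broken'

# Constructed sample: shape of the second scan (+all,-rsa_null_sha).
# The NULL suite is gone, but export and single-DES suites are still offered.
SAMPLE_AFTER='636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak
|       TLS_RSA_WITH_DES_CBC_SHA - weak
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|_  least strength: weak'

# Usage against a real server (not executed here):
#   cipher_ldif '+all,-rsa_null_sha' > fix.ldif
#   ldapmodify -x -H ldap://localhost -D 'cn=directory manager' -W -f fix.ldif
#   /etc/init.d/ipa restart        # nsSSL3Ciphers is read at start-up
#   nmap --script ssl-enum-ciphers -p 636 ipa.example.com | flag_bad_ciphers
```

nsSSL3Ciphers is read when the server starts, so restart after the ldapmodify and only then rescan. If you edit dse.ldif offline instead, stop the instance first and keep the attribute inside the cn=encryption,cn=config entry with no blank line before it, because a blank line ends the entry; the str2entry_dupcheck "entry has no dn" errors quoted further down are what that mistake looks like.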

-----Original Message-----
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ludwig Krispenz
Sent: Wednesday, October 08, 2014 11:49 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports

Hi,

I did a test with 1.2.11.15-33

first test:
nsSSL3Ciphers: +all
running nmap gave:
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA - strong
|       SSL_RSA_FIPS_WITH_DES_CBC_SHA - weak
|       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA - weak
|       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA - weak
|       TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 - weak
|       TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_DES_CBC_SHA - weak
|       TLS_RSA_WITH_NULL_SHA - broken <<<<<<<<<<<<<<
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|_  least strength: broken

next test:
nsSSL3Ciphers: +all,-rsa_null_sha

nmap result:
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA - strong
|       SSL_RSA_FIPS_WITH_DES_CBC_SHA - weak
|       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA - weak
|       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA - weak
|       TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 - weak
|       TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_DES_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|_  least strength: weak

Maybe you can try adding "-rsa_null_sha" to your nsSSL3Ciphers config.

On 10/08/2014 09:10 AM, Murty, Ajeet (US - Arlington) wrote:
> Understood. Thank you for clarifying all that.
> I believe my best options at this point are to rebuild my environment on 
> CentOS 7, enable COPR repo, and get the latest version of FreeIPA 4.x.
> I will hold out for a few more weeks to see if someone at RedHat can provide 
> a fix/patch for the older version. Fingers crossed.
>
>
> -----Original Message-----
> From: Alexander Bokovoy [mailto:aboko...@redhat.com]
> Sent: Wednesday, October 08, 2014 2:01 AM
> To: Murty, Ajeet (US - Arlington)
> Cc: Rob Crittenden; Rich Megginson; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
>
> On Wed, 08 Oct 2014, Murty, Ajeet (US - Arlington) wrote:
>> Any ideas on what else I can try here?
>> Also, can we expect the new IPA and DS to be available in the CentOS/YUM 
>> repository in the next few weeks/months?
> In general, the FreeIPA team doesn't do backports to older versions due to
> tight cooperation with other components when introducing new features.
> We depend a lot on changes in 389-ds, Dogtag, MIT Kerberos, and SSSD at
> least, but also in Samba and other components, including the Linux kernel.
>
> Backporting all the changes to older releases of certain distributions
> is left to distribution maintainers. For Fedora we do have some freedom
> on what can be done and try to maintain availability of FreeIPA releases
> on two current versions, but sometimes it is impossible due to update
> policies -- Fedora 20 got the 4.0.x upgrade via a COPR repository while we are
> cleaning up Fedora 21 for 4.1 support.
>
> In the case of Red Hat Enterprise Linux releases, Red Hat itself (I cannot
> speak for the company) makes decisions about what to support, and these
> decisions are also based on certain stability promises for the ABI, see
> https://access.redhat.com/solutions/5154 for details. Some of the components
> FreeIPA depends on change their ABI and therefore the changes can only
> be introduced in newer major releases. When these changes occurred, we
> coordinated with Red Hat engineering teams to make sure the most important
> changes were folded into the RHEL 7.0 release to provide a base for FreeIPA
> integration.
>
> For CentOS, as it tracks the corresponding Red Hat Enterprise Linux
> releases, the situation is similar. For packages that are not in RHEL/CentOS
> releases there are means to provide them through side channels, like
> EPEL, but EPEL's policy prevents packaging something that is
> available through the main channels for the release.
>
> We use COPR repositories to make it possible to install newer FreeIPA
> versions on RHEL 7/CentOS 7/Fedora 20. However, these packages have no
> official support from Red Hat or the CentOS project. They are a FreeIPA
> upstream effort to make our releases more easily testable. For any issues
> found through COPR repositories you are welcome to file tickets in the
> FreeIPA issue tracker at https://fedorahosted.org/freeipa/.
>
>
>> Thanks again for all your help.
>>
>>
>> -----Original Message-----
>> From: freeipa-users-boun...@redhat.com 
>> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Murty, Ajeet (US - 
>> Arlington)
>> Sent: Tuesday, October 07, 2014 1:21 PM
>> To: Alexander Bokovoy
>> Cc: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
>>
>> I removed the newlines; it looks like this now -
>>
>> modifyTimestamp: 20140915221826Z
>> nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
>> numSubordinates: 1
>>
>> I am still seeing the null ciphers in my scan results.
>>
>>
>>
>> -----Original Message-----
>> From: Alexander Bokovoy [mailto:aboko...@redhat.com]
>> Sent: Tuesday, October 07, 2014 1:08 PM
>> To: Murty, Ajeet (US - Arlington)
>> Cc: Rob Crittenden; Rich Megginson; freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
>>
>> On Tue, 07 Oct 2014, Murty, Ajeet (US - Arlington) wrote:
>>> I shutdown IPA and modified both dse ldif files to look like this -
>>>
>>>         nsSSL3Ciphers: 
>>> -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
>>>          
>>> +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
>>>          
>>> rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
>>>          a_export1024_with_des_cbc_sha
>>>
>>>
>>> Then, when I try to start up IPA, I get this error message -
>>>
>>>         [root]# /etc/init.d/ipa start
>>>         Starting Directory Service
>>>         Starting dirsrv:
>>>                 EXAMPLE-COM...[07/Oct/2014:12:49:59 -0400] - 
>>> str2entry_dupcheck: entry has no dn
>>>         [07/Oct/2014:12:49:59 -0400] - The entry [nsSSL3Ciphers] in the 
>>> configfile /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif was empty or could not be 
>>> parsed
>>>         [07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
>> The lines above suggest that you actually separated the nsSSL3Ciphers line
>> from the entry itself. At least in my case it looks like this:
>> dn: cn=encryption,cn=config
>> objectClass: top
>> objectClass: nsEncryptionConfig
>> cn: encryption
>> nsSSLSessionTimeout: 0
>> nsSSLClientAuth: allowed
>> nsSSL2: off
>> nsSSL3: off
>> creatorsName: cn=server,cn=plugins,cn=config
>> modifiersName: cn=directory manager
>> createTimestamp: 20141001151245Z
>> modifyTimestamp: 20141001151430Z
>> nsSSL3Ciphers: +all
>> allowWeakCipher: off
>> numSubordinates: 1
>>
>> note that it is part of cn=encryption,cn=config entry. You cannot
>> separate attributes within the entry with empty lines because empty line
>> finishes current entry and starts another one.
>>
>>>         [07/Oct/2014:12:49:59 -0400] - The entry [numSubordinates] in the 
>>> configfile /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif was empty or could not be 
>>> parsed
>>>         [07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
>>>         [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry 
>>> (lineno: 116) in file /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif failed.
>>>         [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section 
>>> [nsSSL3Ciphers: 
>>> -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
>>>          
>>> +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
>>>          
>>> rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
>>>          a_export1024_with ...]
>>>         [07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
>>>         [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry 
>>> (lineno: 121) in file /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif failed.
>>>         [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section 
>>> [numSubordinates: 1]
>>>         [07/Oct/2014:12:49:59 -0400] dse - Could not load config file 
>>> [dse.ldif]
>>>         [07/Oct/2014:12:49:59 -0400] dse - Please edit the file to correct 
>>> the reported problems and then restart the server.
>>>                                                                             
>>>                                                [FAILED]
>>>                 PKI-IPA...[07/Oct/2014:12:49:59 -0400] - 
>>> str2entry_dupcheck: entry has no dn
>>>         [07/Oct/2014:12:49:59 -0400] - The entry [nsSSL3Ciphers] in the 
>>> configfile /etc/dirsrv/slapd-PKI-IPA/dse.ldif was empty or could not be 
>>> parsed
>>>         [07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
>>>         [07/Oct/2014:12:49:59 -0400] - The entry [numSubordinates] in the 
>>> configfile /etc/dirsrv/slapd-PKI-IPA/dse.ldif was empty or could not be 
>>> parsed
>>>         [07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
>>>         [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry 
>>> (lineno: 110) in file /etc/dirsrv/slapd-PKI-IPA/dse.ldif failed.
>>>         [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section 
>>> [nsSSL3Ciphers: 
>>> -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
>>>          
>>> +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
>>>          
>>> rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
>>>          a_export1024_with ...]
>>>         [07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
>>>         [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry 
>>> (lineno: 115) in file /etc/dirsrv/slapd-PKI-IPA/dse.ldif failed.
>>>         [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section 
>>> [numSubordinates: 1]
>>>         [07/Oct/2014:12:49:59 -0400] dse - Could not load config file 
>>> [dse.ldif]
>>>         [07/Oct/2014:12:49:59 -0400] dse - Please edit the file to correct 
>>> the reported problems and then restart the server.
>>>                                                                             
>>>                                                [FAILED]
>>>
>>> -----Original Message-----
>>> From: Alexander Bokovoy [mailto:aboko...@redhat.com]
>>> Sent: Tuesday, October 07, 2014 12:43 PM
>>> To: Murty, Ajeet (US - Arlington)
>>> Cc: Rob Crittenden; Rich Megginson; freeipa-users@redhat.com
>>> Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
>>>
>>> On Tue, 07 Oct 2014, Murty, Ajeet (US - Arlington) wrote:
>>>> I was shutting down IPA before making any changes -
>>>>
>>>> 1. Shutdown IPA -
>>>>
>>>> [root]# /etc/init.d/ipa stop
>>>> Stopping CA Service
>>>> Stopping pki-ca:                                           [  OK  ]
>>>> Stopping HTTP Service
>>>> Stopping httpd:                                            [  OK  ]
>>>> Stopping MEMCACHE Service
>>>> Stopping ipa_memcached:                                    [  OK  ]
>>>> Stopping KPASSWD Service
>>>> Stopping Kerberos 5 Admin Server:                          [  OK  ]
>>>> Stopping KDC Service
>>>> Stopping Kerberos 5 KDC:                                   [  OK  ]
>>>> Stopping Directory Service
>>>> Shutting down dirsrv:
>>>>     EXAMPLE-COM...                                         [  OK  ]
>>>>     PKI-IPA...                                             [  OK  ]
>>>>
>>>> 2. Edit 'dse.ldif' files to remove null ciphers -
>>>>
>>>> nsSSL3Ciphers: 
>>>> +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+
>>>> rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128
>>>> _sha,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
>>>> numSubordinates: 1
>>> I think Ludwig gave a good suggestion -- instead of removing them from
>>> the list, prefix the *_null ciphers with -, i.e. -rsa_null_md5, 
>>> -fortezza_null.
>>> The way the nsSSL3Ciphers attribute works is by modifying the default NSS
>>> cipher list, with + and - to add and remove ciphers accordingly.
>>>
>>> --
>>> / Alexander Bokovoy
>> -- 
>> / Alexander Bokovoy
>>
>> -- 
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go To http://freeipa.org for more info on the project
