Hi Alex, Just wanted to make sure.. needed to know if I had to upgrade or spend more time trial and erroring this out.
So since my nmap is showing this:

[bob@server slapd-PKI-IPA]# nmap --script ssl-enum-ciphers -p 636 `hostname`

Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 13:42 EDT
Nmap scan report for
Host is up (0.000090s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
|     Ciphers (13)
|       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|       SSL_RSA_FIPS_WITH_DES_CBC_SHA
|       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
|       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA256
|       TLS_RSA_WITH_AES_128_GCM_SHA256
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA256
|       TLS_RSA_WITH_DES_CBC_SHA
|       TLS_RSA_WITH_RC4_128_MD5
|       TLS_RSA_WITH_RC4_128_SHA
|     Compressors (1)
|_      uncompressed

Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds

I decided to remove TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, so I looked up what DS actually names this to be, and it looks like these have to be removed:

TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
  rsa_rc4_56_sha
  tls_dhe_dss_1024_rc4_sha
  tls_rsa_export1024_with_rc4_56_sh

I stopped IPA with ipactl stop and modified dse.ldif with this:

nsSSL3Ciphers: +all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4 _56_sha,-tls_dhe_dss_1024_rc4_sha
allowweakcipher: off
numSubordinates: 1

Reran nmap and it still shows TLS_RSA_EXPORT1024_WITH_RC4_56_SHA:

[bob@server slapd-PKI-IPA]# nmap --script ssl-enum-ciphers -p 636 `hostname`

Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 13:48 EDT
Nmap scan report for
Host is up (0.000078s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
|     Ciphers (13)
|       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|       SSL_RSA_FIPS_WITH_DES_CBC_SHA
|       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
|       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA256
|       TLS_RSA_WITH_AES_128_GCM_SHA256
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA256
|       TLS_RSA_WITH_DES_CBC_SHA
|       TLS_RSA_WITH_RC4_128_MD5
|       TLS_RSA_WITH_RC4_128_SHA
|     Compressors (1)
|_      uncompressed

Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

Am I doing something wrong here?

Sean Hogan

From: Alexander Bokovoy <aboko...@redhat.com>
To: Sean Hogan/Durham/IBM@IBMUS
Cc: freeipa-users <freeipa-users@redhat.com>
Date: 04/27/2016 10:35 AM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL

On Wed, 27 Apr 2016, Sean Hogan wrote:
>
> Hello Alexander
>
> I knew the below, which is why I added my DS rpm version in the orig email,
> which made sense to me, but per 389 DS docs allowweakcipher starts in
> 1.3.3.2, in case anyone else reads this. At least that's what the docs say,
> but you may know something where it actually does not work til 1.3.4.0. I
> dunno
> http://directory.fedoraproject.org/docs/389ds/design/nss-cipher-design.html
>
> Additionally I want to clarify the comment that 4.3.1 has this as default setup.
> Are you suggesting that IPA 3.0.47 for rhel6 is incapable of getting a
> stronger ssl config and that anyone who needs tighter cipher control needs
> to upgrade to IPA 4.3.1 and their OS to RHEL (centos, scientific) 7?

All I said is that we fixed this particular issue to make sure defaults in
4.3.1 reflect current status quo on SSL ciphers. If you want to have a
similar setup with 3.0.47, you are welcome to improve the configuration
based on the effort we did for 4.3.1.

Notice that I said nothing about incapability of either deployment to
handle this, not sure where you were able to read that from.
-- / Alexander Bokovoy
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project