[Freeipa-devel] FreeIPA and modern requirements on certificates

Christian Heimes cheimes at redhat.com
Fri Jan 8 13:24:26 UTC 2016


On 2016-01-08 13:26, Martin Kosek wrote:
> Hi Fraser and other X.509 SMEs,
> 
> I wanted to check with you on what we have or plan to have with respect to
> certificate/cipher strength in FreeIPA.
> 
> When I visit the FreeIPA public demo for example, I usually see following
> errors with recent browsers:
> 
> * Your connection to ipa.demo1.freeipa.org is encrypted using obsolete cipher
> suite.
>  - The connection uses TLS 1.2
>  - The connection is encrypted using AES_128_CBC, with HMAC-SHA1 for message
> authentication and RSA as the key exchange mechanism
> 
> I usually do not see the common
> * Certificate chain contains a certificate signed with SHA-1
> error, but I am not sure if we are covered for this one.
> 
> 
> When I tested the FreeIPA demo with
> https://www.ssllabs.com/ssltest/analyze.html?d=ipa.demo1.freeipa.org
> (and ignore the trust issues), we get the mark B with following warnings:
> 
> * This server accepts RC4 cipher, but only with older protocol versions. Grade
> capped to B.
> 
> * The server does not support Forward Secrecy with the reference browsers.
> 
> 
> What do we miss to turn out Grade A, which is obviously something expected from
> a security solution like FreeIPA? Is it just about ECC support
> (https://fedorahosted.org/freeipa/ticket/3951) or also maybe some change to our
> default certificate profiles?

The cert has another issue. It relies on Subject CN for host name
verification. This feature has been deprecated by RFC 2818 more than a
decade ago. Instead of Subject CN modern certs should use dNSName in
SubjectAltName x509v3 extension.

https://fedorahosted.org/pki/ticket/1464
https://github.com/shazow/urllib3/issues/497

Christian
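Added illustration of the Subject CN versus subjectAltName point above (this is not code from the thread, from FreeIPA or from Dogtag): a host name check that follows RFC 2818 / RFC 6125 the way current browsers do, i.e. it only accepts dNSName (or iPAddress) entries of the subjectAltName extension and reports, without honouring it, when a certificate offers nothing but a Subject CN. The certificate dicts are constructed samples in the shape Python's `ssl.SSLSocket.getpeercert()` returns, not real certificates, and the function names are assumptions of this example.

```python
"""Host name verification per RFC 2818 / RFC 6125: the name must appear as a
dNSName (or iPAddress) entry of subjectAltName; the Subject CN is never used.

The certificates below are constructed sample values in the dict shape that
ssl.SSLSocket.getpeercert() returns; they are not real certificates.
"""
import ipaddress
from typing import Optional, Tuple


def subject_cn(cert: dict) -> Optional[str]:
    """Return the Subject commonName; used here only for the diagnostic message."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 section 6.4.3 matching for one dNSName entry: compare
    case-insensitively, allow a wildcard only as the whole leftmost label,
    never let it span a dot, and never let it cover a bare public suffix."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # partial wildcards ("f*.example") and "*.org" are rejected
    if len(p_labels) != len(h_labels) or not h_labels[0]:
        return False  # "*.a.b" covers exactly one extra label, not zero or two
    return p_labels[1:] == h_labels[1:]


def verify_hostname(cert: dict, hostname: str) -> Tuple[bool, str]:
    """Decide whether `cert` is valid for `hostname`; return (ok, reason)."""
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]

    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        # An IP literal may only match an iPAddress entry, never a dNSName.
        for raw in ip_names:
            if ipaddress.ip_address(raw) == wanted_ip:
                return True, "matched iPAddress SAN %s" % raw
        return False, "no iPAddress SAN entry matches %s" % hostname

    if not dns_names:
        # This is the legacy case from the thread: CN only, no SAN extension.
        cn = subject_cn(cert)
        return False, "no dNSName SAN entries; Subject CN %r is not consulted" % cn
    for name in dns_names:
        if dns_name_matches(name, hostname):
            return True, "matched dNSName SAN %s" % name
    return False, "no dNSName SAN entry matches %s" % hostname


# Constructed sample certificates (getpeercert() dict form), not real ones.
CN_ONLY_CERT = {
    "subject": ((("organizationName", "EXAMPLE.TEST"),),
                (("commonName", "ipa.demo1.freeipa.org"),)),
}
SAN_CERT = {
    "subject": ((("commonName", "ipa.demo1.freeipa.org"),),),
    "subjectAltName": (("DNS", "ipa.demo1.freeipa.org"),
                       ("DNS", "ipa-ca.demo1.freeipa.org")),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.demo1.freeipa.org"),),),
    "subjectAltName": (("DNS", "*.demo1.freeipa.org"),),
}
IP_CERT = {
    "subject": ((("commonName", "192.0.2.10"),),),
    "subjectAltName": (("IP Address", "192.0.2.10"),),
}

if __name__ == "__main__":
    checks = [
        (CN_ONLY_CERT, "ipa.demo1.freeipa.org"),   # rejected: CN only
        (SAN_CERT, "IPA.DEMO1.FREEIPA.ORG"),       # accepted: case-insensitive
        (WILDCARD_CERT, "ipa.demo1.freeipa.org"),  # accepted: one label under *
        (WILDCARD_CERT, "demo1.freeipa.org"),      # rejected: wildcard != parent
        (IP_CERT, "192.0.2.10"),                   # accepted via iPAddress SAN
    ]
    for cert, host in checks:
        ok, why = verify_hostname(cert, host)
        print("%-4s %-24s %s" % ("OK" if ok else "FAIL", host, why))
```

A server certificate that passes only because of its CN would be reported as a failure by this check, which is the behaviour the browser warnings in the quoted message will converge on; the fix on the issuing side is a profile that always emits a dNSName SAN (the Dogtag ticket linked above).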
