[Freeipa-devel] FreeIPA and modern requirements on certificates
Martin Kosek
mkosek at redhat.com
Fri Jan 8 13:36:57 UTC 2016
On 01/08/2016 02:24 PM, Christian Heimes wrote:
> On 2016-01-08 13:26, Martin Kosek wrote:
>> Hi Fraser and other X.509 SMEs,
>>
>> I wanted to check with you on what we have or plan to have with respect to
>> certificate/cipher strength in FreeIPA.
>>
>> When I visit the FreeIPA public demo for example, I usually see the following
>> errors with recent browsers:
>>
>> * Your connection to ipa.demo1.freeipa.org is encrypted using obsolete cipher
>> suite.
>> - The connection uses TLS 1.2
>> - The connection is encrypted using AES_128_CBC, with HMAC-SHA1 for message
>> authentication and RSA as the key exchange mechanism
>>
>> I usually do not see the common
>> * Certificate chain contains a certificate signed with SHA-1
>> error, but I am not sure if we are covered for this one.
>>
>>
>> When I tested the FreeIPA demo with
>> https://www.ssllabs.com/ssltest/analyze.html?d=ipa.demo1.freeipa.org
>> (and ignore the trust issues), we get mark B with the following warnings:
>>
>> * This server accepts RC4 cipher, but only with older protocol versions. Grade
>> capped to B.
>>
>> * The server does not support Forward Secrecy with the reference browsers.
>>
>>
>> What are we missing to get Grade A, which is obviously something expected from
>> a security solution like FreeIPA? Is it just about ECC support
>> (https://fedorahosted.org/freeipa/ticket/3951) or also maybe some change to our
>> default certificate profiles?
>
> The cert has another issue. It relies on Subject CN for host name
> verification. This feature has been deprecated by RFC 2818 more than a
> decade ago. Instead of Subject CN modern certs should use dNSName in
> SubjectAltName x509v3 extension.
>
> https://fedorahosted.org/pki/ticket/1464
> https://github.com/shazow/urllib3/issues/497
Right. Fraser should have it in his queue already:
https://fedorahosted.org/freeipa/ticket/4970
Martin
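The two problems raised in this thread, a certificate that relies on the Subject CN instead of a subjectAltName dNSName, and a TLS stack that offers RSA key exchange (no forward secrecy) and RC4, are both things that can be checked mechanically. The following is an added example, written for this archive page and not code from FreeIPA, Dogtag or any of the thread's authors. It generates a throwaway self-signed certificate in each shape, runs the checks a modern client applies (SAN presence, hostname verification, weak signature hash), classifies cipher suites by whether they use an ephemeral key exchange, and shows a server configuration that cannot trigger the SSL Labs warnings. The host name `ipa.example.test` and all key material are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// makeCert builds a self-signed test certificate for cn. When sans is empty the
// certificate carries only a Subject CN, which is the shape the thread complains
// about; otherwise the names go into the subjectAltName dNSName list.
// Key material is generated on the fly and is for illustration only.
func makeCert(cn string, sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CertFindings returns the problems a modern client would raise against cert
// when connecting to host: missing SAN (CN-only), hostname mismatch, and an
// MD2/MD5/SHA-1 signature on the certificate itself.
func CertFindings(cert *x509.Certificate, host string) []string {
	var findings []string
	if len(cert.DNSNames) == 0 && len(cert.IPAddresses) == 0 {
		findings = append(findings, "no subjectAltName: host name would rely on Subject CN (deprecated by RFC 2818)")
	}
	if err := cert.VerifyHostname(host); err != nil {
		findings = append(findings, "hostname verification failed: "+err.Error())
	}
	switch cert.SignatureAlgorithm {
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		findings = append(findings, "weak signature algorithm: "+cert.SignatureAlgorithm.String())
	}
	return findings
}

// SuiteHasForwardSecrecy reports whether a TLS 1.2 cipher suite uses an
// ephemeral (EC)DHE key exchange. The RSA key-exchange suite the browser
// reported for the demo (AES_128_CBC with HMAC-SHA1) does not.
func SuiteHasForwardSecrecy(id uint16) bool {
	name := tls.CipherSuiteName(id)
	return strings.HasPrefix(name, "TLS_ECDHE_") || strings.HasPrefix(name, "TLS_DHE_")
}

// HardenedTLSConfig is a server-side configuration that only offers TLS 1.2+
// and ECDHE suites, so neither the RC4 nor the forward-secrecy warning can occur.
func HardenedTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		},
	}
}

func main() {
	host := "ipa.example.test" // constructed placeholder host name
	for _, sans := range [][]string{nil, {host}} {
		cert, err := makeCert(host, sans)
		if err != nil {
			panic(err)
		}
		fmt.Printf("SAN=%v findings=%q\n", sans, CertFindings(cert, host))
	}
	fmt.Println("RSA kx suite has FS:", SuiteHasForwardSecrecy(tls.TLS_RSA_WITH_AES_128_CBC_SHA))
	fmt.Println("ECDHE suite has FS:", SuiteHasForwardSecrecy(tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256))
}
```

Note that recent Go releases ignore the Subject CN entirely during hostname verification, so the CN-only certificate produces two findings there, whereas an older verifier with CN fallback produces only the SAN finding; either way the fix is the same one tracked in the tickets above: issue certificates with a dNSName SAN.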