[Freeipa-devel] FreeIPA and modern requirements on certificates

Martin Kosek mkosek at redhat.com
Fri Jan 8 15:27:45 UTC 2016 

On 01/08/2016 03:02 PM, Rob Crittenden wrote:
> Alexander Bokovoy wrote:
>> On Fri, 08 Jan 2016, Martin Kosek wrote:
>>> On 01/08/2016 02:17 PM, Fraser Tweedale wrote:
>>>> On Fri, Jan 08, 2016 at 02:02:07PM +0100, Martin Kosek wrote:
>>>>> On 01/08/2016 01:56 PM, Fraser Tweedale wrote:
>>>>>> On Fri, Jan 08, 2016 at 01:26:57PM +0100, Martin Kosek wrote:
>>>>>>> Hi Fraser and other X.509 SMEs,
>>>>>>>
>>>>>>> I wanted to check with you on what we have or plan to have with
>>>>>>> respect to
>>>>>>> certificate/cipher strength in FreeIPA.
>>>>>>>
>>>>>>> When I visit the FreeIPA public demo for example, I usually see
>>>>>>> following
>>>>>>> errors with recent browsers:
>>>>>>>
>>>>>>> * Your connection to ipa.demo1.freeipa.org is encrypted using
>>>>>>> obsolete cypher
>>>>>>> suite.
>>>>>>>  - The connection uses TLS 1.2
>>>>>>>  - The connection is encrypted ising AES_128_CBC, with HMAC-SHA1
>>>>>>> for message
>>>>>>> authentication and RSA as the key exchange mechanism
>>>>>>>
>>>>>> This is a cipher suite / ordering issue, not related to certificate.
>>>>>>
>>>>>>> I usually do not see the common
>>>>>>> * Certificate chain contains a certificate signed with SHA-1
>>>>>>> error, but I am not sure if we are covered for this one.
>>>>>>>
>>>>>> We are using sha256 for IPA CA and default profiles.  Customers
>>>>>> could still modify the profile or add profiles to sign using an
>>>>>> obsolete hash, if they wanted to, but our default is good.
>>>>>>
>>>>>>>
>>>>>>> When I tested the FreeIPA demo with
>>>>>>> https://www.ssllabs.com/ssltest/analyze.html?d=ipa.demo1.freeipa.org
>>>>>>> (and ignore the trust issues), we get the mark B with following
>>>>>>> warnings:
>>>>>>>
>>>>>>> * This server accepts RC4 cipher, but only with older protocol
>>>>>>> versions. Grade
>>>>>>> capped to B.
>>>>>>>
>>>>>>> * The server does not support Forward Secrecy with the reference
>>>>>>> browsers.
>>>>>>>
>>>>>> Again a cipher suite tweak will address this.
>>>>>>
>>>>>>>
>>>>>>> What do we miss to turn out Grade A, which is obviously something
>>>>>>> expected from
>>>>>>> security solution like FreeIPA? Is it just about ECC support
>>>>>>> (https://fedorahosted.org/freeipa/ticket/3951) or also maybe some
>>>>>>> change to our
>>>>>>> default certificate profiles?
>>>>>>>
>>>>>> Based on what you've written, it is just the cipher suite that needs
>>>>>> changing, and maybe a setting about favouring server cipher order
>>>>>> over client order.  ECC certificate support is not needed (yet) and
>>>>>> the default profile is fine, w.r.t. hash used for signing.
>>>>>>
>>>>>> One important modern certificate requirement is to always include a
>>>>>> SAN dnsName for the subject, as required by RFC 2818; this is ticket
>>>>>> #4970 and it is on my radar.
>>>>>>
>>>>>> Cheers,
>>>>>> Fraser
>>>>>
>>>>> Should I then file a ticket to fix the cipher suite? (I did not fully
>>>>> understand the specifics though).
>>>>>
>>>> Yes.  I have not checked yet, but we are possibly using
>>>> stock-standard mod_nss configuration (as shipped by the RPM).  If
>>>> so, we should file a ticket against mod_nss to improve their
>>>> defaults.
>>>
>>> Right. In nss.conf, I see this default cipher suite:
>>>
>>> NSSCipherSuite
>>> +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-
>>>
>>>
>>> rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
>>>
>>>
>>> It certainly makes me little nervous. In 389-ds-base case, we had a
>>> similar
>>> list and solved it my using the list directly from NSS:
>>>
>>> https://fedorahosted.org/389/ticket/47838
>>> https://fedorahosted.org/freeipa/ticket/4395
>>>
>>> CCing Rob here.
>> Here is what I have in my setup that goes to A- according to ssllabs:
>> NSSCipherSuite
>> -rsa_rc4_128_md5,-rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
>>
>>
>> NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
>>
>> This gets A- due to lack of forward secrecy support.
>>
> 
> An IPA ticket for this exists, https://fedorahosted.org/freeipa/ticket/4431

This is a refactoring type of a ticket, it may not be done fast enough. I
created a smaller task in new ticket:

https://fedorahosted.org/freeipa/ticket/5589

> For mod_nss I was going to do this as part of
> https://fedorahosted.org/mod_nss/ticket/5
> 
> If you add in some EC ciphers you'd probably get PFS too. DH ciphers
> aren't supported yet.
> 
> rob
>

More information about the Freeipa-devel mailing list