<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <br>
    <div class="moz-cite-prefix">On 09/23/2015 05:05 PM, Michael
      Lasevich wrote:<br>
    </div>
    <blockquote
cite="mid:CAAFs98UDOEf-x5Ru-srfcn0RW6_7M9t3SaOqVZQE3+KtTz7KsA@mail.gmail.com"
      type="cite">
      <div dir="ltr">Yes, I am talking about 389ds as is integrated in
        FreeIPA (would be silly to post completely non-IPA questions to
        this list...).
        <div>I am running FreeIPA 4.1.4 on CentOS 7.1 and RC4 is enabled
          on port 636 no matter what I do.
          <div><br>
          </div>
          <div>I am running "CentOS Linux release 7.1.1503 (Core)" </div>
          <div><br>
          </div>
          <div>Relevant Packages:</div>
          <div>
            <div><br>
            </div>
            <div>freeipa-server-4.1.4-1.el7.centos.x86_64</div>
            <div>389-ds-base-1.3.3.8-1.el7.centos.x86_64</div>
            <div>nss-3.19.1-5.el7_1.x86_64</div>
            <div>openssl-1.0.1e-42.el7.9.x86_64</div>
            <div><br>
            </div>
          </div>
          <div>LDAP setting (confirmed that in error.log there is no
            mention of RC4 in the list of ciphers):</div>
          <div>
            <p class="">nsSSL3Ciphers:
-rc4,-rc4export,-rc2,-rc2export,-des,-desede3,-rsa_rc4_128_md5,-rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,+rsa_fips_3des_sha,+fips_3des_sha,-rsa_fips_des_sha,-fips_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,-tls_rsa_export1024_with_rc4_56_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha,-rsa_des_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-dhe_dss_des_sha,+dhe_dss_3des_sha,-dhe_rsa_des_sha,+dhe_rsa_3des_sha,+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,+tls_dhe_dss_aes_256_sha,+tls_dhe_rsa_aes_256_sha,-tls_dhe_dss_1024_rc4_sha,-tls_dhe_dss_rc4_128_sha<br>
            </p>
          </div>
        </div>
      </div>
    </blockquote>
    With IPA the config entry should contain:<br>
    <br>
    dn: cn=encryption,cn=config<br>
    allowWeakCipher: off<br>
    nsSSL3Ciphers: +all<br>
    <br>
    Could you try this setting?<br>
    <blockquote
cite="mid:CAAFs98UDOEf-x5Ru-srfcn0RW6_7M9t3SaOqVZQE3+KtTz7KsA@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>
          <div>
            <p class=""><span class="">Slapd "error" log showing no
                ciphersuites supporting RC4:</span></p>
            <p class="">[23/Sep/2015:08:51:04 -0600] SSL Initialization
              - Configured SSL version range: min: TLS1.0, max: TLS1.2<br>
              [23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite
              fortezza is not available in NSS 3.16.  Ignoring fortezza<br>
              [23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite
              fortezza_rc4_128_sha is not available in NSS 3.16. 
              Ignoring fortezza_rc4_128_sha<br>
              [23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite
              fortezza_null is not available in NSS 3.16.  Ignoring
              fortezza_null<br>
              [23/Sep/2015:08:51:04 -0600] - SSL alert: Configured NSS
              Ciphers<br>
              [23/Sep/2015:08:51:04 -0600] - SSL alert:      
              TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled<br>
              [23/Sep/2015:08:51:04 -0600] - SSL alert:      
              TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled<br>
              [23/Sep/2015:08:51:04 -0600] - SSL alert:      
              TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled<br>
              [23/Sep/2015:08:51:04 -0600] - SSL alert:      
              TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled<br>
              [23/Sep/2015:08:51:04 -0600] - SSL alert:      
              TLS_RSA_WITH_AES_128_CBC_SHA: enabled<br>
              [23/Sep/2015:08:51:04 -0600] - SSL alert:      
              TLS_RSA_WITH_AES_256_CBC_SHA: enabled<br>
              [23/Sep/2015:08:51:04 -0600] - 389-Directory/1.3.3.8
              B2015.040.128 starting up</p>
            <div><br>
            </div>
            <p class=""><span class="">But sslscan returns:</span></p>
            <p class=""><span class="">$ </span>sslscan --no-failed
              localhost:636<br>
              ...</p>
            <p class=""><span class="">Supported Server Cipher(s):</span></p>
            <p class=""><span class="">    Accepted  TLSv1  256 bits 
                AES256-SHA<br>
              </span>    Accepted  TLSv1  128 bits  AES128-SHA<br>
                  Accepted  TLSv1  128 bits  DES-CBC3-SHA<br>
                  Accepted  TLSv1  128 bits  RC4-SHA<br>
                  Accepted  TLSv1  128 bits  RC4-MD5<br>
                  Accepted  TLS11  256 bits  AES256-SHA<br>
                  Accepted  TLS11  128 bits  AES128-SHA<br>
                  Accepted  TLS11  128 bits  DES-CBC3-SHA<br>
                  Accepted  TLS11  128 bits  RC4-SHA<br>
                  Accepted  TLS11  128 bits  RC4-MD5<br>
                  Accepted  TLS12  256 bits  AES256-SHA256<br>
                  Accepted  TLS12  256 bits  AES256-SHA<br>
                  Accepted  TLS12  128 bits  AES128-GCM-SHA256<br>
                  Accepted  TLS12  128 bits  AES128-SHA256<br>
                  Accepted  TLS12  128 bits  AES128-SHA<br>
                  Accepted  TLS12  128 bits  DES-CBC3-SHA<br>
                  Accepted  TLS12  128 bits  RC4-SHA<br>
                  Accepted  TLS12  128 bits  RC4-MD5</p>
            <p class="">...</p>
            <p class=""><br>
            </p>
            <p class="">I would assume the sslscan is broken, but nmap
              and other scanners all confirm that RC4 is still on.</p>
            <p class="">-M</p>
          </div>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Wed, Sep 23, 2015 at 3:35 AM, Martin
          Kosek <span dir="ltr"><<a moz-do-not-send="true"
              href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div class="HOEnZb">
              <div class="h5">On 09/23/2015 11:00 AM, Michael Lasevich
                wrote:<br>
                > OK, this is most bizarre issue,<br>
                ><br>
                > I am trying to disable RC4 based TLS Cipher Suites
                in LDAPs(port 636) and<br>
                > for the life of me cannot get it to work<br>
                ><br>
                > I have followed many nearly identical instructions
                to create ldif file and<br>
                > change "nsSSL3Ciphers" in
                "cn=encryption,cn=config". Seems simple enough -<br>
                > and I get it to take, and during the startup I can
                see the right SSL Cipher<br>
                > Suites listed in errors.log - but when it starts
                and I probe it, RC4<br>
                > ciphers are still there. I am completely confused.<br>
                ><br>
                > I tried setting "nsSSL3Ciphers" to "default" (which
                does not have "RC4")<br>
                > and to old-style cipher lists (lowercase), and new-style
                cipher<br>
                > lists (uppercase), and nothing seems to make any
                difference.<br>
                ><br>
                > Any ideas?<br>
                ><br>
                > -M<br>
                <br>
              </div>
            </div>
            Are you asking about standalone 389-DS or the one integrated
            in FreeIPA? As<br>
            with currently supported versions of FreeIPA, RC4 ciphers
            should be already<br>
            gone, AFAIK.<br>
            <br>
            In RHEL/CentOS world, it should be fixed in 6.7/7.1 or
            later:<br>
            <br>
            <a moz-do-not-send="true"
              href="https://bugzilla.redhat.com/show_bug.cgi?id=1154687"
              rel="noreferrer" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=1154687</a><br>
            <a moz-do-not-send="true"
              href="https://fedorahosted.org/freeipa/ticket/4653"
              rel="noreferrer" target="_blank">https://fedorahosted.org/freeipa/ticket/4653</a><br>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
      <br>
    </blockquote>
    <br>
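    As an added example, not code from this thread, from FreeIPA or from 389-ds: a POSIX shell helper that emits the modify LDIF for the setting suggested in the reply (allowWeakCipher: off, nsSSL3Ciphers: +all), applies it with ldapmodify, probes individual OpenSSL cipher names against port 636 with openssl s_client so that RC4 can be confirmed refused rather than trusted from the errors log, and filters sslscan-style output down to the weak suites a server still accepts. The host name, the Directory Manager bind, the ipactl restart and the sample scanner output are assumptions constructed for illustration; the probe also depends on the local openssl still knowing the cipher it offers (RC4 is absent from many newer builds).<br>

```shell
#!/bin/sh
# Added example, not code from the thread or from the FreeIPA/389-ds projects.
# Assumptions (not in the thread): OpenLDAP client tools and openssl are
# installed, the server is reachable as $1, and you bind as Directory Manager.

# Emit the modify LDIF for the settings suggested in the reply
# (allowWeakCipher off, nsSSL3Ciphers +all). Print it first so it can be
# reviewed, then pipe it into ldapmodify.
encryption_ldif() {
    cat <<'EOF'
dn: cn=encryption,cn=config
changetype: modify
replace: allowWeakCipher
allowWeakCipher: off
-
replace: nsSSL3Ciphers
nsSSL3Ciphers: +all
EOF
}

# Apply the LDIF over the plain LDAP port (Directory Manager bind is an
# assumption) and restart so slapd re-reads cn=encryption,cn=config.
apply_ciphers() {
    host="$1"
    encryption_ldif | ldapmodify -x -H "ldap://$host" -D "cn=Directory Manager" -W
    ipactl restart
}

# Probe one OpenSSL cipher name against LDAPS. Returns 0 if the server
# completed a handshake with that cipher, 1 if it refused. openssl prints a
# "Cipher    : NAME" line on success and "Cipher    : 0000" on failure.
# If the local openssl does not support the cipher at all, this reports
# "refused" for the wrong reason, so check the client build first.
probe_cipher() {
    host="$1"; cipher="$2"
    out=$(printf '' | openssl s_client -connect "$host:636" -cipher "$cipher" 2>&1)
    printf '%s\n' "$out" | grep -q "Cipher *: $cipher\$"
}

# Filter sslscan-style output ("Accepted  TLSv1  128 bits  RC4-SHA") down to
# the weak suites that were accepted: RC4, single DES, export and NULL.
# 3DES (DES-CBC3-SHA) is deliberately not matched; it is not what the
# thread is about. Reads scanner output on stdin.
weak_accepted() {
    awk '$1 == "Accepted" && $NF ~ /RC4|^DES-CBC-|EXP|NULL/ { print $NF }' | sort -u
}

# Walk the suites a scanner would try and report which ones the server still
# takes. Usage: scan_host ipa.example.test
scan_host() {
    host="$1"
    for c in RC4-MD5 RC4-SHA DES-CBC-SHA DES-CBC3-SHA AES128-SHA AES256-SHA; do
        if probe_cipher "$host" "$c"; then
            echo "Accepted  $c"
        else
            echo "Rejected  $c"
        fi
    done
}

# Constructed sample in the shape of the sslscan output quoted in the thread,
# used for an offline self-check of weak_accepted.
SAMPLE_SCAN='    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  128 bits  DES-CBC3-SHA
    Accepted  TLSv1  128 bits  RC4-SHA
    Accepted  TLS12  128 bits  AES128-GCM-SHA256
    Accepted  TLS12  128 bits  RC4-MD5
    Rejected  TLS12  128 bits  NULL-SHA'

# Only probe a live server when a host is given on the command line.
if [ "$#" -ge 1 ]; then
    scan_host "$1"
fi
```

    The instance has to be restarted after the ldapmodify before the new cipher set is in effect, and the direct probe is the check that matters here: the errors log only reports what slapd configured, while the s_client handshake shows what the listener actually negotiates.<br>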
  </body>
</html>