<div dir="ltr">Thanks. After the changes, most things seem to be in order. I see two orange flags though:<div><br><div><table class="" style="border-collapse:collapse;width:670px;margin:0px 10px 0px 0px;padding:0px;font-size:12px;line-height:20px;font-family:Arial,Helvetica,sans-serif;background-color:rgb(253,253,253)"><tbody><tr class=""><td class="" style="padding:3px 10px 3px 0px;color:rgb(68,68,68);border-bottom-width:1px;border-bottom-style:solid;border-bottom-color:rgb(240,240,240);vertical-align:middle;font-weight:bold;width:230px"><font color="#F88017">Secure Client-Initiated Renegotiation</font></td><td class="" style="padding:3px 0px;border-bottom-width:1px;border-bottom-style:solid;border-bottom-color:rgb(240,240,240);vertical-align:middle;word-wrap:break-word"><font color="#F88017"><b>Supported</b> <b>DoS DANGER</b> (<a href="https://community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks" style="color:rgb(248,128,23)">more info</a>)</font></td></tr></tbody></table><table class="" style="border-collapse:collapse;width:670px;margin:0px 10px 0px 0px;padding:0px;font-size:12px;line-height:20px;font-family:Arial,Helvetica,sans-serif;background-color:rgb(253,253,253)"><tbody><tr class=""><td class="" style="padding:3px 10px 3px 0px;color:rgb(68,68,68);border-bottom-width:1px;border-bottom-style:solid;border-bottom-color:rgb(240,240,240);vertical-align:middle;font-weight:bold;width:230px"><font color="#F88017">Session resumption (caching)</font></td><td class="" style="padding:3px 0px;border-bottom-width:1px;border-bottom-style:solid;border-bottom-color:rgb(240,240,240);vertical-align:middle;word-wrap:break-word"><font color="#F88017"><b>No (IDs assigned but not accepted)</b></font></td></tr></tbody></table><br></div><div>Are these relevant/serious ? Can they be mitigated ?</div></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Nov 5, 2015 at 6:51 AM, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">Prasun Gera wrote:<br>
> Yes, that's what I was planning to do. i.e. Convert cipher names from<br>
> SSL to NSS. I wasn't sure about the other settings though. Is there an<br>
> equivalent NSSHonorCipherOrder ? Is that implicit ? Similarly, are there<br>
> equivalent configs for HSTS on the mozilla page? Does NSS allow using<br>
> generated DH parameters instead of standard ones ? For SSL, the<br>
> suggested modification to the config is 'SSLOpenSSLConfCmd DHParameters<br>
> "{path to dhparams.pem}"' after generating the params.<br>
<br>
</span>NSS does not let the user specify cipher order. It uses its own internal<br>
sorting from strongest to weakest.<br>
<br>
HSTS is a header and not dependent upon SSL provider.<br>
<br>
mod_nss doesn't support DH ciphers.<br>
<span class="HOEnZb"><font color="#888888"><br>
rob<br>
</font></span><span class="im HOEnZb"><br>
><br>
> On Wed, Nov 4, 2015 at 8:21 PM, Fraser Tweedale <<a href="mailto:ftweedal@redhat.com">ftweedal@redhat.com</a><br>
</span><span class="im HOEnZb">> <mailto:<a href="mailto:ftweedal@redhat.com">ftweedal@redhat.com</a>>> wrote:<br>
><br>
> On Wed, Nov 04, 2015 at 05:03:29PM -0800, Prasun Gera wrote:<br>
> > Thanks for the ticket information. I would still be interested in<br>
> > configuring mod_nss properly (irrespective of whether the certs are ipa<br>
> > generated or 3rd party). These are the worrying notes from ssllabs test:<br>
> ><br>
> > The server supports only older protocols, but not the current best TLS 1.2.<br>
> > Grade capped to C.<br>
> > This server accepts the RC4 cipher, which is weak. Grade capped to B.<br>
> > The server does not support Forward Secrecy with the reference browsers.<br>
> ><br>
> Use the "Modern" cipher suite[1] recommended by Mozilla as a<br>
> starting point. See also the "Cipher names correspondence table" on<br>
> the same page for translating it to cipher names understood by NSS<br>
> to construct a valid setting for the `NSSCipherSuite' directive.<br>
><br>
> [1]<br>
> <a href="https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility" rel="noreferrer" target="_blank">https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility</a><br>
><br>
> Cheers,<br>
> Fraser<br>
><br>
> ><br>
> > On Wed, Nov 4, 2015 at 4:44 PM, Fraser Tweedale<br>
</span><div class="HOEnZb"><div class="h5">> <<a href="mailto:ftweedal@redhat.com">ftweedal@redhat.com</a> <mailto:<a href="mailto:ftweedal@redhat.com">ftweedal@redhat.com</a>>> wrote:<br>
> ><br>
> > > On Wed, Nov 04, 2015 at 03:20:22PM -0800, Prasun Gera wrote:<br>
> > > > I'm using idm (4.1.x) on a RHEL 7.1 with the webui accessible<br>
> publicly.<br>
> > > I'm<br>
> > > > using a stock configuration which uses the certs signed by<br>
> ipa's CA for<br>
> > > the<br>
> > > > webui. This is mostly for convenience since it manages renewals<br>
> > > seamlessly.<br>
> > > > This, however, requires users to add the CA as trusted to their<br>
> > > browsers. A<br>
> > > > promising alternative to this is <a href="https://letsencrypt.org/" rel="noreferrer" target="_blank">https://letsencrypt.org/</a>,<br>
> which issues<br>
> > > > browser trusted certs, and will manage auto renewals too (in<br>
> the future).<br>
> > > > As a feature request, it would be nice to have closer<br>
> integration between<br>
> > > > ipa and the letsencrypt client which would make managing certs<br>
> simple.<br>
> > > I'm<br>
> > > > about to set this up manually right now using the external ssl<br>
> certs<br>
> > > guide.<br>
> > > ><br>
> > > Let's Encrypt is on our radar. I like the idea of being able to<br>
> > > install FreeIPA with publicly-trusted certs for HTTP and LDAP from<br>
> > > the beginning. This would require some work in ipa-server-install<br>
> > > in addition to certmonger support and a good, stable Let's Encrypt /<br>
> > > ACME client implementation for Apache on Fedora.<br>
> > ><br>
> > > Installing publicly-trusted HTTP / LDAP certs is a common activity<br>
> > > so I filed a ticket: <a href="https://fedorahosted.org/freeipa/ticket/5431" rel="noreferrer" target="_blank">https://fedorahosted.org/freeipa/ticket/5431</a><br>
> > ><br>
> > > Cheers,<br>
> > > Fraser<br>
> > ><br>
> > > > Secondly, since the webui uses mod_nss, how would one set it<br>
> up to prefer<br>
> > > > security over compatibility with older clients ? The vast<br>
> majority of<br>
> > > > documentation online (for eg.<br>
> > > ><br>
> <a href="https://mozilla.github.io/server-side-tls/ssl-config-generator/" rel="noreferrer" target="_blank">https://mozilla.github.io/server-side-tls/ssl-config-generator/</a>) is<br>
> > > about<br>
> > > > mod_ssl and I think the configuration doesn't transfer directly to<br>
> > > mod_nss.<br>
> > > > Since this is the only web facing component, I would like to<br>
> set it up to<br>
> > > > use stringent requirements. Right now, a test on<br>
> > > > <a href="https://www.ssllabs.com/ssltest/" rel="noreferrer" target="_blank">https://www.ssllabs.com/ssltest/</a> and<br>
> <a href="https://weakdh.org/sysadmin.html" rel="noreferrer" target="_blank">https://weakdh.org/sysadmin.html</a><br>
> > > > identifies<br>
> > > > several issues. Since these things are not really my area of<br>
> expertise, I<br>
> > > > would like some documentation regarding this. Also, would manually<br>
> > > > modifying any of the config files be overwritten by a yum update ?<br>
> > ><br>
> > > > --<br>
> > > > Manage your subscription for the Freeipa-users mailing list:<br>
> > > > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
> > > > Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project<br>
> > ><br>
> > ><br>
><br>
><br>
><br>
><br>
<br>
</div></div></blockquote></div><br></div>