<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Thank you for including me in the loop,
Ludwig.<br>
<br>
On 04/28/2016 04:34 AM, Ludwig Krispenz wrote:<br>
> If I remember correctly we did the change in default ciphers
and the option for handling in 389-ds > 1.3.3, so it would not
be in RHEL6, adding Noriko to get confirmation.
<br>
<br>
Ludwig is right. The way to set nsSSL3Ciphers has changed
since 1.3.3, which is available on RHEL-7.<br>
<br>
This is one of the newly supported values of nsSSL3Ciphers:<br>
<blockquote>Notes: if the value contains +all, then <strong>-&lt;cipher&gt;</strong>
is removed from the list.<br>
<a class="moz-txt-link-freetext" href="http://www.port389.org/docs/389ds/design/nss-cipher-design.html#available-by-setting-all----nss-3162-1">http://www.port389.org/docs/389ds/design/nss-cipher-design.html#available-by-setting-all----nss-3162-1</a><br>
</blockquote>
On the older 389-ds-base including 389-ds-base-1.2.11.X on
RHEL-6.X, if "+all" is found in the value, all the available
ciphers are enabled.<br>
<br>
To work around it, could you try explicitly setting ciphers as
follows?<br>
nsSSL3Ciphers:
-rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,<br>
+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,<br>
+tls_rsa_aes_128_gcm_sha,+tls_dhe_rsa_aes_128_gcm_sha,+tls_dhe_dss_aes_128_gcm_sha<br>
<br>
Thanks,<br>
--noriko<br>
<br>
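A model of the two interpretations of nsSSL3Ciphers described above, added here as an example; it is not code from this thread or from 389-ds-base, and AVAILABLE is a constructed subset of the cipher names that appear in the thread, not the full NSS list.<br>

```python
# Added example (not code from the thread or from 389-ds-base): a model of how
# the two generations of 389-ds-base read nsSSL3Ciphers, so the behaviour seen
# in the thread (RC4/export suites offered despite "-cipher") can be checked.
# AVAILABLE is a constructed subset of NSS cipher names taken from the thread.
AVAILABLE = frozenset([
    "rsa_null_md5", "rsa_null_sha", "rsa_rc4_56_sha", "rsa_rc4_128_md5",
    "rsa_rc4_128_sha", "tls_rsa_export1024_with_rc4_56_sha",
    "tls_dhe_dss_1024_rc4_sha", "tls_rsa_aes_128_sha", "rsa_aes_128_sha",
    "tls_dhe_dss_aes_128_sha", "tls_dhe_rsa_aes_128_sha", "tls_rsa_aes_256_sha",
    "rsa_aes_256_sha", "tls_rsa_aes_128_gcm_sha", "tls_dhe_rsa_aes_128_gcm_sha",
    "tls_dhe_dss_aes_128_gcm_sha",
])
WEAK_MARKERS = ("null", "rc4", "export")   # what the nmap runs in the thread flag

def parse_ciphers(value):
    """Split an nsSSL3Ciphers value into (want_all, plus, minus, unknown)."""
    want_all, plus, minus, unknown = False, [], [], []
    for tok in value.split(","):
        tok = tok.strip().lower()          # assumption: names match case-insensitively
        if not tok:
            continue
        if tok[0] not in "+-":
            raise ValueError("token must start with + or -: %r" % tok)
        name = tok[1:]
        if name == "all":
            want_all = tok[0] == "+"
        elif name not in AVAILABLE:
            unknown.append(name)           # names NSS does not know are skipped
        else:
            (plus if tok[0] == "+" else minus).append(name)
    return want_all, plus, minus, unknown

def enabled_legacy(value):
    """389-ds-base < 1.3.3 (1.2.11 on RHEL 6): '+all' enables every available
    cipher and the '-cipher' entries have no effect."""
    want_all, plus, minus, _ = parse_ciphers(value)
    return set(AVAILABLE) if want_all else set(plus) - set(minus)

def enabled_current(value):
    """389-ds-base >= 1.3.3: '+all' is the base set, each '-cipher' is removed."""
    want_all, plus, minus, _ = parse_ciphers(value)
    return (set(AVAILABLE) if want_all else set(plus)) - set(minus)

def weak_ciphers_offered(value, legacy):
    """Weak suites a server with this value would still offer (what nmap lists)."""
    enabled = enabled_legacy(value) if legacy else enabled_current(value)
    return sorted(c for c in enabled if any(m in c for m in WEAK_MARKERS))
```

With Sean's "+all,-..." value the legacy model still offers the export RC4 suite his nmap run reported, while the explicit list in the workaround yields the same nine suites under both models.<br>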
On 04/28/2016 04:34 AM, Ludwig Krispenz wrote:<br>
</div>
<blockquote cite="mid:5721F536.1000807@redhat.com" type="cite">wanted
to add Noriko, but hit send too quickly
<br>
<br>
On 04/28/2016 01:26 PM, Ludwig Krispenz wrote:
<br>
<blockquote type="cite">
<br>
On 04/28/2016 12:06 PM, Martin Kosek wrote:
<br>
<blockquote type="cite">On 04/28/2016 01:23 AM, Sean Hogan
wrote:
<br>
<blockquote type="cite">Hi Martin,
<br>
<br>
No joy on placing - in front of the RC4s
<br>
<br>
<br>
I modified my nss.conf to now read
<br>
# SSL 3 ciphers. SSL 2 is disabled by default.
<br>
NSSCipherSuite
<br>
+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha
<br>
<br>
# SSL Protocol:
<br>
# Cryptographic protocols that provide communication
security.
<br>
# NSS handles the specified protocols as "ranges", and
automatically
<br>
# negotiates the use of the strongest protocol for a
connection starting
<br>
# with the maximum specified protocol and downgrading as
necessary to the
<br>
# minimum specified protocol that can be used between two
processes.
<br>
# Since all protocol ranges are completely inclusive, and no
protocol in the
<br>
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
<br>
<br>
dse.ldif
<br>
<br>
dn: cn=encryption,cn=config
<br>
objectClass: top
<br>
objectClass: nsEncryptionConfig
<br>
cn: encryption
<br>
nsSSLSessionTimeout: 0
<br>
nsSSLClientAuth: allowed
<br>
nsSSL2: off
<br>
nsSSL3: off
<br>
creatorsName: cn=server,cn=plugins,cn=config
<br>
modifiersName: cn=directory manager
<br>
createTimestamp: 20150420131850Z
<br>
modifyTimestamp: 20150420131906Z
<br>
nsSSL3Ciphers:
+all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha
<br>
numSubordinates: 1
<br>
<br>
<br>
<br>
But I still get this with nmap.. I thought the above would
remove
<br>
-tls_rsa_export1024_with_rc4_56_sha but still showing. Is it
the fact that I am not
<br>
offering -tls_rsa_export1024_with_rc4_56_sha? If so.. not
really understanding
<br>
where it is coming from cept the +all from DS but the -
should be negating that?
<br>
<br>
Starting Nmap 5.51 ( <a class="moz-txt-link-freetext" href="http://nmap.org">http://nmap.org</a>
<a class="moz-txt-link-rfc2396E" href="http://nmap.org/">&lt;http://nmap.org/&gt;</a> ) at 2016-04-27 17:37 EDT
<br>
Nmap scan report for rtpvxl0077.watson.local (10.110.76.242)
<br>
Host is up (0.000086s latency).
<br>
PORT STATE SERVICE
<br>
636/tcp open ldapssl
<br>
| ssl-enum-ciphers:
<br>
| TLSv1.2
<br>
| Ciphers (13)
<br>
| SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
<br>
| SSL_RSA_FIPS_WITH_DES_CBC_SHA
<br>
| TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
<br>
| TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
<br>
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
<br>
| TLS_RSA_WITH_AES_128_CBC_SHA
<br>
| TLS_RSA_WITH_AES_128_CBC_SHA256
<br>
| TLS_RSA_WITH_AES_128_GCM_SHA256
<br>
| TLS_RSA_WITH_AES_256_CBC_SHA
<br>
| TLS_RSA_WITH_AES_256_CBC_SHA256
<br>
| TLS_RSA_WITH_DES_CBC_SHA
<br>
| TLS_RSA_WITH_RC4_128_MD5
<br>
| TLS_RSA_WITH_RC4_128_SHA
<br>
| Compressors (1)
<br>
|_ uncompressed
<br>
<br>
Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
<br>
<br>
<br>
<br>
It seems no matter what config I put into nss.conf or
dse.ldif nothing changes
<br>
with my nmap results. Is there supposed to be a section
to add TLS ciphers
<br>
instead of SSL
<br>
</blockquote>
Not sure now, CCing Ludwig who was involved in the original
RHEL-6
<br>
implementation.
<br>
</blockquote>
If I remember correctly we did the change in default ciphers and
the option for handling in 389-ds > 1.3.3, so it would not be
in RHEL6, adding Noriko to get confirmation.
<br>
<br>
but the below comments about changing ciphers in dse.ldif could
help in using the "old" way to set ciphers
<br>
<blockquote type="cite">Just to be sure, when you are modifying
dse.ldif, the procedure
<br>
should always be the following:
<br>
<br>
1) Stop Directory Server service
<br>
2) Modify dse.ldif
<br>
3) Start Directory Server service
<br>
<br>
Otherwise it won't get applied and will get overwritten later.
<br>
<br>
In any case, the ciphers with RHEL-6 should be secure enough,
the ones in
<br>
FreeIPA 4.3.1 should be even better. This is for example an
nmap taken on
<br>
FreeIPA Demo instance that runs on FreeIPA 4.3.1:
<br>
<br>
$ nmap --script ssl-enum-ciphers -p 636 ipa.demo1.freeipa.org
<br>
<br>
Starting Nmap 7.12 ( <a class="moz-txt-link-freetext" href="https://nmap.org">https://nmap.org</a> ) at 2016-04-28 12:02
CEST
<br>
Nmap scan report for ipa.demo1.freeipa.org (209.132.178.99)
<br>
Host is up (0.18s latency).
<br>
PORT STATE SERVICE
<br>
636/tcp open ldapssl
<br>
| ssl-enum-ciphers:
<br>
| TLSv1.2:
<br>
| ciphers:
<br>
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
<br>
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
<br>
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
<br>
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
<br>
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
<br>
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
<br>
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
<br>
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
<br>
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
<br>
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
<br>
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
<br>
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
<br>
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
<br>
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
<br>
| compressors:
<br>
| NULL
<br>
| cipher preference: server
<br>
|_ least strength: A
<br>
<br>
Nmap done: 1 IP address (1 host up) scanned in 21.12 seconds
<br>
<br>
Martin
<br>
</blockquote>
<br>
</blockquote>
<br>
</blockquote>
<br>
</body>
</html>