<div dir="ltr">Managed to get PKI/Tomcat patched for TLS 1.2.<div><br></div><div><b>/etc/pki/pki-tomcat/server.xml</b></div><div><b>...</b></div><div><b>sslVersionRangeStream="tls1_2:tls1_2"</b></div><div><b>sslVersionRangeDatagram="tls1_2:tls1_2"<br></b></div><div><b>...<br></b><br>Thanks, resolved.<br><br><div class="gmail_quote"><div dir="ltr">On Thu, Apr 27, 2017 at 10:01 PM Callum Guy &lt;<a href="mailto:callum.guy@x-on.co.uk">callum.guy@x-on.co.uk</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">For others' reference, this is regarding CentOS 7.2 with FreeIPA 4.4.0.<div><br></div><div>The directory server changes suggested in the link are for an older version. The minimum TLS version can be altered as follows:</div><div><br></div><div><b>/etc/dirsrv/slapd-DOMAIN.COM/dse.ldif</b></div><div><span id="m_-4023534344703992505inbox-inbox-docs-internal-guid-9942cd00-b130-22a9-c0be-9b83b20058d2"><pre>dn: cn=encryption,cn=config
allowWeakCipher: off
cn: encryption
createTimestamp: 20161130110528Z
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=Directory Manager
modifyTimestamp: 20161213085006Z
nsSSLClientAuth: allowed
nsSSLSessionTimeout: 0
nsSSL3Ciphers: default
objectClass: top
objectClass: nsEncryptionConfig
sslVersionMin: <b>TLS1.2</b>
</pre></span></div><div><br></div><div>I'm still working on port 8443 (DogTag/PKI/Tomcat). The configuration in /usr/share/pki/server/conf/server.xml seems to roughly match the linked article; however, it's all tokenized, as shown below:</div><div><br></div><pre>           sslOptions="[TOMCAT_SSL_OPTIONS]"
           ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
           ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
           tlsCiphers="[TOMCAT_TLS_CIPHERS]"
           sslVersionRangeStream="[TOMCAT_SSL_VERSION_RANGE_STREAM]"
           sslVersionRangeDatagram="[TOMCAT_SSL_VERSION_RANGE_DATAGRAM]"
           sslRangeCiphers="[TOMCAT_SSL_RANGE_CIPHERS]"
</pre><div><br></div><div>I'll feed back if I work it out.</div><div><br></div><div>Thanks,</div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, Apr 27, 2017 at 8:22 PM Callum Guy &lt;<a href="mailto:callum.guy@x-on.co.uk" target="_blank">callum.guy@x-on.co.uk</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Thanks so much for the link Rob - I'm on 4.4.0. I'll get back in touch if I run into any issues. I find it difficult to locate these help pages, so I really do appreciate the advice.</div><br><div class="gmail_quote"><div dir="ltr">On Thu, Apr 27, 2017 at 8:16 PM Rob Crittenden &lt;<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Callum Guy wrote:<br>
> Hi All,<br>
><br>
> I'm currently looking at hardening my FreeIPA server as part of a PCI<br>
> assessment.<br>
><br>
> I am hoping to be able to fix PKI (port 8443) and SLAPD (LDAPS) to use<br>
> only TLS1.2 - both currently support TLS1.0 and unfortunately that is<br>
> non-compliant for my environment.<br>
><br>
> Also I'm very much hoping not to break my installation!<br>
><br>
> Does anyone have experience in this area?<br>
<br>
It depends very much on what version you are running but see<br>
<a href="https://access.redhat.com/articles/2801181" rel="noreferrer" target="_blank">https://access.redhat.com/articles/2801181</a> for inspiration.<br>
<br>
rob<br>
<br>
</blockquote></div></blockquote></div></blockquote></div></div></div>
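<p>The two settings the thread converges on live in different files with different spellings of the same thing: 389-ds takes <code>sslVersionMin: TLS1.2</code> on <code>cn=encryption,cn=config</code>, while the pki-tomcat connector takes NSS range syntax, <code>sslVersionRangeStream="tls1_2:tls1_2"</code>. The script below is an added example, not FreeIPA or Dogtag code: it parses both fragments, normalises each version token to the TLS record-layer version it denotes, and reports anything that still admits a protocol below TLS 1.2, including the case Callum hit where server.xml still carries the unexpanded <code>[TOMCAT_...]</code> template tokens. The sample fragments are constructed from the values quoted above, not copied from a live install, and the token-to-version table is the author's own.</p>

```python
"""Audit the FreeIPA TLS floors from the thread: 389-ds (sslVersionMin on
cn=encryption,cn=config in dse.ldif) and pki-tomcat (sslVersionRangeStream /
sslVersionRangeDatagram in server.xml). Added example, not FreeIPA/Dogtag code."""
import re

# Protocol token -> record-layer version (major, minor), so that NSS range syntax
# ("tls1_2") and 389-ds syntax ("TLS1.2", "SSL3") compare the same way.
WIRE_VERSION = {
    "ssl3": (3, 0), "tls1_0": (3, 1), "tls1_1": (3, 2),
    "tls1_2": (3, 3), "tls1_3": (3, 4),
}

def parse_version(token):
    """Normalise 'tls1_2', 'TLS1.2', 'tls1' or 'SSL3' to a (major, minor) tuple."""
    t = token.strip().lower().replace(".", "_")
    if t == "tls1":  # NSS accepts bare 'tls1' for TLS 1.0
        t = "tls1_0"
    if t not in WIRE_VERSION:
        raise ValueError("unknown TLS version token: %r" % token)
    return WIRE_VERSION[t]

def ldif_entries(text):
    """Minimal LDIF reader: a blank line ends an entry, a leading space folds a
    continuation onto the previous attribute, repeated attributes become lists."""
    entries, cur, prev = [], {}, None
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and prev:
            cur[prev][-1] += line[1:]
        elif not line.strip():
            if cur:
                entries.append(cur)
            cur, prev = {}, None
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            prev = name.strip().lower()
            cur.setdefault(prev, []).append(value.strip())
    return entries

def dirsrv_min_version(ldif_text):
    """sslVersionMin of cn=encryption,cn=config, or None when the attribute is absent."""
    for entry in ldif_entries(ldif_text):
        if entry.get("dn", [""])[0].lower() == "cn=encryption,cn=config":
            values = entry.get("sslversionmin")
            return parse_version(values[0]) if values else None
    return None

RANGE_ATTR = re.compile(r'\b(sslVersionRange(?:Stream|Datagram))\s*=\s*"([^"]*)"')
TEMPLATE = object()  # marker: attribute still holds an unexpanded [TOMCAT_...] token

def tomcat_version_ranges(xml_text):
    """{attribute: (min, max)} for the NSS range attributes on the 8443 connector."""
    ranges = {}
    for name, value in RANGE_ATTR.findall(xml_text):
        if value.startswith("["):
            ranges[name] = TEMPLATE
            continue
        low, _, high = value.partition(":")
        ranges[name] = (parse_version(low), parse_version(high or low))
    return ranges

def audit(ldif_text, xml_text, floor="tls1_2"):
    """Return findings; an empty list means neither listener admits anything below `floor`."""
    need, findings = parse_version(floor), []
    ds_min = dirsrv_min_version(ldif_text)
    if ds_min is None:
        findings.append("dse.ldif: sslVersionMin not set on cn=encryption,cn=config")
    elif ds_min < need:
        findings.append("dse.ldif: sslVersionMin is below %s" % floor)
    ranges = tomcat_version_ranges(xml_text)
    for attr in ("sslVersionRangeStream", "sslVersionRangeDatagram"):
        rng = ranges.get(attr)
        if rng is None:
            findings.append("server.xml: %s not present" % attr)
        elif rng is TEMPLATE:
            findings.append("server.xml: %s still holds an unexpanded [TOMCAT_...] token" % attr)
        elif rng[0] < need:
            findings.append("server.xml: %s allows versions below %s" % (attr, floor))
    return findings

# Constructed samples: HARDENED_* carry the values quoted in the thread, WEAK_* leave
# TLS 1.0 reachable, TEMPLATE_XML is the untouched /usr/share/pki template form.
HARDENED_LDIF = """dn: cn=encryption,cn=config
allowWeakCipher: off
cn: encryption
objectClass: top
objectClass: nsEncryptionConfig
sslVersionMin: TLS1.2
"""
WEAK_LDIF = HARDENED_LDIF.replace("TLS1.2", "TLS1.0")
HARDENED_XML = """<Connector port="8443"
           sslVersionRangeStream="tls1_2:tls1_2"
           sslVersionRangeDatagram="tls1_2:tls1_2" />"""
WEAK_XML = HARDENED_XML.replace('"tls1_2:tls1_2"', '"tls1_0:tls1_2"')
TEMPLATE_XML = ('sslVersionRangeStream="[TOMCAT_SSL_VERSION_RANGE_STREAM]"\n'
                'sslVersionRangeDatagram="[TOMCAT_SSL_VERSION_RANGE_DATAGRAM]"')

if __name__ == "__main__":
    print("hardened:", audit(HARDENED_LDIF, HARDENED_XML) or "ok")
    print("weak:", audit(WEAK_LDIF, WEAK_XML))
    print("template:", audit(HARDENED_LDIF, TEMPLATE_XML))
```

<p>Point <code>audit()</code> at the real <code>/etc/dirsrv/slapd-*/dse.ldif</code> and <code>/etc/pki/pki-tomcat/server.xml</code> (read them with the directory server stopped, since dse.ldif is rewritten on shutdown). A static read only proves what the files say; after restarting both services, confirm what the listeners actually negotiate with <code>openssl s_client -connect host:636 -tls1</code> and <code>-tls1_1</code> (both should fail the handshake) against <code>-tls1_2</code> (should succeed), and repeat on port 8443, since that is the evidence a PCI assessor will ask for.</p>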