[Freeipa-users] Fedora 19 upgrading mod_nss
Anthony Messina
amessina at messinet.com
Fri Nov 22 23:24:39 UTC 2013
After pulling down a mod_nss upgrade, the nss.conf.rpmnew file has some
additional content. The diff is below. Should I merge in the new
NSSCipherSuite/NSSProtocol changes on an IPA system or leave it as is?
[root at ipa1 ~]# diff -u /etc/httpd/conf.d/nss.conf /etc/httpd/conf.d/nss.conf.rpmnew
--- /etc/httpd/conf.d/nss.conf 2013-10-06 11:58:57.297000000 -0500
+++ /etc/httpd/conf.d/nss.conf.rpmnew 2013-10-24 16:22:49.000000000 -0500
@@ -14,9 +14,9 @@
# standard HTTP port (see above) and to the HTTPS port
#
# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
-# Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
+# Listen directives: "Listen [::]:8443" and "Listen 0.0.0.0:443"
#
-Listen 443
+Listen 8443
##
## SSL Global Context
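Review bot: The `+` side of this diff is the packaged default, not the configuration to adopt: `Listen 8443` would move the IPA web UI and API off port 443, so the existing `Listen 443` (and its comment) should be kept. The same applies to the other IPA-specific values this rpmnew would revert: `NSSPassPhraseDialog "file:/etc/httpd/conf/password.conf"` in the `@@ -35,7 +35,7 @@` hunk (the directive comment says `builtin` is a terminal dialog, so an unattended httpd restart would presumably stall waiting for a pass phrase), `NSSRenegotiation on`, `NSSRequireSafeNegotiation on` and `<VirtualHost _default_:443>` in the `@@ -73,21 +73,21 @@` hunk (the `off`/`off` pair drops the renegotiation_info and RI/SCSV requirements the directive comments describe), and `Include conf.d/ipa-rewrite.conf` in the `@@ -214,6 +223,5 @@` hunk, which the rpmnew lacks entirely. Any merge should be limited to the new protocol material and leave these four hunks at their `-` values.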
@@ -35,7 +35,7 @@
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
-NSSPassPhraseDialog "file:/etc/httpd/conf/password.conf"
+NSSPassPhraseDialog builtin
# Pass Phrase Helper:
@@ -73,21 +73,21 @@
#
# Only renegotiate if the peer's hello bears the TLS renegotiation_info
# extension. Default off.
-NSSRenegotiation on
+NSSRenegotiation off
# Peer must send Signaling Cipher Suite Value (SCSV) or
# Renegotiation Info (RI) extension in ALL handshakes. Default: off
-NSSRequireSafeNegotiation on
+NSSRequireSafeNegotiation off
##
## SSL Virtual Host Context
##
-<VirtualHost _default_:443>
+<VirtualHost _default_:8443>
# General setup for the virtual host
#DocumentRoot "/etc/httpd/htdocs"
-#ServerName www.example.com:443
+#ServerName www.example.com:8443
#ServerAdmin you at example.com
# mod_nss can log to separate log files, you can choose to do that if you'd
like
@@ -113,7 +113,16 @@
# ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography
#NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-
rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,
+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-
rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-
ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,
+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,
+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,
+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,
+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-
echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,
+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha
-NSSProtocol SSLv3,TLSv1
+# SSL Protocol:
+# Cryptographic protocols that provide communication security.
+# NSS handles the specified protocols as "ranges", and automatically
+# negotiates the use of the strongest protocol for a connection starting
+# with the maximum specified protocol and downgrading as necessary to the
+# minimum specified protocol that can be used between two processes.
+# Since all protocol ranges are completely inclusive, and no protocol in
the
+# middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.1"
+# is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1".
+NSSProtocol SSLv3,TLSv1.0,TLSv1.1
# SSL Certificate Nickname:
# The nickname of the RSA server certificate you are going to use.
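Review bot: The new `NSSProtocol SSLv3,TLSv1.0,TLSv1.1` line still has SSLv3 as the low end of its range, and since the added comment explains that NSS treats the list as an inclusive range, SSLv3 remains negotiable for any client that offers it. If this part is merged, `NSSProtocol TLSv1.0,TLSv1.1` is the minimal edit that raises the floor while keeping the new TLSv1.1 ceiling; check first which clients of this IPA server, if any, still depend on SSLv3 — presumably none. Note also that the `+`-prefixed lines between the `#NSSCipherSuite` line and `-NSSProtocol SSLv3,TLSv1` are mail-wrapped fragments of that single commented-out directive (the hunk header's line counts only account for the comment block and the one `NSSProtocol` line), so this hunk adds no cipher change; the RC4, MD5 and 3DES entries in that list stay inactive unless the leading `#` is removed.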
@@ -214,6 +223,5 @@
#CustomLog /home/rcrit/redhat/apache/logs/ssl_request_log \
# "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
-Include conf.d/ipa-rewrite.conf
</VirtualHost>
--
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E