[Freeipa-users] Fedora 19 upgrading mod_nss
Simo Sorce
simo at redhat.com
Sat Nov 23 03:28:33 UTC 2013
On Fri, 2013-11-22 at 17:24 -0600, Anthony Messina wrote:
> After pulling down a mod_nss upgrade, the nss.conf.rpmnew file has some
> additional content. The diff is below. Should I merge in the new
> NSSCipherSuite/NSSProtocol changes on an IPA system or leave it as is?
It is probably a good idea to merge them in, although IPA is not yet able
to create EC-based certs. The protocol change is certainly worth it.
Simo.
> [root at ipa1 ~]# diff -u /etc/httpd/conf.d/nss.conf
> /etc/httpd/conf.d/nss.conf.rpmnew
> --- /etc/httpd/conf.d/nss.conf 2013-10-06 11:58:57.297000000 -0500
> +++ /etc/httpd/conf.d/nss.conf.rpmnew 2013-10-24 16:22:49.000000000 -0500
> @@ -14,9 +14,9 @@
> # standard HTTP port (see above) and to the HTTPS port
> #
> # Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
> -# Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
> +# Listen directives: "Listen [::]:8443" and "Listen 0.0.0.0:443"
> #
> -Listen 443
> +Listen 8443
>
> ##
> ## SSL Global Context
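Review bot: The `+` side of this diff is the pristine package default (the .rpmnew file), not a newer revision of the IPA-tuned nss.conf, so merging `Listen 8443` would move the IPA HTTPS listener off port 443; the merged file should keep `Listen 443`. The same reversal shows up in the later hunks: `NSSPassPhraseDialog builtin` replaces IPA's `NSSPassPhraseDialog "file:/etc/httpd/conf/password.conf"` (the hunk's own comment calls builtin a terminal dialog, which presumably cannot serve an unattended httpd start), `<VirtualHost _default_:8443>` and the `ServerName` comment follow the port change, and the final hunk drops `Include conf.d/ipa-rewrite.conf`. Treat the .rpmnew file as a source for the new NSSCipherSuite/NSSProtocol block only and keep every IPA-specific line from the `-` side.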
> @@ -35,7 +35,7 @@
> # Configure the pass phrase gathering process.
> # The filtering dialog program (`builtin' is a internal
> # terminal dialog) has to provide the pass phrase on stdout.
> -NSSPassPhraseDialog "file:/etc/httpd/conf/password.conf"
> +NSSPassPhraseDialog builtin
>
>
> # Pass Phrase Helper:
> @@ -73,21 +73,21 @@
> #
> # Only renegotiate if the peer's hello bears the TLS renegotiation_info
> # extension. Default off.
> -NSSRenegotiation on
> +NSSRenegotiation off
>
> # Peer must send Signaling Cipher Suite Value (SCSV) or
> # Renegotiation Info (RI) extension in ALL handshakes. Default: off
> -NSSRequireSafeNegotiation on
> +NSSRequireSafeNegotiation off
>
> ##
> ## SSL Virtual Host Context
> ##
>
> -<VirtualHost _default_:443>
> +<VirtualHost _default_:8443>
>
> # General setup for the virtual host
> #DocumentRoot "/etc/httpd/htdocs"
> -#ServerName www.example.com:443
> +#ServerName www.example.com:8443
> #ServerAdmin you at example.com
>
> # mod_nss can log to separate log files, you can choose to do that if you'd
> like
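Review bot: `NSSRenegotiation off` and `NSSRequireSafeNegotiation off` on the `+` side are the package defaults, while the IPA-installed file had both `on`; merging them as-is drops the requirement, described in the surrounding comments, that peers carry the renegotiation_info extension or SCSV in every handshake. Keep `NSSRenegotiation on` and `NSSRequireSafeNegotiation on` from the `-` side when merging. The `<VirtualHost>` block opened in this hunk is closed in the last hunk of the diff.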
> @@ -113,7 +113,16 @@
> # ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography
> #NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-
> rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,
> +fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-
> rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-
> ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,
> +ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,
> +ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,
> +ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,
> +ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-
> echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,
> +ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha
>
> -NSSProtocol SSLv3,TLSv1
> +# SSL Protocol:
> +# Cryptographic protocols that provide communication security.
> +# NSS handles the specified protocols as "ranges", and automatically
> +# negotiates the use of the strongest protocol for a connection starting
> +# with the maximum specified protocol and downgrading as necessary to the
> +# minimum specified protocol that can be used between two processes.
> +# Since all protocol ranges are completely inclusive, and no protocol in
> the
> +# middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.1"
> +# is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1".
> +NSSProtocol SSLv3,TLSv1.0,TLSv1.1
>
> # SSL Certificate Nickname:
> # The nickname of the RSA server certificate you are going to use.
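Review bot: `NSSProtocol SSLv3,TLSv1.0,TLSv1.1` keeps SSLv3 as the floor of the range, and by the inclusive-range rule the new comment block spells out, the only way to exclude it is to raise the minimum; for an IPA server the merged line should be `NSSProtocol TLSv1.0,TLSv1.1` unless a client is known to still need SSLv3. The lines beginning `+fips_3des_sha` and `+ecdh_ecdsa_aes_128_sha` through `+ecdhe_rsa_aes_128_sha` are mail wrapping of the single commented-out `#NSSCipherSuite` line rather than added lines (the hunk header's 7-to-16 count matches only the NSSProtocol comment block as additions), and that list still enables rc4, md5 and 3des suites, so it should be reviewed before being uncommented rather than taken as a hardened default. Its EC suites only take effect once the server holds an EC certificate, which the reply notes IPA cannot yet issue.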
> @@ -214,6 +223,5 @@
> #CustomLog /home/rcrit/redhat/apache/logs/ssl_request_log \
> # "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
> -Include conf.d/ipa-rewrite.conf
> </VirtualHost>
--
Simo Sorce * Red Hat, Inc * New York