[Freeipa-users] weak and null ciphers detected on ldap ports

Alexander Bokovoy abokovoy at redhat.com
Tue Oct 7 09:46:14 UTC 2014


On Tue, 07 Oct 2014, Murty, Ajeet (US - Arlington) wrote:
>Hi Martin and Nathan,
>
>Thank you for providing that info.
>Unfortunately, my IPA server is running on CentOS, and the latest IPA version available through YUM is - 'ipa-server.i686 3.0.0-37.el6'.
>The latest version of 389-DS through YUM is - '389-ds-base.i686 1.2.11.15-34.el6_5'.
>
>Nessus scan had detected this null cipher -
>    TLSv1
>      NULL-SHA                     Kx=RSA         Au=RSA      Enc=None                 Mac=SHA1
>
>I found 2 'dse.ldif' files on disk -
>        /etc/dirsrv/slapd-PKI-IPA/dse.ldif
>        /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif
>
>In each of them, I found this -
>nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
> +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
> rtezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
> a_export1024_with_des_cbc_sha
>
>
>So to disable null cipher, I removed 'rsa_null_md5' from that list -
>nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
> +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
> rtezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
> a_export1024_with_des_cbc_sha
>
>I restarted the entire IPA stack and ran the scan again, and I am still seeing that null cipher.
>
>Any ideas on how to resolve this?
I can also see fortezza_null in the above list; maybe you are getting
into that one?

>
>-----Original Message-----
>From: Martin Kosek [mailto:mkosek at redhat.com]
>Sent: Tuesday, September 23, 2014 11:15 AM
>To: Nathan Kinder; freeipa-users at redhat.com; Murty, Ajeet (US - Arlington)
>Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
>
>On 09/22/2014 10:07 PM, Nathan Kinder wrote:
>>
>>
>> On 09/22/2014 05:03 AM, Murty, Ajeet (US - Arlington) wrote:
>>> Security scan of FreeIPA server ports uncovered weak, medium and null
>>> ciphers on port 389 and 636. We are running 'ipa-server-3.0.0-37.el6.i686'.
>>>
>>> How can I disable/remove these ciphers in my existing setup?
>>
>> This has recently been worked on in this 389-ds-base ticket:
>>
>>   https://fedorahosted.org/389/ticket/47838
>>
>> As mentioned in the initial description of that ticket, you can
>> configure the allowed ciphers in the "cn=config" entry in 389-ds-base.
>> You can edit this over LDAP, or by stopping 389-ds-base and editing
>> /etc/dirsrv/slapd-<REALM>/dse.ldif.
>>
>> Thanks,
>> -NGK
>
>You can also check the FreeIPA counterpart:
>
>https://fedorahosted.org/freeipa/ticket/4395
>
>This issue is fixed in FreeIPA 4.0.3 (available in Copr build and Fedora 21+);
>we would very much welcome it if you could verify that this setup works for you!
>
>Thanks,
>Martin
>
>-- 
>Manage your subscription for the Freeipa-users mailing list:
>https://www.redhat.com/mailman/listinfo/freeipa-users
>Go To http://freeipa.org for more info on the project

-- 
/ Alexander Bokovoy
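An added example, not part of this thread or of 389-ds/FreeIPA, that audits an nsSSL3Ciphers value the way the thread does by hand: it unfolds the LDIF continuation lines, parses the +/- cipher tokens, reports which ciphers matching an assumed weak-cipher policy are still enabled (fortezza_null survives the edit above), and rebuilds the value with each of them explicitly disabled. The sample LDIF is constructed from the value quoted above and the WEAK regex is an assumed policy, not a 389-ds setting.

```python
import re

# Constructed sample: the nsSSL3Ciphers value from this thread after
# rsa_null_md5 was removed, as it sits in dse.ldif. LDIF folds long values
# onto continuation lines that begin with a single space.
SAMPLE_LDIF = """\
dn: cn=encryption,cn=config
nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
 rtezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
 a_export1024_with_des_cbc_sha
"""

# Assumed audit policy: flag anything with no encryption, export-grade
# key exchange, or 40/56-bit keys. Adjust to your own baseline.
WEAK = re.compile(r"null|export|_40_|_56_")

def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_ciphers(text):
    """Return {cipher: enabled} from a plain-text nsSSL3Ciphers attribute."""
    for line in unfold_ldif(text):
        if line.lower().startswith("nsssl3ciphers:"):
            value = line.split(":", 1)[1].strip()
            return {tok.lstrip("+-").lower(): not tok.startswith("-")
                    for tok in value.split(",") if tok}
    return {}

def enabled_weak(text):
    """Ciphers that are still enabled and match the weak policy."""
    return sorted(c for c, on in parse_ciphers(text).items()
                  if on and WEAK.search(c))

def hardened_value(text):
    """Rebuild the attribute value with every weak cipher explicitly disabled."""
    return ",".join(("-" if WEAK.search(c) or not on else "+") + c
                    for c, on in parse_ciphers(text).items())

if __name__ == "__main__":
    print("still enabled:", enabled_weak(SAMPLE_LDIF))
    print("nsSSL3Ciphers:", hardened_value(SAMPLE_LDIF))
```

The parser handles only the plain `attr: value` form shown in the thread, not base64-encoded (`attr:: value`) LDIF attributes.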