[Freeipa-users] weak and null ciphers detected on ldap ports

Murty, Ajeet (US - Arlington) amurty at deloitte.com
Tue Oct 7 16:10:38 UTC 2014


I was shutting down IPA before making any changes - 

1. Shutdown IPA - 

[root]# /etc/init.d/ipa stop
Stopping CA Service
Stopping pki-ca:                                           [  OK  ]
Stopping HTTP Service
Stopping httpd:                                            [  OK  ]
Stopping MEMCACHE Service
Stopping ipa_memcached:                                    [  OK  ]
Stopping KPASSWD Service
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Stopping KDC Service
Stopping Kerberos 5 KDC:                                   [  OK  ]
Stopping Directory Service
Shutting down dirsrv:
    EXAMPLE-COM...                                         [  OK  ]
    PKI-IPA...                                             [  OK  ]

2. Edit 'dse.ldif' files to remove null ciphers - 

nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+
 rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128
 _sha,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
numSubordinates: 1

3. Start IPA - 

[root]# /etc/init.d/ipa start
Starting Directory Service
Starting dirsrv:
    EXAMPLE-COM...                                         [  OK  ]
    PKI-IPA...                                             [  OK  ]
Starting KDC Service
Starting Kerberos 5 KDC:                                   [  OK  ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server:                          [  OK  ]
Starting MEMCACHE Service
Starting ipa_memcached:                                    [  OK  ]
Starting HTTP Service
Starting httpd:                                            [  OK  ]
Starting CA Service
Starting pki-ca:                                           [  OK  ]

4. Run Scan.

Null Ciphers detected again by Nessus - 

	Here is the list of null SSL ciphers supported by the remote server :
	  Null Ciphers (no encryption)
	    TLSv1
	      NULL-SHA                     Kx=RSA         Au=RSA      Enc=None                 Mac=SHA1   
	The fields above are :
	  {OpenSSL ciphername}
	Port
	389 / tcp / ldap 	
	636 / tcp / ldap 	



Ajeet Murty
Deloitte & Touche LLP
Tel: +1 571 882 5614 | Mobile: +1 704 421 8756
amurty at deloitte.com | www.deloitte.com




-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com] 
Sent: Tuesday, October 07, 2014 10:19 AM
To: Murty, Ajeet (US - Arlington); Alexander Bokovoy
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports

Murty, Ajeet (US - Arlington) wrote:
> Sorry, I messed up the copy-paste; here is the edited section - 
> 
> nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+
>  rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128
>  _sha,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
> numSubordinates: 1
> 
> I double checked this time. No Null ciphers in dse.ldif files.
> Still seeing the Null Cipher in scans.
> 

Are you shutting down the server(s) before modifying dse.ldif or are you
doing the changes online using ldapmodify?

389-ds writes dse.ldif during shutdown so if you make changes while the
server is up and then restart it those changes will be lost.

rob

> 
> 
> -----Original Message-----
> From: Alexander Bokovoy [mailto:abokovoy at redhat.com] 
> Sent: Tuesday, October 07, 2014 6:13 AM
> To: Murty, Ajeet (US - Arlington)
> Cc: Martin Kosek; Nathan Kinder; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
> 
> On Tue, 07 Oct 2014, Murty, Ajeet (US - Arlington) wrote:
>> I edited both ldif files to remove fortezza_null. Looks like this now -
>>
>> nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
>> +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
>> rtezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
> Here I can still see +fortezza_null.
> 
>> a_export1024_with_des_cbc_sha
>>
>> Ran the scan again, still seeing Null Cipher -
>>
>> TLSv1
>>      NULL-SHA                     Kx=RSA         Au=RSA      Enc=None                 Mac=SHA1
>>
>> -----Original Message-----
>> From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
>> Sent: Tuesday, October 07, 2014 5:46 AM
>> To: Murty, Ajeet (US - Arlington)
>> Cc: Martin Kosek; Nathan Kinder; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
>>
>> On Tue, 07 Oct 2014, Murty, Ajeet (US - Arlington) wrote:
>>> Hi Martin and Nathan,
>>>
>>> Thank you for providing that info.
>>> Unfortunately, my IPA server is running on CentOS, and the latest IPA version available through YUM is - 'ipa-server.i686 3.0.0-37.el6'.
>>> The latest version of 389-DS through YUM is - '389-ds-base.i686 1.2.11.15-34.el6_5 '.
>>>
>>> Nessus scan had detected this null cipher -
>>>    TLSv1
>>>      NULL-SHA                     Kx=RSA         Au=RSA      Enc=None                 Mac=SHA1
>>>
>>> I found 2 'dse.ldif' files on disk -
>>>        /etc/dirsrv/slapd-PKI-IPA/dse.ldif
>>>        /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif
>>>
>>> In each of them, I found this -
>>> nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
>>> +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
>>> rtezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
>>> a_export1024_with_des_cbc_sha
>>>
>>>
>>> So to disable null cipher, I removed 'rsa_null_md5' from that list -
>>> nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
>>> +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
>>> rtezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
>>> a_export1024_with_des_cbc_sha
>>>
>>> I restarted the entire IPA stack, and ran the scan again, I am still seeing that Null Cipher.
>>>
>>> Any ideas on how to resolve this?
>> I can also see fortezza_null in the above list; maybe you are running
>> into that one?
>>
>>>
>>> -----Original Message-----
>>> From: Martin Kosek [mailto:mkosek at redhat.com]
>>> Sent: Tuesday, September 23, 2014 11:15 AM
>>> To: Nathan Kinder; freeipa-users at redhat.com; Murty, Ajeet (US - Arlington)
>>> Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
>>>
>>> On 09/22/2014 10:07 PM, Nathan Kinder wrote:
>>>>
>>>>
>>>> On 09/22/2014 05:03 AM, Murty, Ajeet (US - Arlington) wrote:
>>>>> Security scan of FreeIPA server ports uncovered weak, medium and null
>>>>> ciphers on port 389 and 636. We are running 'ipa-server-3.0.0-37.el6.i686'.
>>>>>
>>>>> How can I disable/remove these ciphers in my existing setup?
>>>>
>>>> This has recently been worked on in this 389-ds-base ticket:
>>>>
>>>>   https://fedorahosted.org/389/ticket/47838
>>>>
>>>> As mentioned in the initial description of that ticket, you can
>>>> configure the allowed ciphers in the "cn=config" entry in 389-ds-base.
>>>> You can edit this over LDAP, or by stopping 389-ds-base and editing
>>>> /etc/dirsrv/slapd-<REALM>/dse.ldif.
>>>>
>>>> Thanks,
>>>> -NGK
>>>
>>> You can also check the FreeIPA counterpart:
>>>
>>> https://fedorahosted.org/freeipa/ticket/4395
>>>
>>> This issue is fixed in FreeIPA 4.0.3 (available in Copr build and Fedora 21+),
>>> we would very much welcome if you can verify that this setup works for you!
>>>
>>> Thanks,
>>> Martin
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go To http://freeipa.org for more info on the project
>>
>> --
>> / Alexander Bokovoy
> 
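Two things go wrong in this thread: a null cipher survives because only rsa_null_md5 was taken out while +fortezza_null stayed in a value that LDIF folds over several lines, and an edit to dse.ldif is silently lost unless dirsrv is stopped first (or the change is made online with ldapmodify). The script below is an added worked example for both points; it is not code from 389-ds, FreeIPA or any of the posters. It unfolds the LDIF continuation lines, parses the nsSSL3Ciphers value, lists every enabled cipher that falls into a null, export/40-bit, single-DES, Fortezza or RC4/MD5 family, rebuilds the value with each of those explicitly disabled, and emits the ldapmodify change record for an online change. Assumptions: the attribute lives on cn=encryption,cn=config (as it does on 389-ds-base 1.2.x), substring matching on the 389-ds cipher names is enough to classify them, and the two AES names harden() appends (tls_rsa_aes_128_sha, tls_rsa_aes_256_sha) are supported by the NSS build in use. The sample dse.ldif is constructed from the value posted in the thread.

```python
"""Audit the nsSSL3Ciphers value in a 389-ds dse.ldif and build a hardened one.

Added example for this thread; not code from 389-ds, FreeIPA or any poster.
Assumptions: the attribute is on cn=encryption,cn=config (389-ds-base 1.2.x),
substring matching on the 389-ds cipher names is enough to classify them, and
the AES names appended by harden() are supported by the local NSS build.
"""
import re
import sys
from typing import Dict, List, Tuple

ENCRYPTION_DN = "cn=encryption,cn=config"

# Constructed sample modelled on the value posted in the thread. LDIF folds a
# long value over several lines and each continuation line starts with one
# space, so "+fortezza_rc4_128_sha" is split as "+fo" / "rtezza_rc4_128_sha"
# and a grep for that name on the folded file finds nothing.
SAMPLE_DSE_LDIF = """\
dn: cn=config
cn: config

dn: cn=encryption,cn=config
cn: encryption
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
 rtezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
 a_export1024_with_des_cbc_sha
numSubordinates: 1
"""

# Family label and the pattern that puts a cipher name into it; first match wins.
WEAK_RULES = [
    ("null (no encryption)", re.compile(r"null")),
    ("export / 40-bit", re.compile(r"export|_40_")),
    ("single DES", re.compile(r"(?<!3)des")),   # rsa_des_sha, but not rsa_3des_sha
    ("Fortezza / Skipjack", re.compile(r"fortezza")),
    ("RC4 or MD5", re.compile(r"rc4|md5")),
]


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines (leading space) back onto their line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def entries(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse LDIF into {dn: {attr: [values]}}; keys lower-cased, '::' base64
    values left undecoded (enough for the cipher settings in dse.ldif)."""
    result: Dict[str, Dict[str, List[str]]] = {}
    dn, current = None, {}
    for line in unfold_ldif(text) + [""]:      # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                result[dn] = current
            dn, current = None, {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            dn = value.lower()
        else:
            current.setdefault(attr, []).append(value)
    return result


def parse_ciphers(value: str) -> List[Tuple[str, str]]:
    """389-ds syntax: comma-separated names, '+' enables, '-' disables."""
    out: List[Tuple[str, str]] = []
    for tok in value.split(","):
        tok = tok.strip()
        if tok:
            sign = tok[0] if tok[0] in "+-" else "+"
            out.append((sign, tok.lstrip("+-").lower()))
    return out


def classify(name: str) -> str:
    """Family label for a flagged cipher, '' if it is in no flagged family."""
    for label, rx in WEAK_RULES:
        if rx.search(name):
            return label
    return ""


def enabled_weak(ciphers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Only '+' entries count: '-rsa_null_md5' is already off, '+fortezza_null' is not."""
    found: Dict[str, List[str]] = {}
    for sign, name in ciphers:
        label = classify(name)
        if sign == "+" and label:
            found.setdefault(label, []).append(name)
    return found


def audit(dse_ldif_text: str) -> Dict[str, List[str]]:
    """Enabled ciphers from flagged families on cn=encryption,cn=config."""
    values = entries(dse_ldif_text).get(ENCRYPTION_DN, {}).get("nsssl3ciphers", [])
    return enabled_weak([c for v in values for c in parse_ciphers(v)])


def harden(ciphers: List[Tuple[str, str]],
           add: Tuple[str, ...] = ("tls_rsa_aes_128_sha", "tls_rsa_aes_256_sha")) -> str:
    """Rebuild the value with every flagged cipher explicitly '-' (the intent is
    then visible in a diff) and the assumed-available AES names appended."""
    parts = [("-" if classify(name) else "+") + name for _, name in ciphers]
    present = {name for _, name in ciphers}
    parts += ["+" + name for name in add if name not in present]
    return ",".join(parts)


def ldapmodify_record(value: str, dn: str = ENCRYPTION_DN) -> str:
    """Change record for an online edit via ldapmodify. 389-ds rewrites dse.ldif
    on shutdown, so either change it online like this or stop dirsrv before
    editing the file; an edit made while the server runs is overwritten."""
    return f"dn: {dn}\nchangetype: modify\nreplace: nsSSL3Ciphers\nnsSSL3Ciphers: {value}\n"


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DSE_LDIF
    for family, names in audit(text).items():
        print(f"enabled {family}: {', '.join(names)}")
    values = entries(text).get(ENCRYPTION_DN, {}).get("nsssl3ciphers", [])
    if values:
        print("\n--- ldapmodify input ---\n" + ldapmodify_record(harden(parse_ciphers(values[0]))))
```

Run it with no argument to see the report for the sample, or point it at /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif and /etc/dirsrv/slapd-PKI-IPA/dse.ldif (both instances listen with TLS, and the scan flagged both 389 and 636). Apply the printed record online with `ldapmodify -x -D "cn=Directory Manager" -W -H ldap://localhost -f change.ldif` and restart dirsrv, or stop dirsrv first and write the hardened value into the file, then re-run the scan; either way, confirm afterwards that the value on disk no longer has any `+` entry from the flagged families.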
