[Freeipa-users] weak and null ciphers detected on ldap ports
Murty, Ajeet (US - Arlington)
amurty at deloitte.com
Tue Oct 7 09:35:50 UTC 2014
Hi Martin and Nathan,
Thank you for providing that info.
Unfortunately, my IPA server is running on CentOS, and the latest IPA version available through YUM is - 'ipa-server.i686 3.0.0-37.el6'.
The latest version of 389-DS through YUM is - '389-ds-base.i686 1.2.11.15-34.el6_5 '.
Nessus scan had detected this null cipher -
TLSv1
NULL-SHA Kx=RSA Au=RSA Enc=None Mac=SHA1
I found 2 'dse.ldif' files on disk -
/etc/dirsrv/slapd-PKI-IPA/dse.ldif
/etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif
In each of them, I found this -
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
rtezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
a_export1024_with_des_cbc_sha
So to disable null cipher, I removed 'rsa_null_md5' from that list -
nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
rtezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
a_export1024_with_des_cbc_sha
I restarted the entire IPA stack, and ran the scan again, I am still seeing that Null Cipher.
Any ideas on how to resolve this?
Thanks.
This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message and any disclosure, copying, or distribution of this message, or the taking of any action based on it, by you is strictly prohibited.
v.E.1
-----Original Message-----
From: Martin Kosek [mailto:mkosek at redhat.com]
Sent: Tuesday, September 23, 2014 11:15 AM
To: Nathan Kinder; freeipa-users at redhat.com; Murty, Ajeet (US - Arlington)
Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
On 09/22/2014 10:07 PM, Nathan Kinder wrote:
>
>
> On 09/22/2014 05:03 AM, Murty, Ajeet (US - Arlington) wrote:
>> Security scan of FreeIPA server ports uncovered weak, medium and null
>> ciphers on port 389 and 636. We are running 'ipa-server-3.0.0-37.el6.i686'.
>>
>> How can I disable/remove these ciphers in my existing setup?
>
> This has recently been worked on in this 389-ds-base ticket:
>
> https://fedorahosted.org/389/ticket/47838
>
> As mentioned in the initial description of that ticket, you can
> configure the allowed ciphers in the "cn=config" entry in 389-ds-base.
> You can edit this over LDAP, or by stopping 389-ds-base and editing
> /etc/dirsrv/slapd-<REALM>/dse.ldif.
>
> Thanks,
> -NGK
You can also check the FreeIPA counterpart:
https://fedorahosted.org/freeipa/ticket/4395
This issue is fixed in FreeIPA 4.0.3 (available in Copr build and Fedora 21+),
we would very much welcome if you can verify that this setup works for you!
Thanks,
Martin
More information about the Freeipa-users
mailing list