[Freeipa-users] weak and null ciphers detected on ldap ports

Alexander Bokovoy abokovoy at redhat.com
Tue Oct 7 16:43:10 UTC 2014


On Tue, 07 Oct 2014, Murty, Ajeet (US - Arlington) wrote:
>I was shutting down IPA before making any changes -
>
>1. Shutdown IPA -
>
>[root]# /etc/init.d/ipa stop
>Stopping CA Service
>Stopping pki-ca:                                           [  OK  ]
>Stopping HTTP Service
>Stopping httpd:                                            [  OK  ]
>Stopping MEMCACHE Service
>Stopping ipa_memcached:                                    [  OK  ]
>Stopping KPASSWD Service
>Stopping Kerberos 5 Admin Server:                          [  OK  ]
>Stopping KDC Service
>Stopping Kerberos 5 KDC:                                   [  OK  ]
>Stopping Directory Service
>Shutting down dirsrv:
>    EXAMPLE-COM...                                         [  OK  ]
>    PKI-IPA...                                             [  OK  ]
>
>2. Edit 'dse.ldif' files to remove null ciphers -
>
>nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+
> rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128
> _sha,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
>numSubordinates: 1
I think Ludwig gave a good suggestion -- instead of removing them from
the list, prefix the *_null ciphers with -, i.e. -rsa_null_md5, -fortezza_null.
The way the nsSSL3Ciphers attribute works is by modifying the default NSS
cipher list, with + and - to add and remove ciphers accordingly.

-- 
/ Alexander Bokovoy
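The following is an added example, not code from the thread or from FreeIPA/389 Directory Server, that mechanises the check and the fix described above. It unfolds the LDIF-wrapped nsSSL3Ciphers value quoted in the thread (a line beginning with a single space continues the previous line, which is why the value above is split across three lines), parses the +/- entries, flags anything enabled that is null, export, 40/56-bit, RC4, RC2, single DES, MD5-MACed or Fortezza, and emits a hardened value in which those entries are prefixed with - and the null ciphers named in the reply are explicitly disabled as well. The last step matters because the attribute is applied on top of the NSS default list: a cipher that never appears in the + list can still be enabled, so it has to be named with a - to be switched off. The dn line in the sample, the weakness policy, and the cipher names in EXTRA_DISABLE (the two from the reply plus rsa_null_sha) are this example's own assumptions; the sample value itself is the one quoted in the thread.

```python
import re

# Constructed sample in LDIF form. The attribute value is the one quoted in
# the thread; the dn is an assumption (where 389-ds keeps its TLS settings).
SAMPLE_LDIF = """\
dn: cn=encryption,cn=config
nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+
 rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128
 _sha,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
"""

# Example policy (an assumption of this example, not an NSS or 389-ds list):
# a cipher matching any of these is considered weak and gets disabled.
WEAK_RULES = [
    ("null encryption", re.compile(r"null")),
    ("export grade", re.compile(r"export")),
    ("40/56-bit key", re.compile(r"_(40|56)_")),
    ("RC4", re.compile(r"rc4")),
    ("RC2", re.compile(r"rc2")),
    ("single DES", re.compile(r"(?<!3)des")),   # leaves 3des alone
    ("MD5 MAC", re.compile(r"md5")),
    ("Fortezza", re.compile(r"fortezza")),
]

# Null ciphers to switch off explicitly even when absent from the + list;
# the first and last are the ones named in the reply (assumed NSS names).
EXTRA_DISABLE = ("rsa_null_md5", "rsa_null_sha", "fortezza_null")


def unfold_ldif(text):
    """Join LDIF continuation lines (leading single space) onto their parent line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def get_attr(lines, name):
    """Return the value of the first 'name: value' line (base64 '::' not handled)."""
    prefix = name.lower() + ":"
    for line in lines:
        if line.lower().startswith(prefix):
            return line[len(prefix):].strip()
    raise KeyError(name)


def parse_ciphers(value):
    """Split an nsSSL3Ciphers value into (sign, cipher_name) pairs."""
    entries = []
    for tok in value.split(","):
        tok = tok.strip()
        if not tok:
            continue
        if tok[0] not in "+-":
            raise ValueError("cipher entry without +/- prefix: %r" % tok)
        entries.append((tok[0], tok[1:].lower()))
    return entries


def weak_reasons(name):
    """List the policy rules a cipher name violates (empty list means acceptable)."""
    return [reason for reason, rx in WEAK_RULES if rx.search(name)]


def audit(value):
    """Classify every entry of the attribute value as enabled-weak, enabled-ok or disabled."""
    report = {"enabled_weak": [], "enabled_ok": [], "disabled": []}
    for sign, name in parse_ciphers(value):
        if sign == "-":
            report["disabled"].append(name)
        elif weak_reasons(name):
            report["enabled_weak"].append(name)
        else:
            report["enabled_ok"].append(name)
    return report


def harden(value, extra_disable=EXTRA_DISABLE):
    """Flip weak entries to '-' and append '-' entries for ciphers not listed at all."""
    entries = parse_ciphers(value)
    out = [("-" if weak_reasons(name) else sign) + name for sign, name in entries]
    listed = {name for _, name in entries}
    out.extend("-" + name for name in extra_disable if name not in listed)
    return ",".join(out)


def fold_ldif_attr(name, value, width=78):
    """Write 'name: value' back in LDIF form, folding at width with space continuations."""
    line = "%s: %s" % (name, value)
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(out)


SAMPLE_VALUE = get_attr(unfold_ldif(SAMPLE_LDIF), "nsSSL3Ciphers")

if __name__ == "__main__":
    for name in audit(SAMPLE_VALUE)["enabled_weak"]:
        print("WEAK enabled: %s (%s)" % (name, ", ".join(weak_reasons(name))))
    print(fold_ldif_attr("nsSSL3Ciphers", harden(SAMPLE_VALUE)))
```

The folded output is what goes back into dse.ldif as the nsSSL3Ciphers line while the directory server is stopped, as in the procedure quoted above. After the restart, confirm the result against the listening LDAP/LDAPS ports with a TLS scanner rather than trusting the file: the effective cipher set is the NSS default plus these adjustments, not the attribute value alone.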
