[Freeipa-users] weak and null ciphers detected on ldap ports

Ludwig Krispenz lkrispen at redhat.com
Wed Oct 8 15:49:14 UTC 2014


Hi,

I did a test with 1.2.11.15-33

first test:
nsSSL3Ciphers: +all
running nmap gave:
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA - strong
|       SSL_RSA_FIPS_WITH_DES_CBC_SHA - weak
|       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA - weak
|       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA - weak
|       TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 - weak
|       TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_DES_CBC_SHA - weak
|       TLS_RSA_WITH_NULL_SHA - broken <<<<<<<<<<<<<<
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|_  least strength: broken

next test:
nsSSL3Ciphers: +all,-rsa_null_sha

nmap result:
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA - strong
|       SSL_RSA_FIPS_WITH_DES_CBC_SHA - weak
|       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA - weak
|       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA - weak
|       TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 - weak
|       TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_DES_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|_  least strength: weak

maybe you can try adding "-rsa_null_sha" to your nsSSL3Ciphers config.

On 10/08/2014 09:10 AM, Murty, Ajeet (US - Arlington) wrote:
> Understood. Thank you for clarifying all that.
> I believe my best options at this point are to rebuild my environment on CentOS 7, enable COPR repo, and get the latest version of FreeIPA 4.x.
> I will hold out for a few more weeks to see if someone at RedHat can provide a fix/patch for the older version. Fingers crossed.
>
>
> -----Original Message-----
> From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
> Sent: Wednesday, October 08, 2014 2:01 AM
> To: Murty, Ajeet (US - Arlington)
> Cc: Rob Crittenden; Rich Megginson; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
>
> On Wed, 08 Oct 2014, Murty, Ajeet (US - Arlington) wrote:
>> Any ideas on what else I can try here?
>> Also, can we expect the new IPA and DS to be available in the CentOS/YUM repository in the next few weeks/months?
> In general, FreeIPA team doesn't do backports to older versions due to
> tight cooperation with other components when introducing new features.
> We depend a lot on changes in 389-ds, Dogtag, MIT Kerberos, and SSSD, at least,
> but also in Samba and other components, including Linux kernel.
>
> Backporting all the changes to older releases of certain distributions
> is left to distribution maintainers. For Fedora we do have some freedom
> on what can be done and try to maintain availability of FreeIPA releases
> on two current versions but sometimes it is impossible due to update
> polices -- Fedora 20 got 4.0.x upgrade via COPR repository while we are
> cleaning up Fedora 21 for 4.1 support.
>
> In case of Red Hat Enterprise Linux releases, Red Hat itself (I cannot
> speak for the company) makes decisions what to support and these
> decisions are also based on certain stability promises for ABI, see
> https://access.redhat.com/solutions/5154 for details. Some of components
> FreeIPA depends on change their ABI and therefore the changes can only
> be introduced in newer major releases. When these changes occurred, we
> coordinated with Red Hat engineering teams to make sure most important
> changes were folded into RHEL 7.0 release to provide a base for FreeIPA
> integration.
>
> For CentOS, as it tracks corresponding Red Hat Enterprise Linux
> releases, situation is similar. For packages that are not in RHEL/CentOS
> releases there are means to provide them through a side channels, like
> EPEL, but EPEL's policy prevents from packaging something that is
> available through the main channels for the release.
>
> We use COPR repositories to make possible to install newer FreeIPA
> versions on RHEL 7/CentOS 7/Fedora 20. However, these packages have no
> official support from Red Hat or CentOS project. They are FreeIPA
> upstream effort to make our releases more easily testable. For any issues
> found through COPR repositories you are welcome to file tickets to
> FreeIPA issue tracker at https://fedorahosted.org/freeipa/.
>
>
>> Thanks again for all your help.
>>
>>
>> -----Original Message-----
>> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Murty, Ajeet (US - Arlington)
>> Sent: Tuesday, October 07, 2014 1:21 PM
>> To: Alexander Bokovoy
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
>>
>> I removed the new lines, looks like this now -
>>
>> modifyTimestamp: 20140915221826Z
>> nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
>> +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
>> rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
>> a_export1024_with_des_cbc_sha
>> numSubordinates: 1
>>
>> I am still seeing the null ciphers in my scan results.
>>
>>
>>
>> -----Original Message-----
>> From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
>> Sent: Tuesday, October 07, 2014 1:08 PM
>> To: Murty, Ajeet (US - Arlington)
>> Cc: Rob Crittenden; Rich Megginson; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
>>
>> On Tue, 07 Oct 2014, Murty, Ajeet (US - Arlington) wrote:
>>> I shutdown IPA and modified both dse ldif files to look like this -
>>>
>>>         nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
>>>          +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
>>>          rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
>>>          a_export1024_with_des_cbc_sha
>>>
>>>
>>> Then, when I try to start up IPA, I get this error message -
>>>
>>>         [root]# /etc/init.d/ipa start
>>>         Starting Directory Service
>>>         Starting dirsrv:
>>>                 EXAMPLE-COM...[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
>>>         [07/Oct/2014:12:49:59 -0400] - The entry [nsSSL3Ciphers] in the configfile /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif was empty or could not be parsed
>>>         [07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
>> The lines above suggest that you actually separated nsSSL3Ciphers line
>> from the entry itself. At least in my case it looks like this:
>> dn: cn=encryption,cn=config
>> objectClass: top
>> objectClass: nsEncryptionConfig
>> cn: encryption
>> nsSSLSessionTimeout: 0
>> nsSSLClientAuth: allowed
>> nsSSL2: off
>> nsSSL3: off
>> creatorsName: cn=server,cn=plugins,cn=config
>> modifiersName: cn=directory manager
>> createTimestamp: 20141001151245Z
>> modifyTimestamp: 20141001151430Z
>> nsSSL3Ciphers: +all
>> allowWeakCipher: off
>> numSubordinates: 1
>>
>> note that it is part of cn=encryption,cn=config entry. You cannot
>> separate attributes within the entry with empty lines because empty line
>> finishes current entry and starts another one.
>>
>>>         [07/Oct/2014:12:49:59 -0400] - The entry [numSubordinates] in the configfile /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif was empty or could not be parsed
>>>         [07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
>>>         [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry (lineno: 116) in file /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif failed.
>>>         [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section [nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
>>>          +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
>>>          rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
>>>          a_export1024_with ...]
>>>         [07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
>>>         [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry (lineno: 121) in file /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif failed.
>>>         [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section [numSubordinates: 1]
>>>         [07/Oct/2014:12:49:59 -0400] dse - Could not load config file [dse.ldif]
>>>         [07/Oct/2014:12:49:59 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
>>>                                                                                                                            [FAILED]
>>>                 PKI-IPA...[07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
>>>         [07/Oct/2014:12:49:59 -0400] - The entry [nsSSL3Ciphers] in the configfile /etc/dirsrv/slapd-PKI-IPA/dse.ldif was empty or could not be parsed
>>>         [07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
>>>         [07/Oct/2014:12:49:59 -0400] - The entry [numSubordinates] in the configfile /etc/dirsrv/slapd-PKI-IPA/dse.ldif was empty or could not be parsed
>>>         [07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
>>>         [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry (lineno: 110) in file /etc/dirsrv/slapd-PKI-IPA/dse.ldif failed.
>>>         [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section [nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
>>>          +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
>>>          rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
>>>          a_export1024_with ...]
>>>         [07/Oct/2014:12:49:59 -0400] - str2entry_dupcheck: entry has no dn
>>>         [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Parsing entry (lineno: 115) in file /etc/dirsrv/slapd-PKI-IPA/dse.ldif failed.
>>>         [07/Oct/2014:12:49:59 -0400] dse_read_one_file - Invalid section [numSubordinates: 1]
>>>         [07/Oct/2014:12:49:59 -0400] dse - Could not load config file [dse.ldif]
>>>         [07/Oct/2014:12:49:59 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
>>>                                                                                                                            [FAILED]
>>>
>>> -----Original Message-----
>>> From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
>>> Sent: Tuesday, October 07, 2014 12:43 PM
>>> To: Murty, Ajeet (US - Arlington)
>>> Cc: Rob Crittenden; Rich Megginson; freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] weak and null ciphers detected on ldap ports
>>>
>>> On Tue, 07 Oct 2014, Murty, Ajeet (US - Arlington) wrote:
>>>> I was shutting down IPA before making any changes -
>>>>
>>>> 1. Shutdown IPA -
>>>>
>>>> [root]# /etc/init.d/ipa stop
>>>> Stopping CA Service
>>>> Stopping pki-ca:                                           [  OK  ]
>>>> Stopping HTTP Service
>>>> Stopping httpd:                                            [  OK  ]
>>>> Stopping MEMCACHE Service
>>>> Stopping ipa_memcached:                                    [  OK  ]
>>>> Stopping KPASSWD Service
>>>> Stopping Kerberos 5 Admin Server:                          [  OK  ]
>>>> Stopping KDC Service
>>>> Stopping Kerberos 5 KDC:                                   [  OK  ]
>>>> Stopping Directory Service
>>>> Shutting down dirsrv:
>>>>     EXAMPLE-COM...                                         [  OK  ]
>>>>     PKI-IPA...                                             [  OK  ]
>>>>
>>>> 2. Edit 'dse.ldif' files to remove null ciphers -
>>>>
>>>> nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+
>>>> rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128
>>>> _sha,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
>>>> numSubordinates: 1
>>> I think Ludwig gave a good suggestion -- instead of removing them from
>>> the list, prefix the *_null ciphers with -, i.e. -rsa_null_md5, -fortezza_null.
>>> The way nsSSL3Ciphers attribute works, is by modifying default NSS
>>> ciphers list, with + and - to add and remove the ciphers accordingly.
>>>
>>> --
>>> / Alexander Bokovoy
>> -- 
>> / Alexander Bokovoy
>>
>> -- 
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go To http://freeipa.org for more info on the project
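A config-level check of the two things this thread turns on, the +/- syntax of nsSSL3Ciphers and the LDIF rule that a blank line ends an entry, written as an added example (not code from the list or from 389-ds): it unfolds continuation lines, rejects an entry that has been cut off from its dn, and reports which null ciphers a given spec still leaves enabled. The sample LDIF is constructed, and NULL_CIPHERS is seeded only with the three null cipher names mentioned in the thread.

```python
# Null-cipher names as they appear in this thread; NSS knows others (seed list only).
NULL_CIPHERS = {"rsa_null_md5", "rsa_null_sha", "fortezza_null"}

# Constructed cn=encryption,cn=config entry; the value is folded onto a continuation line.
SAMPLE_LDIF = """dn: cn=config
cn: config

dn: cn=encryption,cn=config
cn: encryption
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_des_sha,+rsa_3des_sha,
 +fortezza,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha
numSubordinates: 1
"""

def parse_ldif(text):
    """Map dn -> {attr: [values]}. A blank line ends an entry; a line that
    starts with a space continues the previous value (LDIF folding)."""
    entries, lines = {}, []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
        elif lines:
            attrs = {}
            for line in lines:
                key, val = line.split(":", 1)
                attrs.setdefault(key, []).append(val.strip())
            if "dn" not in attrs:  # what dirsrv logs as "entry has no dn"
                raise ValueError("entry has no dn: " + lines[0])
            entries[attrs["dn"][0]] = attrs
            lines = []
    return entries

def cipher_spec(text):
    """Return nsSSL3Ciphers as (sign, name) pairs, e.g. ('-', 'rsa_null_md5')."""
    value = parse_ldif(text)["cn=encryption,cn=config"]["nsSSL3Ciphers"][0]
    return [(tok[0], tok[1:].lower()) for tok in value.split(",") if tok]

def enabled_null_ciphers(spec):
    """Apply +/- tokens in order: '+all' enables all, a later '-name' disables one."""
    enabled = set()
    for sign, name in spec:
        if name == "all":
            enabled = set(NULL_CIPHERS) if sign == "+" else set()
        elif name in NULL_CIPHERS:
            (enabled.add if sign == "+" else enabled.discard)(name)
    return sorted(enabled)
```

The result describes the configuration, not what NSS actually negotiates, so confirm it with a scan as Ludwig did above.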