[Freeipa-users] weak and null ciphers detected on ldap ports
Nathan Kinder
nkinder at redhat.com
Mon Sep 22 20:07:03 UTC 2014
On 09/22/2014 05:03 AM, Murty, Ajeet (US - Arlington) wrote:
> Security scan of FreeIPA server ports uncovered weak, medium and null
> ciphers on port 389 and 636. We are running ‘ipa-server-3.0.0-37.el6.i686’.
>
> How can I disable/remove these ciphers in my existing setup?
This has recently been worked on in this 389-ds-base ticket:
https://fedorahosted.org/389/ticket/47838
As mentioned in the initial description of that ticket, you can
configure the allowed ciphers in the "cn=config" entry in 389-ds-base.
You can edit this over LDAP, or by stopping 389-ds-base and editing
/etc/dirsrv/slapd-<REALM>/dse.ldif.
Thanks,
-NGK
>
> Ciphers Discovered -
>
> TLSv1
>
> EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
> EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
>
> TLSv1
>
> EXP1024-DES-CBC-SHA Kx=RSA(1024) Au=RSA Enc=DES-CBC(56) Mac=SHA1 export
> EXP1024-RC4-SHA Kx=RSA(1024) Au=RSA Enc=RC4(56) Mac=SHA1 export
> DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1
>
> TLSv1
>
> NULL-SHA Kx=RSA Au=RSA Enc=None Mac=SHA1
>
> Thanks,
>
> Amb.
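For re-checking a scan after the cipher configuration has been changed, here is an added example (not code from this thread or from 389-ds-base) that parses cipher lines in the `NAME Kx= Au= Enc= Mac=` layout of the quoted scan report, tolerating mail quote markers and entries wrapped across two lines, and lists the suites that still fail. The 128-bit threshold, the function names and the AES256-SHA sample entry are assumptions of this example.

```python
import re

# Constructed sample in the layout of the quoted scan report, ">"-quoted and
# wrapped as in the mail. AES256-SHA is not from the report (passing case).
SAMPLE = """\
> TLSv1
> EXP-RC4-MD5 Kx=RSA(512) Au=RSA
> Enc=RC4(40) Mac=MD5 export
> DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1
> NULL-SHA Kx=RSA Au=RSA
> Enc=None Mac=SHA1
> AES256-SHA Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
"""
FIELD = re.compile(r"\b(Kx|Au|Enc|Mac)=(\S+)")
BITS = re.compile(r"\((\d+)\)")
MIN_BITS = 128  # assumed policy threshold, not taken from the thread

def join_entries(text):
    """Strip mail quoting and undo wrapping: one string per cipher suite."""
    entries = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        if FIELD.match(line):            # continuation line, starts with Enc=...
            if entries:
                entries[-1] += " " + line
        elif FIELD.search(line):         # new entry: NAME Kx=... Au=...
            entries.append(line)
    return entries                       # headers such as "TLSv1" are dropped

def audit(text):
    """Return {suite: [reasons]} for each suite that fails the assumed policy."""
    findings = {}
    for entry in join_entries(text):
        tokens = entry.split()
        fields = dict(FIELD.findall(entry))
        enc = fields.get("Enc", "")
        bits = BITS.search(enc)
        reasons = ["export grade"] if tokens[-1] == "export" else []
        if enc == "None":
            reasons.append("no encryption")
        elif bits and int(bits.group(1)) < MIN_BITS:
            reasons.append(f"{bits.group(1)}-bit cipher")
        if fields.get("Mac") == "MD5":
            reasons.append("MD5 MAC")
        if reasons:
            findings[tokens[0]] = reasons
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty result from `audit()` on a fresh scan of ports 389 and 636 means none of the listed suites fall below the assumed policy.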