[Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

Rob Crittenden rcritten at redhat.com
Thu Nov 5 03:22:21 UTC 2015


Prasun Gera wrote:
> Thanks for the ticket information. I would still be interested in
> configuring mod_nss properly (irrespective of whether the certs are ipa
> generated or 3rd party). These are the worrying notes from ssllabs test:
> 
> The server supports only older protocols, but not the current best TLS
> 1.2. Grade capped to C.

TLSv1.2 support in mod_nss will be available in RHEL 7.2. The version of
mod_nss in 7.1 only supports up to v1.1.

> This server accepts the RC4 cipher, which is weak. Grade capped to B.

You'll need to manually set your own cipher list excluding RC4 ciphers.
It depends on how compatible you want to be with older clients, but
perhaps something like this:

NSSCipherSuite +rsa_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,+ecdhe_rsa_aes_256_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_3des_sha

> The server does not support Forward Secrecy with the reference browsers.

This will go away when you enable the ECDHE ciphers.

Changes to this file should survive upgrades.

rob

> 
> 
> On Wed, Nov 4, 2015 at 4:44 PM, Fraser Tweedale <ftweedal at redhat.com> wrote:
> 
>     On Wed, Nov 04, 2015 at 03:20:22PM -0800, Prasun Gera wrote:
>     > I'm using idm (4.1.x) on a RHEL 7.1 with the webui accessible publicly. I'm
>     > using a stock configuration which uses the certs signed by ipa's CA for the
>     > webui. This is mostly for convenience since it manages renewals seamlessly.
>     > This, however, requires users to add the CA as trusted to their browsers. A
>     > promising alternative to this is https://letsencrypt.org/, which issues
>     > browser trusted certs, and will manage auto renewals too (in the future).
>     > As a feature request, it would be nice to have closer integration between
>     > ipa and the letsencrypt client which would make managing certs simple. I'm
>     > about to set this up manually right now using the external ssl certs guide.
>     >
>     Let's Encrypt is on our radar.  I like the idea of being able to
>     install FreeIPA with publicly-trusted certs for HTTP and LDAP from
>     the beginning.  This would require some work in ipa-server-install
>     in addition to certmonger support and a good, stable Let's Encrypt /
>     ACME client implementation for Apache on Fedora.
> 
>     Installing publicly-trusted HTTP / LDAP certs is a common activity
>     so I filed a ticket: https://fedorahosted.org/freeipa/ticket/5431
> 
>     Cheers,
>     Fraser
> 
>     > Secondly, since the webui uses mod_nss, how would one set it up to
>     > prefer security over compatibility with older clients? The vast
>     > majority of documentation online (e.g.
>     > https://mozilla.github.io/server-side-tls/ssl-config-generator/)
>     > is about mod_ssl and I think the configuration doesn't transfer
>     > directly to mod_nss. Since this is the only web facing component,
>     > I would like to set it up to use stringent requirements. Right now,
>     > a test on https://www.ssllabs.com/ssltest/ and
>     > https://weakdh.org/sysadmin.html identifies several issues. Since
>     > these things are not really my area of expertise, I would like some
>     > documentation regarding this. Also, would manually modifying any of
>     > the config files be overwritten by a yum update?
> 
> 
> 
> 
> 
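The reply above boils down to three checks on nss.conf: no RC4 suites in NSSCipherSuite, at least one ecdhe_* suite so that Forward Secrecy is offered, and TLSv1.2 listed in NSSProtocol once a mod_nss that supports it (RHEL 7.2 per the reply) is installed. The script below is an added example written for this archive page, not code from the thread, from mod_nss, or from FreeIPA. It reads the two mod_nss directives out of a config fragment, applies mod_nss's +name / -name enable/disable syntax, and reports which of the three checks fail. The two sample configs are constructed for the example: the "weak" one mirrors the kind of stock list the ssllabs findings describe, the "hardened" one uses the cipher list from the reply plus a TLSv1.2 entry that assumes the newer mod_nss.

```python
# Audit helper for the NSSProtocol / NSSCipherSuite directives of mod_nss.
# Added example, not part of the mailing-list thread or of mod_nss itself.

# Constructed sample fragments (not copied from any real system).
WEAK_CONF = """
# stock-style list: RC4 enabled, no ECDHE, no TLS 1.2
NSSProtocol TLSv1.0,TLSv1.1
NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
"""

HARDENED_CONF = """
# cipher list from the reply; TLSv1.2 assumes a mod_nss build that supports it
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
NSSCipherSuite +rsa_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,+ecdhe_rsa_aes_256_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_3des_sha
"""


def parse_nss_conf(text):
    """Return {directive: value} for NSSProtocol and NSSCipherSuite lines.

    Blank lines, comments and other directives are skipped. If a directive
    appears more than once the last occurrence wins, as Apache would apply it.
    """
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in ("NSSProtocol", "NSSCipherSuite"):
            found[parts[0]] = parts[1].strip()
    return found


def enabled_ciphers(suite_value):
    """Apply mod_nss cipher syntax: '+name' enables a suite, '-name' disables it.

    Tokens are processed left to right, so a later '-name' removes an earlier
    '+name'. Returns the set of enabled suite names, lower-cased.
    """
    enabled = set()
    for tok in suite_value.split(","):
        tok = tok.strip()
        if tok.startswith("+"):
            enabled.add(tok[1:].lower())
        elif tok.startswith("-"):
            enabled.discard(tok[1:].lower())
    return enabled


def audit(text):
    """Return a list of findings for a config fragment; an empty list passes."""
    conf = parse_nss_conf(text)
    findings = []

    protocols = {p.strip().lower()
                 for p in conf.get("NSSProtocol", "").split(",") if p.strip()}
    if "tlsv1.2" not in protocols:
        findings.append("NSSProtocol does not include TLSv1.2")

    ciphers = enabled_ciphers(conf.get("NSSCipherSuite", ""))
    rc4 = sorted(c for c in ciphers if "rc4" in c)
    if rc4:
        findings.append("RC4 suites enabled: " + ", ".join(rc4))
    if not any(c.startswith("ecdhe_") for c in ciphers):
        findings.append("no ECDHE suites enabled (no forward secrecy)")

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit(conf)
        print(label + ":", "OK" if not result else "; ".join(result))
```

To run it against a live system, replace the constructed strings with the contents of the nss.conf used by the IPA web server (read the file and pass the text to audit()); the checks are on the configuration only and say nothing about what the running server actually negotiates, so a follow-up scan such as the ssllabs test mentioned in the thread is still the final word.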