[Freeipa-users] How to turn off RC4 in 389ds???
Michael Lasevich
mlasevich at gmail.com
Wed Sep 23 15:50:39 UTC 2015
No difference. It is as if this setting is being overwritten somewhere deep
in 389ds, because the "error" log correctly reflects the changes, but the
actual process does not. (And yes, I verified that the process actually
shuts down and starts up again when I restart it.)
ldapsearch -x -D "cn=directory manager" -W -b "cn=encryption,cn=config"
# encryption, config
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
sslVersionMin: TLS1.0
nsSSL3Ciphers: +all
allowWeakCipher: off
nsSSL3: off
nsSSL2: off
... (skipping nssslenabledciphers's) ...
nsTLS1: on
sslVersionMax: TLS1.2
SLAPD error log got longer:
SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
[23/Sep/2015:09:37:28 -0600] - SSL alert: Configured NSS Ciphers
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA:
enabled
[23/Sep/2015:09:37:29 -0600] - 389-Directory/1.3.3.8 B2015.040.128 starting
up
SSLScan Output:
sslscan --no-failed localhost:636
...
Supported Server Cipher(s):
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 128 bits DES-CBC3-SHA
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
Accepted TLS11 256 bits AES256-SHA
Accepted TLS11 128 bits AES128-SHA
Accepted TLS11 128 bits DES-CBC3-SHA
Accepted TLS11 128 bits RC4-SHA
Accepted TLS11 128 bits RC4-MD5
Accepted TLS12 256 bits AES256-SHA256
Accepted TLS12 256 bits AES256-SHA
Accepted TLS12 128 bits AES128-GCM-SHA256
Accepted TLS12 128 bits AES128-SHA256
Accepted TLS12 128 bits AES128-SHA
Accepted TLS12 128 bits DES-CBC3-SHA
Accepted TLS12 128 bits RC4-SHA
Accepted TLS12 128 bits RC4-MD5
On Wed, Sep 23, 2015 at 8:19 AM, Ludwig Krispenz <lkrispen at redhat.com>
wrote:
>
> On 09/23/2015 05:05 PM, Michael Lasevich wrote:
>
> Yes, I am talking about 389ds as is integrated in FreeIPA (would be silly
> to post completely non-IPA questions to this list...).
> I am running FreeIPA 4.1.4 on CentOS 7.1 and RC4 is enabled on port 636 no
> matter what I do.
>
> I am running "CentOS Linux release 7.1.1503 (Core)"
>
> Relevant Packages:
>
> freeipa-server-4.1.4-1.el7.centos.x86_64
> 389-ds-base-1.3.3.8-1.el7.centos.x86_64
> nss-3.19.1-5.el7_1.x86_64
> openssl-1.0.1e-42.el7.9.x86_64
>
> LDAP setting (confirmed that in error.log there is no mention of RC4 in the
> list of ciphers):
>
> nsSSL3Ciphers:
> -rc4,-rc4export,-rc2,-rc2export,-des,-desede3,-rsa_rc4_128_md5,-rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,+rsa_fips_3des_sha,+fips_3des_sha,-rsa_fips_des_sha,-fips_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,-tls_rsa_export1024_with_rc4_56_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha,-rsa_des_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-dhe_dss_des_sha,+dhe_dss_3des_sha,-dhe_rsa_des_sha,+dhe_rsa_3des_sha,+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,+tls_dhe_dss_aes_256_sha,+tls_dhe_rsa_aes_256_sha,-tls_dhe_dss_1024_rc4_sha,-tls_dhe_dss_rc4_128_sha
>
> with ipa the config entry should contain:
>
> dn: cn=encryption,cn=config
> allowWeakCipher: off
> nsSSL3Ciphers: +all
>
> could you try this setting
>
> Slapd "error" log showing no ciphersuites supporting RC4:
>
> [23/Sep/2015:08:51:04 -0600] SSL Initialization - Configured SSL version
> range: min: TLS1.0, max: TLS1.2
> [23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite fortezza is not
> available in NSS 3.16. Ignoring fortezza
> [23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite
> fortezza_rc4_128_sha is not available in NSS 3.16. Ignoring
> fortezza_rc4_128_sha
> [23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite fortezza_null is
> not available in NSS 3.16. Ignoring fortezza_null
> [23/Sep/2015:08:51:04 -0600] - SSL alert: Configured NSS Ciphers
> [23/Sep/2015:08:51:04 -0600] - SSL alert:
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
> [23/Sep/2015:08:51:04 -0600] - SSL alert:
> TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
> [23/Sep/2015:08:51:04 -0600] - SSL alert:
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
> [23/Sep/2015:08:51:04 -0600] - SSL alert:
> TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
> [23/Sep/2015:08:51:04 -0600] - SSL alert:
> TLS_RSA_WITH_AES_128_CBC_SHA: enabled
> [23/Sep/2015:08:51:04 -0600] - SSL alert:
> TLS_RSA_WITH_AES_256_CBC_SHA: enabled
> [23/Sep/2015:08:51:04 -0600] - 389-Directory/1.3.3.8 B2015.040.128
> starting up
>
> But sslscan returns:
>
> $ sslscan --no-failed localhost:636
> ...
>
> Supported Server Cipher(s):
>
> Accepted TLSv1 256 bits AES256-SHA
> Accepted TLSv1 128 bits AES128-SHA
> Accepted TLSv1 128 bits DES-CBC3-SHA
> Accepted TLSv1 128 bits RC4-SHA
> Accepted TLSv1 128 bits RC4-MD5
> Accepted TLS11 256 bits AES256-SHA
> Accepted TLS11 128 bits AES128-SHA
> Accepted TLS11 128 bits DES-CBC3-SHA
> Accepted TLS11 128 bits RC4-SHA
> Accepted TLS11 128 bits RC4-MD5
> Accepted TLS12 256 bits AES256-SHA256
> Accepted TLS12 256 bits AES256-SHA
> Accepted TLS12 128 bits AES128-GCM-SHA256
> Accepted TLS12 128 bits AES128-SHA256
> Accepted TLS12 128 bits AES128-SHA
> Accepted TLS12 128 bits DES-CBC3-SHA
> Accepted TLS12 128 bits RC4-SHA
> Accepted TLS12 128 bits RC4-MD5
>
> ...
>
>
> I would assume the sslscan is broken, but nmap and other scanners all
> confirm that RC4 is still on.
>
> -M
>
> On Wed, Sep 23, 2015 at 3:35 AM, Martin Kosek <mkosek at redhat.com> wrote:
>
>> On 09/23/2015 11:00 AM, Michael Lasevich wrote:
>> > OK, this is most bizarre issue,
>> >
>> > I am trying to disable RC4 based TLS Cipher Suites in LDAPs(port 636)
>> and
>> > for the life of me cannot get it to work
>> >
>> > I have followed many nearly identical instructions to create ldif file
>> and
>> > change "nsSSL3Ciphers" in "cn=encryption,cn=config". Seems simple
>> enough -
>> > and I get it to take, and during the startup I can see the right SSL
>> Cipher
>> > Suites listed in errors.log - but when it starts and I probe it, RC4
>> > ciphers are still there. I am completely confused.
>> >
>> > I tried setting "nsSSL3Ciphers" to "default" (which does not have "RC4")
>> > and to old style cipher lists (lowercase), and new style cipher
>> > lists (uppercase), and nothing seems to make any difference.
>> >
>> > Any ideas?
>> >
>> > -M
>>
>> Are you asking about standalone 389-DS or the one integrated in FreeIPA?
>> As
>> with currently supported versions of FreeIPA, RC4 ciphers should be
>> already
>> gone, AFAIK.
>>
>> In RHEL/CentOS world, it should be fixed in 6.7/7.1 or later:
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1154687
>> https://fedorahosted.org/freeipa/ticket/4653
>>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
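The thread's core observation is a mismatch: the slapd errors log lists the suites NSS was configured with, yet sslscan still negotiates RC4-SHA and RC4-MD5 on port 636. The script below is an added example (not code from the thread, from 389-ds or from FreeIPA) that makes that reconciliation mechanical: it parses the "SSL alert: <suite>: enabled" lines of the errors log, parses the "Accepted <proto> <bits> bits <suite>" lines of sslscan output, maps the OpenSSL suite names sslscan prints onto the IANA names 389-ds logs, and reports every negotiated suite the server never said it enabled, plus anything matching a weak-cipher pattern. It also checks an nsSSL3Ciphers value for tokens that could bring RC4 back. Both sample inputs are constructed from the formats shown above; the OpenSSL-to-IANA map only covers the names that appear in the thread, and the "+all" check assumes, as Ludwig's note implies, that "+all" is only RC4-free when paired with allowWeakCipher: off.

```python
"""Reconcile the cipher suites 389-ds logs as enabled with what a TLS scanner sees.

Added example, not code from the thread, 389-ds or FreeIPA. The two sample
inputs are constructed from the log and sslscan formats shown in the thread.
"""
import re

# Constructed sample in the slapd errors log format from the thread.
SLAPD_ERRORS = """\
[23/Sep/2015:08:51:04 -0600] - SSL alert: Configured NSS Ciphers
[23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[23/Sep/2015:08:51:04 -0600] - 389-Directory/1.3.3.8 B2015.040.128 starting up
"""

# Constructed sample in the "sslscan --no-failed" output format from the thread.
SSLSCAN_OUTPUT = """\
Supported Server Cipher(s):
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 128 bits DES-CBC3-SHA
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
Accepted TLS12 128 bits AES128-GCM-SHA256
"""

# OpenSSL suite names (what sslscan prints) -> IANA names (what 389-ds logs).
# Only the names that occur in the thread are mapped; extend for other scans.
OPENSSL_TO_IANA = {
    "AES256-SHA": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "AES128-SHA": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "DES-CBC3-SHA": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "RC4-SHA": "TLS_RSA_WITH_RC4_128_SHA",
    "RC4-MD5": "TLS_RSA_WITH_RC4_128_MD5",
    "AES256-SHA256": "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "AES128-SHA256": "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "AES128-GCM-SHA256": "TLS_RSA_WITH_AES_128_GCM_SHA256",
}

# Suites a change like the one in the thread is meant to remove (RC4, MD5 MAC,
# single/triple DES, NULL and export suites).
WEAK_RE = re.compile(r"RC4|MD5|DES|NULL|EXP", re.IGNORECASE)
LOG_RE = re.compile(r"SSL alert: (TLS_[A-Z0-9_]+): (enabled|disabled)")
SCAN_RE = re.compile(r"^Accepted\s+(\S+)\s+(\d+) bits\s+(\S+)", re.MULTILINE)


def configured_enabled(slapd_log):
    """IANA names 389-ds reports as enabled at startup: the intended set."""
    return {m.group(1) for m in LOG_RE.finditer(slapd_log) if m.group(2) == "enabled"}


def observed(sslscan_text):
    """(protocol, bits, openssl_name) tuples the scanner actually negotiated."""
    return [(proto, int(bits), name) for proto, bits, name in SCAN_RE.findall(sslscan_text)]


def reconcile(slapd_log, sslscan_text):
    """Compare intended vs. observed suites. 'unexpected' holds IANA names the
    scanner negotiated but the server never logged as enabled; 'unmapped' holds
    OpenSSL names this script cannot translate and so cannot judge."""
    intended = configured_enabled(slapd_log)
    unexpected, weak, unmapped = set(), set(), set()
    for _proto, _bits, name in observed(sslscan_text):
        if WEAK_RE.search(name):
            weak.add(name)
        iana = OPENSSL_TO_IANA.get(name)
        if iana is None:
            unmapped.add(name)
        elif iana not in intended:
            unexpected.add(iana)
    return {"intended": intended, "unexpected": unexpected, "weak": weak, "unmapped": unmapped}


def rc4_enabled_in_nsssl3ciphers(value):
    """Tokens of an nsSSL3Ciphers value that can bring RC4 back: explicit
    '+...rc4...' entries, and '+all', which (assumption, per the thread) only
    excludes the RC4 suites when allowWeakCipher: off is also set."""
    hits = []
    for token in (t.strip() for t in value.split(",")):
        lowered = token.lower()
        if token.startswith("+") and ("rc4" in lowered or lowered == "+all"):
            hits.append(token)
    return hits


if __name__ == "__main__":
    result = reconcile(SLAPD_ERRORS, SSLSCAN_OUTPUT)
    for key in ("unexpected", "weak", "unmapped"):
        print(f"{key}: {sorted(result[key])}")
    print("nsSSL3Ciphers RC4 risk:", rc4_enabled_in_nsssl3ciphers("-rc4,+rsa_rc4_128_sha,+all"))
```

Run it against a real errors log and a real sslscan capture by replacing the two constructed strings. A non-empty "unexpected" set is exactly the symptom in this thread and means the scanner is not talking to the listener you reconfigured (or the listener is not using that configuration), so the next step is to confirm which process owns port 636 and which configuration it loaded, not to keep editing the cipher list.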