[Freeipa-users] How to turn off RC4 in 389ds???

Michael Lasevich mlasevich at gmail.com
Wed Sep 23 15:50:39 UTC 2015


No difference. It is as if this setting is being overwritten somewhere deep
in 389ds, because the "error" log correctly reflects the changes, but the
actual process does not. (and yes, I verified that the process actually
shuts down and start up again when I restart it)

ldapsearch -x -D "cn=directory manager" -W -b "cn=encryption,cn=config"
# encryption, config
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
sslVersionMin: TLS1.0
nsSSL3Ciphers: +all
allowWeakCipher: off
nsSSL3: off
nsSSL2: off
... (skipping nssslenabledciphers's) ...
nsTLS1: on
sslVersionMax: TLS1.2

SLAPD error log got longer:

SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
[23/Sep/2015:09:37:28 -0600] - SSL alert: Configured NSS Ciphers
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
[23/Sep/2015:09:37:28 -0600] - SSL alert:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert:
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled
[23/Sep/2015:09:37:29 -0600] - 389-Directory/1.3.3.8 B2015.040.128 starting up

SSLScan Output:

sslscan --no-failed localhost:636

...
 Supported Server Cipher(s):
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  128 bits  DES-CBC3-SHA
    Accepted  TLSv1  128 bits  RC4-SHA
    Accepted  TLSv1  128 bits  RC4-MD5
    Accepted  TLS11  256 bits  AES256-SHA
    Accepted  TLS11  128 bits  AES128-SHA
    Accepted  TLS11  128 bits  DES-CBC3-SHA
    Accepted  TLS11  128 bits  RC4-SHA
    Accepted  TLS11  128 bits  RC4-MD5
    Accepted  TLS12  256 bits  AES256-SHA256
    Accepted  TLS12  256 bits  AES256-SHA
    Accepted  TLS12  128 bits  AES128-GCM-SHA256
    Accepted  TLS12  128 bits  AES128-SHA256
    Accepted  TLS12  128 bits  AES128-SHA
    Accepted  TLS12  128 bits  DES-CBC3-SHA
    Accepted  TLS12  128 bits  RC4-SHA
    Accepted  TLS12  128 bits  RC4-MD5


On Wed, Sep 23, 2015 at 8:19 AM, Ludwig Krispenz <lkrispen at redhat.com>
wrote:

>
> On 09/23/2015 05:05 PM, Michael Lasevich wrote:
>
> Yes, I am talking about 389ds as is integrated in FreeIPA (would be silly
> to post completely non-IPA questions to this list...).
> I am running FreeIPA 4.1.4 on CentOS 7.1 and RC4 is enabled on port 636 no
> matter what I do.
>
> I am running "CentOS Linux release 7.1.1503 (Core)"
>
> Relevant Packages:
>
> freeipa-server-4.1.4-1.el7.centos.x86_64
> 389-ds-base-1.3.3.8-1.el7.centos.x86_64
> nss-3.19.1-5.el7_1.x86_64
> openssl-1.0.1e-42.el7.9.x86_64
>
> LDAP setting (confirmed that in error.log there is no mention of RC4 in
> list of ciphers):
>
> nsSSL3Ciphers:
> -rc4,-rc4export,-rc2,-rc2export,-des,-desede3,-rsa_rc4_128_md5,-rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,+rsa_fips_3des_sha,+fips_3des_sha,-rsa_fips_des_sha,-fips_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,-tls_rsa_export1024_with_rc4_56_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha,-rsa_des_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-dhe_dss_des_sha,+dhe_dss_3des_sha,-dhe_rsa_des_sha,+dhe_rsa_3des_sha,+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,+tls_dhe_dss_aes_256_sha,+tls_dhe_rsa_aes_256_sha,-tls_dhe_dss_1024_rc4_sha,-tls_dhe_dss_rc4_128_sha
>
> with ipa the config entry should contain:
>
> dn: cn=encryption,cn=config
> allowWeakCipher: off
> nsSSL3Ciphers: +all
>
> could you try this setting
>
> Slapd "error" log showing no ciphersuites supporting RC4:
>
> [23/Sep/2015:08:51:04 -0600] SSL Initialization - Configured SSL version
> range: min: TLS1.0, max: TLS1.2
> [23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite fortezza is not
> available in NSS 3.16.  Ignoring fortezza
> [23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite
> fortezza_rc4_128_sha is not available in NSS 3.16.  Ignoring
> fortezza_rc4_128_sha
> [23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite fortezza_null is
> not available in NSS 3.16.  Ignoring fortezza_null
> [23/Sep/2015:08:51:04 -0600] - SSL alert: Configured NSS Ciphers
> [23/Sep/2015:08:51:04 -0600] - SSL alert:
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
> [23/Sep/2015:08:51:04 -0600] - SSL alert:
> TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
> [23/Sep/2015:08:51:04 -0600] - SSL alert:
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
> [23/Sep/2015:08:51:04 -0600] - SSL alert:
> TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
> [23/Sep/2015:08:51:04 -0600] - SSL alert:
> TLS_RSA_WITH_AES_128_CBC_SHA: enabled
> [23/Sep/2015:08:51:04 -0600] - SSL alert:
> TLS_RSA_WITH_AES_256_CBC_SHA: enabled
> [23/Sep/2015:08:51:04 -0600] - 389-Directory/1.3.3.8 B2015.040.128
> starting up
>
> But sslscan returns:
>
> $ sslscan --no-failed localhost:636
> ...
>
> Supported Server Cipher(s):
>
>     Accepted  TLSv1  256 bits  AES256-SHA
>     Accepted  TLSv1  128 bits  AES128-SHA
>     Accepted  TLSv1  128 bits  DES-CBC3-SHA
>     Accepted  TLSv1  128 bits  RC4-SHA
>     Accepted  TLSv1  128 bits  RC4-MD5
>     Accepted  TLS11  256 bits  AES256-SHA
>     Accepted  TLS11  128 bits  AES128-SHA
>     Accepted  TLS11  128 bits  DES-CBC3-SHA
>     Accepted  TLS11  128 bits  RC4-SHA
>     Accepted  TLS11  128 bits  RC4-MD5
>     Accepted  TLS12  256 bits  AES256-SHA256
>     Accepted  TLS12  256 bits  AES256-SHA
>     Accepted  TLS12  128 bits  AES128-GCM-SHA256
>     Accepted  TLS12  128 bits  AES128-SHA256
>     Accepted  TLS12  128 bits  AES128-SHA
>     Accepted  TLS12  128 bits  DES-CBC3-SHA
>     Accepted  TLS12  128 bits  RC4-SHA
>     Accepted  TLS12  128 bits  RC4-MD5
>
> ...
>
>
> I would assume the sslscan is broken, but nmap and other scanners all
> confirm that RC4 is still on.
>
> -M
>
> On Wed, Sep 23, 2015 at 3:35 AM, Martin Kosek <mkosek at redhat.com> wrote:
>
>> On 09/23/2015 11:00 AM, Michael Lasevich wrote:
>> > OK, this is most bizarre issue,
>> >
>> > I am trying to disable RC4 based TLS Cipher Suites in LDAPs(port 636)
>> and
>> > for the life of me cannot get it to work
>> >
>> > I have followed many nearly identical instructions to create ldif file
>> and
>> > change "nsSSL3Ciphers" in "cn=encryption,cn=config". Seems simple
>> enough -
>> > and I get it to take, and during the startup I can see the right SSL
>> Cipher
>> > Suites listed in errors.log - but when it starts and I probe it, RC4
>> > ciphers are still there. I am completely confused.
>> >
>> > I tried setting "nsSSL3Ciphers" to "default" (which does not have "RC4")
>> > and to old style cipher lists (lowercase), and new style cipher
>> > lists (uppercase), and nothing seems to make any difference.
>> >
>> > Any ideas?
>> >
>> > -M
>>
>> Are you asking about standalone 389-DS or the one integrated in FreeIPA?
>> As
>> with currently supported versions of FreeIPA, RC4 ciphers should be
>> already
>> gone, AFAIK.
>>
>> In RHEL/CentOS world, it should be fixed in 6.7/7.1 or later:
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1154687
>> https://fedorahosted.org/freeipa/ticket/4653
>>
>
>
>
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
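A small audit script, added here and not from the thread or from the 389ds/FreeIPA projects: it parses the slapd "Configured NSS Ciphers" log lines and the sslscan "Accepted" lines in the formats quoted above, translates OpenSSL suite names to IANA names with a partial lookup table (an assumption that covers only the suites seen in this thread), and reports which suites the port negotiates that the configuration does not list. The sample log and scan text are constructed from the thread's output.

```python
import re

# Constructed sample modelled on the slapd error log quoted in the thread.
# slapd prints "SSL alert:" and then "<IANA name>: enabled", sometimes wrapped.
SLAPD_LOG = """\
[23/Sep/2015:08:51:04 -0600] - SSL alert: Configured NSS Ciphers
[23/Sep/2015:08:51:04 -0600] - SSL alert:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[23/Sep/2015:08:51:04 -0600] - SSL alert:
TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[23/Sep/2015:08:51:04 -0600] - SSL alert:       TLS_RSA_WITH_AES_256_CBC_SHA:
enabled
"""

# Constructed sample modelled on the sslscan output quoted in the thread.
SSLSCAN_OUT = """\
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  128 bits  RC4-SHA
    Accepted  TLSv1  128 bits  RC4-MD5
    Accepted  TLS12  128 bits  DES-CBC3-SHA
"""

# Partial OpenSSL-name -> IANA-name table (assumption: only the suites in the thread).
OPENSSL_TO_IANA = {
    "AES256-SHA": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "AES128-SHA": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "AES256-SHA256": "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "AES128-SHA256": "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "AES128-GCM-SHA256": "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "DES-CBC3-SHA": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "RC4-SHA": "TLS_RSA_WITH_RC4_128_SHA",
    "RC4-MD5": "TLS_RSA_WITH_RC4_128_MD5",
}

def configured_ciphers(log_text):
    """IANA names slapd reports as enabled; \\s+ tolerates the wrapped forms."""
    return set(re.findall(r"(TLS_[A-Z0-9_]+):\s+enabled", log_text))

def accepted_ciphers(scan_text):
    """(protocol, IANA name) pairs that sslscan actually negotiated on the port."""
    pairs = set()
    for m in re.finditer(r"Accepted\s+(\S+)\s+\d+ bits\s+(\S+)", scan_text):
        proto, name = m.groups()
        pairs.add((proto, OPENSSL_TO_IANA.get(name, name)))  # unknown names kept as-is
    return pairs

def audit(log_text, scan_text):
    """Suites accepted on the wire but absent from the configured list, plus the
    RC4 subset, which is the discrepancy the thread is chasing."""
    configured = configured_ciphers(log_text)
    unexpected = sorted({name for _, name in accepted_ciphers(scan_text)} - configured)
    return unexpected, [n for n in unexpected if "RC4" in n]

if __name__ == "__main__":
    unexpected, rc4 = audit(SLAPD_LOG, SSLSCAN_OUT)
    print("accepted but not configured:", unexpected)
    print("RC4 still negotiable:", rc4)
```

Run it against a real `grep 'SSL alert' /var/log/dirsrv/slapd-*/errors` dump and the `sslscan` output for port 636; any non-empty result means the listener is not honouring the entry you edited, which is the symptom described above.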