[Freeipa-users] How to turn off RC4 in 389ds???

Michael Lasevich mlasevich at gmail.com
Sat Sep 26 07:20:09 UTC 2015


That did it.

Thank you.

On Thu, Sep 24, 2015 at 12:59 AM, Martin Kosek <mkosek at redhat.com> wrote:

> Hello Michael,
>
> It is possible that this problem comes from an obsolete package in the
> mkosek/freeipa COPR repo, which was fixed in Fedora/RHEL, but not there.
>
> Can you please try to update the 389-ds-base from
>
> https://copr.fedoraproject.org/coprs/mkosek/freeipa/
>
> ? I rebuilt the latest F21 389-ds-base to the repo, there were some
> related fixes.
>
> Thanks,
> Martin
>
> On 09/23/2015 05:50 PM, Michael Lasevich wrote:
> > No difference. It is as if this setting is being overwritten somewhere deep
> > in 389ds, because the "error" log correctly reflects the changes, but the
> > actual process does not. (And yes, I verified that the process actually
> > shuts down and starts up again when I restart it.)
> >
> > ldapsearch -x -D "cn=directory manager" -W -b "cn=encryption,cn=config"
> > # encryption, config
> > dn: cn=encryption,cn=config
> > objectClass: top
> > objectClass: nsEncryptionConfig
> > cn: encryption
> > nsSSLSessionTimeout: 0
> > nsSSLClientAuth: allowed
> > sslVersionMin: TLS1.0
> > nsSSL3Ciphers: +all
> > allowWeakCipher: off
> > nsSSL3: off
> > nsSSL2: off
> > ... (skipping nssslenabledciphers's) ...
> > nsTLS1: on
> > sslVersionMax: TLS1.2
> >
> > SLAPD error log got longer:
> >
> > SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
> > [23/Sep/2015:09:37:28 -0600] - SSL alert: Configured NSS Ciphers
> > [23/Sep/2015:09:37:28 -0600] - SSL alert:
> > TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert:
> > TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert:
> > TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert:
> > TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert:
> > TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert:
> > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert:
> > TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert:
> > TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert:
> > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert:
> > TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert:
> > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert:
> > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert:
> > TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert:
> > TLS_DHE_DSS_WITH_AES_128_GCM_SHA256: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert:
> > TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert:
> > TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
> > [23/Sep/2015:09:37:28 -0600] - SSL alert:
> > TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert:
> > TLS_DHE_DSS_WITH_AES_128_CBC_SHA256: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert:
> > TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert:
> > TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert:
> > TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert:
> > TLS_DHE_DSS_WITH_AES_256_GCM_SHA384: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert:
> > TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert:
> > TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert:
> > TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert:
> > TLS_DHE_DSS_WITH_AES_256_CBC_SHA256: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert:
> > TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert:
> > TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert:
> > TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert:
> > TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert:
> > TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert:
> > TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert:
> > TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert:
> > TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert:
> > TLS_RSA_WITH_AES_128_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert:
> > TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert:
> > TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert:
> > TLS_RSA_WITH_AES_256_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert:
> > TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert:
> > TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled
> > [23/Sep/2015:09:37:29 -0600] - 389-Directory/1.3.3.8 B2015.040.128 starting up
> >
> > SSLScan Output:
> >
> > sslscan --no-failed localhost:636
> >
> > ...
> >  Supported Server Cipher(s):
> >     Accepted  TLSv1  256 bits  AES256-SHA
> >     Accepted  TLSv1  128 bits  AES128-SHA
> >     Accepted  TLSv1  128 bits  DES-CBC3-SHA
> >     Accepted  TLSv1  128 bits  RC4-SHA
> >     Accepted  TLSv1  128 bits  RC4-MD5
> >     Accepted  TLS11  256 bits  AES256-SHA
> >     Accepted  TLS11  128 bits  AES128-SHA
> >     Accepted  TLS11  128 bits  DES-CBC3-SHA
> >     Accepted  TLS11  128 bits  RC4-SHA
> >     Accepted  TLS11  128 bits  RC4-MD5
> >     Accepted  TLS12  256 bits  AES256-SHA256
> >     Accepted  TLS12  256 bits  AES256-SHA
> >     Accepted  TLS12  128 bits  AES128-GCM-SHA256
> >     Accepted  TLS12  128 bits  AES128-SHA256
> >     Accepted  TLS12  128 bits  AES128-SHA
> >     Accepted  TLS12  128 bits  DES-CBC3-SHA
> >     Accepted  TLS12  128 bits  RC4-SHA
> >     Accepted  TLS12  128 bits  RC4-MD5
> >
> >
> > On Wed, Sep 23, 2015 at 8:19 AM, Ludwig Krispenz <lkrispen at redhat.com>
> > wrote:
> >
> >>
> >> On 09/23/2015 05:05 PM, Michael Lasevich wrote:
> >>
> >> Yes, I am talking about 389ds as is integrated in FreeIPA (would be silly
> >> to post completely non-IPA questions to this list...).
> >> I am running FreeIPA 4.1.4 on CentOS 7.1 and RC4 is enabled on port 636 no
> >> matter what I do.
> >>
> >> I am running "CentOS Linux release 7.1.1503 (Core)"
> >>
> >> Relevant Packages:
> >>
> >> freeipa-server-4.1.4-1.el7.centos.x86_64
> >> 389-ds-base-1.3.3.8-1.el7.centos.x86_64
> >> nss-3.19.1-5.el7_1.x86_64
> >> openssl-1.0.1e-42.el7.9.x86_64
> >>
> >> LDAP setting (confirmed that in error.log there is no mention of RC4 in
> >> list of ciphers):
> >>
> >> nsSSL3Ciphers:
> >>
> -rc4,-rc4export,-rc2,-rc2export,-des,-desede3,-rsa_rc4_128_md5,-rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,+rsa_fips_3des_sha,+fips_3des_sha,-rsa_fips_des_sha,-fips_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,-tls_rsa_export1024_with_rc4_56_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha,-rsa_des_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-dhe_dss_des_sha,+dhe_dss_3des_sha,-dhe_rsa_des_sha,+dhe_rsa_3des_sha,+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,+tls_dhe_dss_aes_256_sha,+tls_dhe_rsa_aes_256_sha,-tls_dhe_dss_1024_rc4_sha,-tls_dhe_dss_rc4_128_sha
> >>
> >> with ipa the config entry should contain:
> >>
> >> dn: cn=encryption,cn=config
> >> allowWeakCipher: off
> >> nsSSL3Ciphers: +all
> >>
> >> could you try this setting
> >>
> >> Slapd "error" log showing no ciphersuites supporting RC4:
> >>
> >> [23/Sep/2015:08:51:04 -0600] SSL Initialization - Configured SSL version
> >> range: min: TLS1.0, max: TLS1.2
> >> [23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite fortezza is not
> >> available in NSS 3.16.  Ignoring fortezza
> >> [23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite
> >> fortezza_rc4_128_sha is not available in NSS 3.16.  Ignoring
> >> fortezza_rc4_128_sha
> >> [23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite fortezza_null is
> >> not available in NSS 3.16.  Ignoring fortezza_null
> >> [23/Sep/2015:08:51:04 -0600] - SSL alert: Configured NSS Ciphers
> >> [23/Sep/2015:08:51:04 -0600] - SSL alert:
> >> TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
> >> [23/Sep/2015:08:51:04 -0600] - SSL alert:
> >> TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
> >> [23/Sep/2015:08:51:04 -0600] - SSL alert:
> >> TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
> >> [23/Sep/2015:08:51:04 -0600] - SSL alert:
> >> TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
> >> [23/Sep/2015:08:51:04 -0600] - SSL alert:
> >> TLS_RSA_WITH_AES_128_CBC_SHA: enabled
> >> [23/Sep/2015:08:51:04 -0600] - SSL alert:
> >> TLS_RSA_WITH_AES_256_CBC_SHA: enabled
> >> [23/Sep/2015:08:51:04 -0600] - 389-Directory/1.3.3.8 B2015.040.128
> >> starting up
> >>
> >> But sslscan returns:
> >>
> >> $ sslscan --no-failed localhost:636
> >> ...
> >>
> >> Supported Server Cipher(s):
> >>
> >>     Accepted  TLSv1  256 bits  AES256-SHA
> >>     Accepted  TLSv1  128 bits  AES128-SHA
> >>     Accepted  TLSv1  128 bits  DES-CBC3-SHA
> >>     Accepted  TLSv1  128 bits  RC4-SHA
> >>     Accepted  TLSv1  128 bits  RC4-MD5
> >>     Accepted  TLS11  256 bits  AES256-SHA
> >>     Accepted  TLS11  128 bits  AES128-SHA
> >>     Accepted  TLS11  128 bits  DES-CBC3-SHA
> >>     Accepted  TLS11  128 bits  RC4-SHA
> >>     Accepted  TLS11  128 bits  RC4-MD5
> >>     Accepted  TLS12  256 bits  AES256-SHA256
> >>     Accepted  TLS12  256 bits  AES256-SHA
> >>     Accepted  TLS12  128 bits  AES128-GCM-SHA256
> >>     Accepted  TLS12  128 bits  AES128-SHA256
> >>     Accepted  TLS12  128 bits  AES128-SHA
> >>     Accepted  TLS12  128 bits  DES-CBC3-SHA
> >>     Accepted  TLS12  128 bits  RC4-SHA
> >>     Accepted  TLS12  128 bits  RC4-MD5
> >>
> >> ...
> >>
> >>
> >> I would assume the sslscan is broken, but nmap and other scanners all
> >> confirm that RC4 is still on.
> >>
> >> -M
> >>
> >> On Wed, Sep 23, 2015 at 3:35 AM, Martin Kosek <mkosek at redhat.com> wrote:
> >>
> >>> On 09/23/2015 11:00 AM, Michael Lasevich wrote:
> >>>> OK, this is most bizarre issue,
> >>>>
> >>>> I am trying to disable RC4 based TLS Cipher Suites in LDAPs (port 636) and
> >>>> for the life of me cannot get it to work
> >>>>
> >>>> I have followed many nearly identical instructions to create ldif file and
> >>>> change "nsSSL3Ciphers" in "cn=encryption,cn=config". Seems simple enough -
> >>>> and I get it to take, and during the startup I can see the right SSL Cipher
> >>>> Suites listed in errors.log - but when it starts and I probe it, RC4
> >>>> ciphers are still there. I am completely confused.
> >>>>
> >>>> I tried setting "nsSSL3Ciphers" to "default" (which does not have "RC4")
> >>>> and to old style cipher lists (lowercase), and new style cipher
> >>>> lists (uppercase), and nothing seems to make any difference.
> >>>>
> >>>> Any ideas?
> >>>>
> >>>> -M
> >>>
> >>> Are you asking about standalone 389-DS or the one integrated in FreeIPA?
> >>> As with currently supported versions of FreeIPA, RC4 ciphers should be
> >>> already gone, AFAIK.
> >>>
> >>> In RHEL/CentOS world, it should be fixed in 6.7/7.1 or later:
> >>>
> >>> https://bugzilla.redhat.com/show_bug.cgi?id=1154687
> >>> https://fedorahosted.org/freeipa/ticket/4653
> >>>
> >>
> >>
> >>
> >>
> >>
> >> --
> >> Manage your subscription for the Freeipa-users mailing list:
> >> https://www.redhat.com/mailman/listinfo/freeipa-users
> >> Go to http://freeipa.org for more info on the project
> >>
> >
> >
> >
>
>
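The thread's core lesson is that the cipher list slapd prints at startup is not evidence of what the listener negotiates: the "Configured NSS Ciphers" block in the errors log showed no RC4 while sslscan still accepted RC4-SHA and RC4-MD5, because the running package was stale. The script below is an added example, not code from the thread or from the 389-ds project; it parses the two artifacts the thread relies on (the `SSL alert: <suite>: enabled` log lines and sslscan's `Accepted` lines), maps sslscan's OpenSSL-style names to the IANA names 389-ds logs, and reports every suite that was negotiated on the wire but absent from the startup list. The log and scan text embedded here are constructed samples in the same shape as the thread's output, and the OpenSSL-to-IANA table covers only the names that appear in those scans.

```python
import re

# Constructed sample input: slapd errors-log lines in the shape the thread shows
# (the "Configured NSS Ciphers" block that 389-ds writes at startup).
SLAPD_ERRORS = """\
[23/Sep/2015:08:51:04 -0600] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
[23/Sep/2015:08:51:04 -0600] - SSL alert: Configured NSS Ciphers
[23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[23/Sep/2015:08:51:04 -0600] - 389-Directory/1.3.3.8 B2015.040.128 starting up
"""

# Constructed sample input: sslscan output in the shape the thread shows.
SSLSCAN_OUTPUT = """\
  Supported Server Cipher(s):
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  128 bits  DES-CBC3-SHA
    Accepted  TLSv1  128 bits  RC4-SHA
    Accepted  TLSv1  128 bits  RC4-MD5
    Accepted  TLS12  128 bits  AES128-GCM-SHA256
"""

# OpenSSL cipher names (as sslscan prints them) -> IANA suite names (as 389-ds logs them).
# Only the names seen in the thread's scans are listed; extend the table for other scans.
OPENSSL_TO_IANA = {
    "AES256-SHA": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "AES128-SHA": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "AES256-SHA256": "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "AES128-SHA256": "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "AES128-GCM-SHA256": "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "DES-CBC3-SHA": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "RC4-SHA": "TLS_RSA_WITH_RC4_128_SHA",
    "RC4-MD5": "TLS_RSA_WITH_RC4_128_MD5",
}

ENABLED_RE = re.compile(r"SSL alert: (TLS_[A-Z0-9_]+): enabled\s*$")
ACCEPTED_RE = re.compile(r"^\s*Accepted\s+(\S+)\s+\d+\s+bits\s+(\S+)\s*$")


def configured_ciphers(log_text):
    """Suites slapd claims it enabled, taken from the 'SSL alert: <suite>: enabled' lines."""
    configured = set()
    for line in log_text.splitlines():
        m = ENABLED_RE.search(line)
        if m:
            configured.add(m.group(1))
    return configured


def observed_ciphers(scan_text):
    """Suites the scanner actually negotiated: IANA name -> set of protocol versions.
    Scanner names missing from OPENSSL_TO_IANA are returned separately so nothing is
    silently dropped from the comparison."""
    observed, unmapped = {}, set()
    for line in scan_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if not m:
            continue
        version, openssl_name = m.groups()
        iana = OPENSSL_TO_IANA.get(openssl_name)
        if iana is None:
            unmapped.add(openssl_name)
            continue
        observed.setdefault(iana, set()).add(version)
    return observed, unmapped


def audit(log_text, scan_text):
    """Compare what the startup log claims with what the wire shows. A suite accepted on
    the wire but absent from the startup list means the configuration did not take effect
    in the running process (the thread's symptom), regardless of what the log says."""
    configured = configured_ciphers(log_text)
    observed, unmapped = observed_ciphers(scan_text)
    unexpected = {name: versions for name, versions in observed.items() if name not in configured}
    rc4 = {name for name in observed if "_RC4_" in name}
    return {"configured": configured, "unexpected": unexpected, "rc4": rc4, "unmapped": unmapped}


if __name__ == "__main__":
    report = audit(SLAPD_ERRORS, SSLSCAN_OUTPUT)
    for name, versions in sorted(report["unexpected"].items()):
        print(f"accepted on the wire but not in startup cipher list: {name} ({', '.join(sorted(versions))})")
    if report["rc4"]:
        print("RC4 still negotiable:", ", ".join(sorted(report["rc4"])))
    if report["unmapped"]:
        print("scanner names without a mapping:", ", ".join(sorted(report["unmapped"])))
```

Run it against a real `errors` log and a real `sslscan` capture by replacing the two sample strings; a non-empty `unexpected` set after a restart is the signal to stop editing `nsSSL3Ciphers` and check, as Martin did here, whether the running 389-ds-base build is the one you think it is.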