[Freeipa-users] IPA vulnerability management SSL

Alexander Bokovoy abokovoy at redhat.com
Wed Apr 27 06:52:15 UTC 2016


On Tue, 26 Apr 2016, Sean Hogan wrote:
>
>
>Hello,
>
>  We currently have 7 ipa servers in multi master running:
>
>ipa-server-3.0.0-47.el6_7.1.x86_64
>389-ds-base-1.2.11.15-68.el6_7.x86_64
>
>Tenable is showing the use of weak ciphers along with freak
>vulnerabilities.  I have followed
>https://access.redhat.com/solutions/675183 however issues remain in the
>ciphers being used.
$ git log --oneline 5f3c87e1380e56d76d4a4bef3af07633a8589891|head -1
5f3c87e Ticket #47838 - harden the list of ciphers available by default
$ git tag --contains 5f3c87e1380e56d76d4a4bef3af07633a8589891|head -1
389-ds-base-1.3.4.0

This means the allowweakcipher feature is only in 389-ds-base >= 1.3.4.0.
This should explain your failures below.


>
>I have also modified dse.ldif with the following from
>http://freeipa-users.redhat.narkive.com/XGR9YzyN/weak-and-null-ciphers-detected-on-ldap-ports
>
>With ipa stopped I modified dse with  below
>
>odifyTimestamp: 20150420131906Z
>nsSSL3Ciphers: +all,-rsa_null_sha
>allowWeakCipher: off
>numSubordinates: 1
>
>I turn on ipa and get
>Starting Directory Service
>Starting dirsrv:
>    PKI-IPA...[27/Apr/2016:01:23:21 -0400] - Entry
>"cn=encryption,cn=config" -- attribute "allowweakcipher" not allowed
>
>So I go back into the file and allowWeakCipher now shows allowweakcipher
>(caps for W and C are now lower case)
Attribute names are case-insensitive and normalized to lower case.
Anyway, just don't use allowweakcipher in older 389-ds-base version.

>
>nss.conf
>
>
># new config to stop using weak ciphers.
>NSSCipherSuite
>-rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,-fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_256_sha
>   SSL Protocol:
>#   Cryptographic protocols that provide communication security.
>#   NSS handles the specified protocols as "ranges", and automatically
>#   negotiates the use of the strongest protocol for a connection starting
>#   with the maximum specified protocol and downgrading as necessary to the
>#   minimum specified protocol that can be used between two processes.
>#   Since all protocol ranges are completely inclusive, and no protocol in
>the
>NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
>NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
>NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
>
>
>server.xml
>
>               clientAuth="true"
>               sslOptions="ssl2=off,ssl3=off,tls=true"
>
>ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"
>
>ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,-SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,-SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
>
>tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,-SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,-SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
>
>
>
>
>
>Is there a config for this version of IPA/DS somewhere that will pass
>poodle, freak, null ciphers scanning or only allow strong ciphers?
FreeIPA 4.3.1 has a default setup that gives an A on these tests with SSL Labs.
https://www.ssllabs.com/ssltest/analyze.html?d=ipa.demo1.freeipa.org&hideResults=on

Follow https://fedorahosted.org/freeipa/ticket/5589 for Apache changes
and for the script to generate proper lists.
-- 
/ Alexander Bokovoy
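Added example (editor's code, not from the thread or from the 389-ds or FreeIPA projects): a small evaluator for the NSS-style cipher list syntax used by nsSSL3Ciphers in dse.ldif and NSSCipherSuite in nss.conf. It walks the comma-separated +/- tokens, applies +all/-all, and reports which enabled suites a scanner would flag (NULL, export-grade 40/56-bit, RC4, RC2, MD5, DES/3DES, Fortezza). The cipher universe is a constructed subset of the NSS names that appear in the thread plus rsa_aes_128_sha; the assumption that later tokens override earlier ones matches how 389-ds and mod_nss evaluate the list. Running it over the two lists quoted above shows why "+all,-rsa_null_sha" is not enough on a 389-ds-base that lacks allowWeakCipher: every other weak suite stays enabled, whereas the explicit nss.conf list ends with only rsa_aes_256_sha.

```python
"""Evaluate an NSS-style cipher list (389-ds nsSSL3Ciphers, mod_nss
NSSCipherSuite) and report which enabled suites are weak.
Added example; not part of the mailing-list thread."""

# Constructed universe: the NSS cipher names quoted in the thread plus
# rsa_aes_128_sha. Real servers know more names; extend as needed.
KNOWN_CIPHERS = frozenset([
    "rsa_rc4_128_md5", "rsa_rc4_128_sha", "rsa_3des_sha", "rsa_des_sha",
    "rsa_rc4_40_md5", "rsa_rc2_40_md5", "rsa_null_md5", "rsa_null_sha",
    "fips_3des_sha", "fips_des_sha", "fortezza", "fortezza_rc4_128_sha",
    "fortezza_null", "rsa_des_56_sha", "rsa_rc4_56_sha",
    "rsa_aes_128_sha", "rsa_aes_256_sha",
])

# Substrings that mark a suite as weak, with the reason a scanner reports.
WEAK_MARKERS = [
    ("null", "no encryption (NULL cipher)"),
    ("_40_", "40-bit export key (export grade, FREAK class)"),
    ("_56_", "56-bit export key (export grade)"),
    ("rc4", "RC4 stream cipher"),
    ("rc2", "RC2 cipher"),
    ("md5", "MD5 MAC"),
    ("fortezza", "Fortezza (obsolete)"),
    ("des", "DES/3DES block cipher (64-bit block)"),  # also matches 3des
]


def parse_cipher_list(spec, known=KNOWN_CIPHERS):
    """Return (enabled set, list of unknown tokens).

    Tokens are processed left to right and later entries override earlier
    ones (assumption: last wins, as 389-ds and mod_nss evaluate the list).
    """
    enabled = set()
    unknown = []
    for tok in spec.split(","):
        tok = tok.strip().lower()
        if not tok:
            continue
        sign, name = tok[0], tok[1:]
        if sign not in "+-":
            raise ValueError("cipher token must start with + or -: %r" % tok)
        if name == "all":
            enabled = set(known) if sign == "+" else set()
        elif name in known:
            if sign == "+":
                enabled.add(name)
            else:
                enabled.discard(name)
        else:
            unknown.append(tok)  # typo or a name this table does not know
    return enabled, unknown


def weak_reasons(name):
    """All reasons a suite name trips a weak-cipher marker (empty if none)."""
    return [reason for marker, reason in WEAK_MARKERS if marker in name]


def audit(spec):
    """Summarise a cipher list: what is enabled, what of it is weak and why."""
    enabled, unknown = parse_cipher_list(spec)
    weak = {c: weak_reasons(c) for c in sorted(enabled) if weak_reasons(c)}
    strong = sorted(c for c in enabled if c not in weak)
    return {"enabled": sorted(enabled), "weak": weak,
            "strong": strong, "unknown": unknown}


# The two lists quoted in the thread.
DSE_LIST = "+all,-rsa_null_sha"
NSS_CONF_LIST = ("-rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_3des_sha,-rsa_des_sha,"
                 "-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,"
                 "-fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,"
                 "-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_256_sha")

if __name__ == "__main__":
    for label, spec in (("dse.ldif", DSE_LIST), ("nss.conf", NSS_CONF_LIST)):
        report = audit(spec)
        print("%s: %d enabled, %d weak, strong=%s" % (
            label, len(report["enabled"]), len(report["weak"]), report["strong"]))
        for name, reasons in report["weak"].items():
            print("  WEAK %-24s %s" % (name, "; ".join(reasons)))
```

The "des" marker deliberately catches 3DES as well, since the Red Hat article the thread cites treats 3DES as legacy; drop that marker if your policy still permits it. Unknown tokens are returned rather than silently ignored because a misspelled "-rsa_rc4_128_sha" would otherwise leave that suite enabled without any warning.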