[Freeipa-users] IPA vulnerability management SSL

Sean Hogan schogan at us.ibm.com
Wed Apr 27 17:22:32 UTC 2016


Hello Alexander


I knew the below which is why I added my DS rpm version in the orig email,
which made sense to me, but per 389 DS docs allowweakcipher starts in
1.3.3.2 in case anyone else reads this.  At least that's what the docs say,
but you may know something where it actually does not work till 1.3.4.0.  I
dunno
http://directory.fedoraproject.org/docs/389ds/design/nss-cipher-design.html


Additionally, I want to clarify the comment that 4.3.1 has this as the default setup.
Are you suggesting that IPA 3.0.47 for rhel6 is incapable of getting a
stronger ssl config and that anyone who needs tighter cipher control needs
to upgrade to IPA 4.3.1 and their OS to RHEL (centos, scientific) 7?

Sean Hogan






From:	Alexander Bokovoy <abokovoy at redhat.com>
To:	Sean Hogan/Durham/IBM at IBMUS
Cc:	freeipa-users <freeipa-users at redhat.com>
Date:	04/26/2016 11:52 PM
Subject:	Re: [Freeipa-users] IPA vulnerability management SSL



On Tue, 26 Apr 2016, Sean Hogan wrote:
>
>
>Hello,
>
>  We currently have 7 ipa servers in multi master running:
>
>ipa-server-3.0.0-47.el6_7.1.x86_64
>389-ds-base-1.2.11.15-68.el6_7.x86_64
>
>Tenable is showing the use of weak ciphers along with freak
>vulnerabilities.  I have followed
>https://access.redhat.com/solutions/675183 however issues remain in the
>ciphers being used.
$ git log --oneline 5f3c87e1380e56d76d4a4bef3af07633a8589891|head -1
5f3c87e Ticket #47838 - harden the list of ciphers available by default
$ git tag --contains 5f3c87e1380e56d76d4a4bef3af07633a8589891|head -1
389-ds-base-1.3.4.0

This means allowweakcipher feature is only in 389-ds-base >= 1.3.4.0.
This should explain your failures below.


>
>I have also modified dse.ldif with the following from
>
>http://freeipa-users.redhat.narkive.com/XGR9YzyN/weak-and-null-ciphers-detected-on-ldap-ports

>
>With ipa stopped I modified dse with  below
>
>odifyTimestamp: 20150420131906Z
>nsSSL3Ciphers: +all,-rsa_null_sha
>allowWeakCipher: off
>numSubordinates: 1
>
>I turn on ipa and get
>Starting Directory Service
>Starting dirsrv:
>    PKI-IPA...[27/Apr/2016:01:23:21 -0400] - Entry
>"cn=encryption,cn=config" -- attribute "allowweakcipher" not allowed
>
>So I go back into the file and allowWeakCipher now shows allowweakcipher
>(caps for W and C are now lower case)
Attribute names are case-insensitive and normalized to lower case.
Anyway, just don't use allowweakcipher in older 389-ds-base versions.

>
>nss.conf
>
>
># new config to stop using weak ciphers.
>NSSCipherSuite
>-rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,-fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_256_sha

>   SSL Protocol:
>#   Cryptographic protocols that provide communication security.
>#   NSS handles the specified protocols as "ranges", and automatically
>#   negotiates the use of the strongest protocol for a connection starting
>#   with the maximum specified protocol and downgrading as necessary to the
>#   minimum specified protocol that can be used between two processes.
>#   Since all protocol ranges are completely inclusive, and no protocol in the
>NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
>NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
>NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
>
>
>server.xml
>
>               clientAuth="true"
>               sslOptions="ssl2=off,ssl3=off,tls=true"
>
>ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"

>
>ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,-SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,-SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"

>
>tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,-SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,-SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"

>
>
>
>
>
>Is there a config for this version of IPA/DS somewhere that will pass
>poodle, freak, null ciphers scanning or only allow strong ciphers?
FreeIPA 4.3.1 has default setup that gives A on these tests with SSL Labs.
https://www.ssllabs.com/ssltest/analyze.html?d=ipa.demo1.freeipa.org&hideResults=on


Follow https://fedorahosted.org/freeipa/ticket/5589 for Apache changes
and for the script to generate proper lists.
--
/ Alexander Bokovoy
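The two problems in this thread are easy to check offline before restarting dirsrv: whether the installed 389-ds-base is new enough to accept allowWeakCipher at all, and whether a "+all,-name" or explicit "+/-" cipher list still leaves weak suites enabled. The script below is an added example written for this archive page; it is not code from the thread, FreeIPA or 389-ds. It assumes the 1.3.4.0 threshold from the git tag output Alexander quoted, and the set of "weak" name tokens (NULL, RC4, RC2, DES, 3DES, MD5, export-grade, Fortezza) is a constructed audit policy, not a list published by NSS or Tenable. The sample cipher strings are the ones from the quoted dse.ldif, nss.conf and server.xml.

```python
import re

# Tokens that mark a suite as weak in this audit. This set is an assumption for
# the example (NULL, RC4, RC2, DES, 3DES, MD5, export-grade, Fortezza), not a
# list taken from 389-ds, NSS or a scanner.
WEAK_TOKENS = {"null", "rc4", "rc2", "des", "3des", "md5",
               "export", "export1024", "fortezza", "40", "56"}

# Version at which 389-ds-base gained allowWeakCipher, per the git tag quoted
# in the thread (Ticket #47838 is first contained in 389-ds-base-1.3.4.0).
ALLOW_WEAK_CIPHER_MIN = (1, 3, 4, 0)


def is_weak(name):
    """Heuristic: a suite is weak if any '_'-separated token is in WEAK_TOKENS."""
    return bool(set(name.lower().split("_")) & WEAK_TOKENS)


def parse_cipher_spec(spec):
    """Parse a '+name,-name' list (nsSSL3Ciphers / NSSCipherSuite / ssl3Ciphers
    style). Returns (uses_all, enabled, disabled) with names in source order."""
    uses_all = False
    enabled, disabled = [], []
    for token in spec.replace(" ", "").split(","):
        if not token:
            continue
        sign, name = token[0], token[1:]
        if sign not in "+-":
            raise ValueError("cipher token must start with + or -: %r" % token)
        if name.lower() == "all":
            uses_all = (sign == "+")
            continue
        (enabled if sign == "+" else disabled).append(name)
    return uses_all, enabled, disabled


def audit_cipher_spec(spec):
    """Return the findings a reviewer would want before deploying the spec."""
    uses_all, enabled, disabled = parse_cipher_spec(spec)
    findings = []
    if uses_all:
        # '+all,-x' only removes x; every other suite NSS knows stays enabled.
        findings.append("'+all' enables every suite NSS knows except the %d "
                        "explicitly disabled; weak suites remain unless listed"
                        % len(disabled))
    weak_enabled = [n for n in enabled if is_weak(n)]
    for n in weak_enabled:
        findings.append("weak suite explicitly enabled: %s" % n)
    return {"uses_all": uses_all, "enabled": enabled, "disabled": disabled,
            "weak_enabled": weak_enabled, "findings": findings}


def rpm_version(nevra):
    """Upstream version tuple from a 389-ds-base RPM name such as
    389-ds-base-1.2.11.15-68.el6_7.x86_64 -> (1, 2, 11, 15)."""
    m = re.match(r"389-ds-base-(\d+(?:\.\d+)*)-", nevra)
    if not m:
        raise ValueError("not a 389-ds-base package name: %r" % nevra)
    return tuple(int(x) for x in m.group(1).split("."))


def supports_allow_weak_cipher(nevra):
    """True if the package is new enough to accept allowWeakCipher in dse.ldif."""
    return rpm_version(nevra) >= ALLOW_WEAK_CIPHER_MIN


if __name__ == "__main__":
    # Package name from the original post: too old, the attribute is rejected.
    pkg = "389-ds-base-1.2.11.15-68.el6_7.x86_64"
    print(pkg, "supports allowWeakCipher:", supports_allow_weak_cipher(pkg))

    # Cipher strings quoted in the thread (dse.ldif, nss.conf, server.xml).
    samples = {
        "dse.ldif nsSSL3Ciphers": "+all,-rsa_null_sha",
        "nss.conf NSSCipherSuite": "-rsa_rc4_128_md5,-rsa_rc4_128_sha,"
            "-rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,"
            "-rsa_null_md5,-rsa_null_sha,-fips_3des_sha,-fips_des_sha,"
            "-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,"
            "-rsa_rc4_56_sha,+rsa_aes_256_sha",
        "server.xml tls3Ciphers (excerpt)": "-SSL3_RSA_WITH_RC4_128_SHA,"
            "+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,"
            "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    }
    for label, spec in samples.items():
        result = audit_cipher_spec(spec)
        print("\n== %s ==" % label)
        for f in result["findings"] or ["no findings"]:
            print(" -", f)
```

The dse.ldif line is the one that trips people up: "+all,-rsa_null_sha" disables exactly one suite and leaves RC4, single DES and export-grade suites enabled, which is why the scanner kept reporting them. The nss.conf list is explicit, so the audit finds nothing there; the server.xml excerpt shows a 3DES suite still switched on, which the constructed policy flags.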


