[Freeipa-users] IPA vulnerability management SSL

Alexander Bokovoy abokovoy at redhat.com
Wed Apr 27 17:35:02 UTC 2016


On Wed, 27 Apr 2016, Sean Hogan wrote:
>
>Hello Alexander
>
>
>I knew the below which is why I added my DS rpm version in the orig email
>which made sense to me but per 389 DS docs allowWeakCipher starts in
>1.3.3.2 in case anyone else reads this.  At least that's what the docs say
>but you may know something where it actually does not work til 1.3.4.0.  I
>dunno
>http://directory.fedoraproject.org/docs/389ds/design/nss-cipher-design.html
>
>
>Additionally I want to clarify the comment 4.3.1 has this as default setup.
>Are you suggesting that IPA 3.0.47 for rhel6 is incapable of getting a
>stronger ssl config and that anyone who needs tighter cipher control needs
>to upgrade to IPA 4.3.1 and their OS to RHEL(centos, scientific) 7?
All I said is that we fixed this particular issue to make sure defaults
in 4.3.1 reflect current status quo on SSL ciphers.

If you want to have a similar setup with 3.0.47, you are welcome to
improve the configuration based on the effort we did for 4.3.1.

Notice that I said nothing about incapability of either deployment to
handle this, not sure where you were able to read that from.

-- 
/ Alexander Bokovoy



