[Freeipa-users] IPA vulnerability management SSL

Ludwig Krispenz lkrispen at redhat.com
Thu Apr 28 11:26:04 UTC 2016


On 04/28/2016 12:06 PM, Martin Kosek wrote:
> On 04/28/2016 01:23 AM, Sean Hogan wrote:
>> Hi Martin,
>>
>> No joy on placing - in front of the RC4s
>>
>>
>> I modified my nss.conf to now read
>> # SSL 3 ciphers. SSL 2 is disabled by default.
>> NSSCipherSuite
>> +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha
>>
>> # SSL Protocol:
>> # Cryptographic protocols that provide communication security.
>> # NSS handles the specified protocols as "ranges", and automatically
>> # negotiates the use of the strongest protocol for a connection starting
>> # with the maximum specified protocol and downgrading as necessary to the
>> # minimum specified protocol that can be used between two processes.
>> # Since all protocol ranges are completely inclusive, and no protocol in the
>> NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
>>
>> dse.ldif
>>
>> dn: cn=encryption,cn=config
>> objectClass: top
>> objectClass: nsEncryptionConfig
>> cn: encryption
>> nsSSLSessionTimeout: 0
>> nsSSLClientAuth: allowed
>> nsSSL2: off
>> nsSSL3: off
>> creatorsName: cn=server,cn=plugins,cn=config
>> modifiersName: cn=directory manager
>> createTimestamp: 20150420131850Z
>> modifyTimestamp: 20150420131906Z
>> nsSSL3Ciphers: +all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4
>> _56_sha,-tls_dhe_dss_1024_rc4_sha
>> numSubordinates: 1
>>
>>
>>
>> But I still get this with nmap. I thought the above would remove
>> -tls_rsa_export1024_with_rc4_56_sha but it is still showing. Is it the fact that I am not
>> offering -tls_rsa_export1024_with_rc4_56_sha? If so, I am not really understanding
>> where it is coming from, 'cept the +all from DS, but the - should be negating that?
>>
>> Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 17:37 EDT
>> Nmap scan report for rtpvxl0077.watson.local (10.110.76.242)
>> Host is up (0.000086s latency).
>> PORT STATE SERVICE
>> 636/tcp open ldapssl
>> | ssl-enum-ciphers:
>> | TLSv1.2
>> | Ciphers (13)
>> | SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
>> | SSL_RSA_FIPS_WITH_DES_CBC_SHA
>> | TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
>> | TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
>> | TLS_RSA_WITH_3DES_EDE_CBC_SHA
>> | TLS_RSA_WITH_AES_128_CBC_SHA
>> | TLS_RSA_WITH_AES_128_CBC_SHA256
>> | TLS_RSA_WITH_AES_128_GCM_SHA256
>> | TLS_RSA_WITH_AES_256_CBC_SHA
>> | TLS_RSA_WITH_AES_256_CBC_SHA256
>> | TLS_RSA_WITH_DES_CBC_SHA
>> | TLS_RSA_WITH_RC4_128_MD5
>> | TLS_RSA_WITH_RC4_128_SHA
>> | Compressors (1)
>> |_ uncompressed
>>
>> Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
>>
>>
>>
>> It seems no matter what config I put into nss.conf or dse.ldif, nothing changes
>> with my nmap results. Is there supposed to be a section to add TLS ciphers
>> instead of SSL?
> Not sure now, CCing Ludwig who was involved in the original RHEL-6
> implementation.
If I remember correctly, we did the change in default ciphers and the
option for handling them in 389-ds > 1.3.3, so it would not be in RHEL6;
adding Noriko to get confirmation.

But the comments below about changing ciphers in dse.ldif could help in
using the "old" way to set ciphers.
> Just to be sure, when you are modifying dse.ldif, the procedure
> should be always following:
>
> 1) Stop Directory Server service
> 2) Modify dse.ldif
> 3) Start Directory Server service
>
> Otherwise it won't get applied and will get overwritten later.
>
> In any case, the ciphers with RHEL-6 should be secure enough, the ones in
> FreeIPA 4.3.1 should be even better. This is for example an nmap taken on
> FreeIPA Demo instance that runs on FreeIPA 4.3.1:
>
> $ nmap --script ssl-enum-ciphers -p 636 ipa.demo1.freeipa.org
>
> Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-28 12:02 CEST
> Nmap scan report for ipa.demo1.freeipa.org (209.132.178.99)
> Host is up (0.18s latency).
> PORT    STATE SERVICE
> 636/tcp open  ldapssl
> | ssl-enum-ciphers:
> |   TLSv1.2:
> |     ciphers:
> |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
> |       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
> |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
> |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
> |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
> |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
> |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
> |     compressors:
> |       NULL
> |     cipher preference: server
> |_  least strength: A
>
> Nmap done: 1 IP address (1 host up) scanned in 21.12 seconds
>
> Martin

-- 
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill
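The question in this thread is whether a `-name` exclusion in `nsSSL3Ciphers` actually took effect, and the only evidence either side has is nmap's `ssl-enum-ciphers` output. The following script is an added example, not code from the thread or from FreeIPA/389-ds: it unfolds the LDIF excerpt Sean posted (the `nsSSL3Ciphers` value is line-folded with a leading space, which is easy to misread as a typo), extracts the excluded names, parses both nmap scans quoted above, flags suites a defender would treat as weak (RC4, DES/3DES, export grades, NULL, MD5; the marker list is my own), and reports which excluded suites the server is still offering. The comparison assumes that 389-ds names of the `tls_...` form equal the IANA suite name after case folding; the legacy short names (`rsa_rc4_56_sha`) do not map that way and are left unmatched, which the code notes.

```python
import re

# Constructed list of substrings that mark a suite as weak for this check.
WEAK_MARKERS = ("RC4", "_DES_", "3DES", "EXPORT", "NULL", "MD5", "ANON")

# Cipher names as nmap prints them: TLS_... or SSL_... up to the first space.
CIPHER_RE = re.compile(r"\b((?:TLS|SSL)_[A-Z0-9_]+)")

# dse.ldif excerpt as posted in the thread; note the folded nsSSL3Ciphers line
# (continuation line begins with a single space, per LDIF rules).
DSE_LDIF = (
    "dn: cn=encryption,cn=config\n"
    "objectClass: top\n"
    "objectClass: nsEncryptionConfig\n"
    "cn: encryption\n"
    "nsSSL2: off\n"
    "nsSSL3: off\n"
    "nsSSL3Ciphers: +all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4\n"
    " _56_sha,-tls_dhe_dss_1024_rc4_sha\n"
    "numSubordinates: 1\n"
)

# Cipher section of the Nmap 5.51 scan against the RHEL-6 server in the thread.
NMAP_OLD = """| ssl-enum-ciphers:
| TLSv1.2
| Ciphers (13)
| SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
| SSL_RSA_FIPS_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA256
| TLS_RSA_WITH_AES_128_GCM_SHA256
| TLS_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_AES_256_CBC_SHA256
| TLS_RSA_WITH_DES_CBC_SHA
| TLS_RSA_WITH_RC4_128_MD5
| TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)
|_ uncompressed
"""

# Cipher section of the Nmap 7.12 scan of the FreeIPA 4.3.1 demo instance.
NMAP_NEW = """| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
"""


def unfold_ldif(text):
    """Join LDIF continuation lines (leading single space) onto the previous line."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def nsssl3_exclusions(ldif_text):
    """Return the cipher names listed with a '-' prefix in nsSSL3Ciphers."""
    for line in unfold_ldif(ldif_text):
        if line.startswith("nsSSL3Ciphers:"):
            spec = line.split(":", 1)[1].strip()
            return [t[1:] for t in spec.split(",") if t.startswith("-")]
    return []


def parse_nmap_ciphers(output):
    """Return every cipher suite name found in ssl-enum-ciphers output (both layouts)."""
    suites = []
    for line in output.splitlines():
        m = CIPHER_RE.search(line)
        if m:
            suites.append(m.group(1))
    return suites


def weak_ciphers(suites):
    """Suites containing any weak marker; the rest are treated as acceptable."""
    return [s for s in suites if any(marker in s for marker in WEAK_MARKERS)]


def still_offered(exclusions, observed):
    """Excluded names the server still offers. Assumption: a 389-ds 'tls_*' name
    equals the IANA name after case folding; legacy short names never match here."""
    wanted = {e.lower() for e in exclusions}
    return [s for s in observed if s.lower() in wanted]


if __name__ == "__main__":
    excluded = nsssl3_exclusions(DSE_LDIF)
    for label, scan in (("RHEL-6 server", NMAP_OLD), ("FreeIPA 4.3.1 demo", NMAP_NEW)):
        seen = parse_nmap_ciphers(scan)
        print(f"{label}: {len(seen)} suites, weak: {weak_ciphers(seen)}")
        print(f"  excluded in dse.ldif but still offered: {still_offered(excluded, seen)}")
```

Run against the two scans quoted in this thread, the script reports eight weak suites on the RHEL-6 server and none on the demo instance, and confirms that `tls_rsa_export1024_with_rc4_56_sha` is excluded in `dse.ldif` yet still offered, which is exactly the mismatch that points at the configuration not having been applied (the stop/edit/start sequence Martin describes) rather than at a typo in the cipher list.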