[Freeipa-users] IPA vulnerability management SSL

Sean Hogan schogan at us.ibm.com
Thu Apr 28 15:20:44 UTC 2016


Yes sir. I am stopping DS with ipactl stop before making changes. I
often have to really play with the ciphers because many times when I
restart DS I get "unknown cipher" and IPA fails to start. I go back into
dse.ldif and modify it until it comes back up.
Sean Hogan
Security Engineer
Watson Security & Risk Assurance
Watson Cloud Technology and Support
email: schogan at us.ibm.com | Tel 919 486 1397
From:	Ludwig Krispenz <lkrispen at redhat.com>
To:	freeipa-users at redhat.com, Noriko Hosoi <nhosoi at redhat.com>
Date:	04/28/2016 04:46 AM
Subject:	Re: [Freeipa-users] IPA vulnerability management SSL
Sent by:	freeipa-users-bounces at redhat.com



wanted to add Noriko, but hit send too quickly

On 04/28/2016 01:26 PM, Ludwig Krispenz wrote:
>
> On 04/28/2016 12:06 PM, Martin Kosek wrote:
>> On 04/28/2016 01:23 AM, Sean Hogan wrote:
>>> Hi Martin,
>>>
>>> No joy on placing - in front of the RC4s
>>>
>>>
>>> I modified my nss.conf to now read
>>> # SSL 3 ciphers. SSL 2 is disabled by default.
>>> NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha
>>>
>>>
>>> # SSL Protocol:
>>> # Cryptographic protocols that provide communication security.
>>> # NSS handles the specified protocols as "ranges", and automatically
>>> # negotiates the use of the strongest protocol for a connection starting
>>> # with the maximum specified protocol and downgrading as necessary to the
>>> # minimum specified protocol that can be used between two processes.
>>> # Since all protocol ranges are completely inclusive, and no protocol in the
>>> NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
>>>
>>> dse.ldif
>>>
>>> dn: cn=encryption,cn=config
>>> objectClass: top
>>> objectClass: nsEncryptionConfig
>>> cn: encryption
>>> nsSSLSessionTimeout: 0
>>> nsSSLClientAuth: allowed
>>> nsSSL2: off
>>> nsSSL3: off
>>> creatorsName: cn=server,cn=plugins,cn=config
>>> modifiersName: cn=directory manager
>>> createTimestamp: 20150420131850Z
>>> modifyTimestamp: 20150420131906Z
>>> nsSSL3Ciphers: +all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha
>>> numSubordinates: 1
>>>
>>>
>>>
>>> But I still get this with nmap.. I thought the above would remove
>>> -tls_rsa_export1024_with_rc4_56_sha but it is still showing. Is it the
>>> fact that I am not offering -tls_rsa_export1024_with_rc4_56_sha? If so,
>>> I am not really understanding where it is coming from except the +all
>>> from DS, but the - should be negating that?
>>>
>>> Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 17:37 EDT
>>> Nmap scan report for rtpvxl0077.watson.local (10.110.76.242)
>>> Host is up (0.000086s latency).
>>> PORT STATE SERVICE
>>> 636/tcp open ldapssl
>>> | ssl-enum-ciphers:
>>> | TLSv1.2
>>> | Ciphers (13)
>>> | SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
>>> | SSL_RSA_FIPS_WITH_DES_CBC_SHA
>>> | TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
>>> | TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
>>> | TLS_RSA_WITH_3DES_EDE_CBC_SHA
>>> | TLS_RSA_WITH_AES_128_CBC_SHA
>>> | TLS_RSA_WITH_AES_128_CBC_SHA256
>>> | TLS_RSA_WITH_AES_128_GCM_SHA256
>>> | TLS_RSA_WITH_AES_256_CBC_SHA
>>> | TLS_RSA_WITH_AES_256_CBC_SHA256
>>> | TLS_RSA_WITH_DES_CBC_SHA
>>> | TLS_RSA_WITH_RC4_128_MD5
>>> | TLS_RSA_WITH_RC4_128_SHA
>>> | Compressors (1)
>>> |_ uncompressed
>>>
>>> Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
>>>
>>>
>>>
>>> It seems no matter what config I put into nss.conf or dse.ldif, nothing
>>> changes with my nmap results. Is there supposed to be a section to add
>>> TLS ciphers instead of SSL?
>> Not sure now, CCing Ludwig who was involved in the original RHEL-6
>> implementation.
> If I remember correctly we did the change in default ciphers and the
> option for handling in 389-ds > 1.3.3, so it would not be in RHEL6,
> adding Noriko to get confirmation.
>
> but the below comments about changing ciphers in dse.ldif could help
> in using the "old" way to set ciphers
>> Just to be sure, when you are modifying dse.ldif, the procedure
>> should always be the following:
>>
>> 1) Stop Directory Server service
>> 2) Modify dse.ldif
>> 3) Start Directory Server service
>>
>> Otherwise it won't get applied and will get overwritten later.
>>
>> In any case, the ciphers with RHEL-6 should be secure enough, the ones in
>> FreeIPA 4.3.1 should be even better. This is for example an nmap taken on
>> FreeIPA Demo instance that runs on FreeIPA 4.3.1:
>>
>> $ nmap --script ssl-enum-ciphers -p 636 ipa.demo1.freeipa.org
>>
>> Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-28 12:02 CEST
>> Nmap scan report for ipa.demo1.freeipa.org (209.132.178.99)
>> Host is up (0.18s latency).
>> PORT    STATE SERVICE
>> 636/tcp open  ldapssl
>> | ssl-enum-ciphers:
>> |   TLSv1.2:
>> |     ciphers:
>> |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
>> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
>> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
>> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
>> |       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
>> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
>> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
>> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
>> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
>> |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
>> |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
>> |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
>> |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
>> |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
>> |     compressors:
>> |       NULL
>> |     cipher preference: server
>> |_  least strength: A
>>
>> Nmap done: 1 IP address (1 host up) scanned in 21.12 seconds
>>
>> Martin
>

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham,
Michael O'Neill

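Added example, not code from this thread: a small Python checker that parses the output of `nmap --script ssl-enum-ciphers` in both the Nmap 5.51 and Nmap 7.12 layouts quoted above and reports which offered suites still match a weak-cipher policy (RC4, single DES and 3DES, export-grade, NULL, MD5), so a re-scan after editing dse.ldif can be judged mechanically. The policy list and the two embedded sample outputs (trimmed from the listings in the thread) are this example's own constructions.

```python
import re

# Policy for this example: flag RC4, single DES and 3DES, export-grade,
# NULL and MD5 suites (the categories still visible in the RHEL-6 scan above).
WEAK_MARKERS = ("RC4", "EXPORT", "_DES_", "3DES", "NULL", "MD5")

# Captures the suite name in both the Nmap 5.x and 7.x layouts shown above.
CIPHER_RE = re.compile(r"^\s*\|\s*((?:TLS|SSL)_[A-Z0-9_]+)")

def parse_nmap_ciphers(output):
    """Return the suite names listed by nmap --script ssl-enum-ciphers."""
    ciphers = []
    for line in output.splitlines():
        m = CIPHER_RE.match(line)
        if m:
            ciphers.append(m.group(1))
    return ciphers

def weak_ciphers(ciphers):
    """Return the suites that violate the policy in WEAK_MARKERS."""
    return [c for c in ciphers if any(w in c for w in WEAK_MARKERS)]

# Constructed sample in the Nmap 5.51 layout, trimmed from the thread's RHEL-6 scan.
SAMPLE_OLD = """\
| ssl-enum-ciphers:
| TLSv1.2
| Ciphers (5)
| SSL_RSA_FIPS_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_RSA_WITH_AES_128_GCM_SHA256
| TLS_RSA_WITH_RC4_128_MD5
| Compressors (1)
|_ uncompressed
"""
# Constructed sample in the Nmap 7.12 layout, trimmed from the demo-instance scan.
SAMPLE_NEW = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|     compressors:
|       NULL
|_  least strength: A
"""

if __name__ == "__main__":
    for name, sample in (("rhel6", SAMPLE_OLD), ("demo", SAMPLE_NEW)):
        print(name, "weak suites:", weak_ciphers(parse_nmap_ciphers(sample)))
```

Pipe a real scan in (`nmap --script ssl-enum-ciphers -p 636 host | python3 check.py` with a stdin reader added) and an empty weak list is the target state; the regex deliberately ignores the `NULL` compressor line and the `TLSv1.2` header.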


