[Freeipa-users] IPA Web Portal using outdated ciphers, breaking with some clients

Martin Kosek mkosek at redhat.com
Mon Feb 1 11:41:02 UTC 2016


On 01/29/2016 08:52 PM, Jeff Hallyburton wrote:
> Rob,
> 
> Chrome is flagging this, and given the error (I've attached a copy) it's
> probably due to the cipher suite (possibly specifically that it uses
> SHA1).  This article has more details and is consistent with what we're
> seeing:
> 
> http://security.stackexchange.com/questions/83831/google-chrome-your-connection-to-website-is-encrypted-with-obsolete-cryptograph
> 
> We've also seen similar issues come up with other applications during
> penetration scans (e.g., Qualys) which is why I've noted it here.

Hello Jeff,

This is not because TLS 1.2 would have a problem, but rather because of the
FreeIPA default selection of Apache ciphers. This is something being discussed
and fixed in this thread:

http://www.redhat.com/archives/freeipa-devel/2016-January/msg00369.html

and this ticket:
https://fedorahosted.org/freeipa/ticket/5589

After our initial tests (you can see results in the ticket), FreeIPA should no
longer receive this warning and should score "A" in the SSL Labs test.

This change is expected to be released in 4.3.1 version, which is now in
development.

Martin
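For readers checking their own Apache `SSLCipherSuite` before the fixed FreeIPA release lands, the following is an added example (editor's code, not from this thread, FreeIPA, or Chrome). It assumes the Chrome rule summarised in the linked Stack Exchange answer: a suite counts as "modern" only if it uses an ECDHE key exchange and an AEAD bulk cipher (AES-GCM or ChaCha20-Poly1305); everything else, including the CBC/HMAC-SHA1 suites Jeff suspects, is reported with a reason. The suite list in `SAMPLE` is constructed and is not the FreeIPA default.

```python
"""Audit an OpenSSL-style cipher suite list against Chrome's "obsolete cryptography" rule."""
from typing import Dict, List

# Assumed rule (editor's reading of the Chrome behaviour discussed in the thread):
# modern = ECDHE key exchange (forward secrecy) + AEAD bulk cipher.
AEAD_MARKERS = ("-GCM-", "CHACHA20")
# Substrings that mark algorithms nobody should still offer; "DES" also catches DES-CBC3.
BROKEN_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5")


def classify(suite: str) -> List[str]:
    """Return the reasons an OpenSSL suite name counts as obsolete ([] if modern)."""
    name = suite.strip().upper()
    reasons = []
    if any(m in name for m in BROKEN_MARKERS):
        reasons.append("broken or export-grade algorithm")
    if not name.startswith("ECDHE-"):
        reasons.append("key exchange without forward secrecy (not ECDHE)")
    if not any(m in name for m in AEAD_MARKERS):
        # Non-AEAD suites end in their MAC hash; a bare "-SHA" suffix means HMAC-SHA1,
        # which is the SHA1 usage Chrome's warning refers to.
        mac = "HMAC-SHA1" if name.endswith("-SHA") else "a separate MAC"
        reasons.append(f"non-AEAD cipher with {mac}")
    return reasons


def audit(cipher_list: str) -> Dict[str, List[str]]:
    """Map every suite in a colon-separated OpenSSL list to its obsolete reasons."""
    return {s: classify(s) for s in cipher_list.split(":") if s}


def modern_only(cipher_list: str) -> str:
    """Return an SSLCipherSuite value that keeps only the suites rated modern."""
    return ":".join(s for s, why in audit(cipher_list).items() if not why)


# Constructed sample list (NOT the FreeIPA default): a mix typical of an older Apache config.
SAMPLE = ("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:"
          "ECDHE-RSA-AES256-SHA:AES128-SHA:ECDHE-RSA-RC4-SHA")

if __name__ == "__main__":
    for suite, why in audit(SAMPLE).items():
        print(f"{suite:32} {'modern' if not why else '; '.join(why)}")
    print("\nSSLCipherSuite", modern_only(SAMPLE))
```

The script only understands explicit suite names, not OpenSSL cipher expressions such as `HIGH:!aNULL`; expand those first with `openssl ciphers -v '<expression>'` and feed the resulting names in. A suite the function rates modern can still be rejected by a client for other reasons (certificate signature algorithm, protocol version), so treat the output as a first pass, not as a substitute for the SSL Labs scan Martin mentions.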
