[Freeipa-users] FREAK Vulnerability

Christian Heimes cheimes at redhat.com
Thu Jan 21 15:06:34 UTC 2016


On 2016-01-21 15:51, Martin Kosek wrote:
> On 01/21/2016 03:31 PM, Terry John wrote:
>> I've been trying to tidy the security on my FreeIPA and this is causing me some problems. I'm using the OpenVAS vulnerability scanner and it is coming up with this issue:
>>
>> EXPORT_RSA cipher suites supported by the remote server:
>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0006)
>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0003)
>>
>> It seems we have to disable export TLS ciphers but I can't see how. I've edited /etc/httpd/conf.d/nss.conf and disabled all SSL and TLSv1.0.
>>
>> I've got
>>
>> NSSCipherSuite -all,-exp,+<the ones I want>
>>
>> I've restarted httpd and ipa but it still fails.
>>
>> Is there something I have overlooked?
>>
>> Thanks, Terry

Hi Terry,

the syntax of your NSSCipherSuite stanza is wrong. mod_nss has a
different syntax for NSSCipherSuite than mod_ssl has for SSLCipherSuite.
The native mod_nss syntax doesn't support qualifiers such as 'all' or
'exp'. You have to put in the NSS names of cipher suites. If you use the
native syntax, then mod_nss disables all cipher suites that are not listed.

mod_nss also supports OpenSSL's / mod_ssl's syntax if you use ':'
instead of ',' as the separator. But I advise against the alternative syntax
because it is not as well tested as the native syntax. For example, the '!'
prefix used to be broken (CVE-2015-5244) and the '+' prefix causes another
issue (https://fedorahosted.org/mod_nss/ticket/20).

> Hi Terry,
> 
> Please check
> https://fedorahosted.org/freeipa/ticket/5589
> 
> We are trying to come up with a better cipher suite right now. The fix should
> be in some of the next FreeIPA 4.3.x versions.
> 
> The ticket has more details in it.

The NSSCipherSuite from
https://fedorahosted.org/freeipa/ticket/5589#comment:6 has been reviewed
by a couple of people and has been tested with ssllabs.com. The script
nssciphersuite.py in the ticket explains why certain algorithms and
cipher suites have been removed.

Christian
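The rule Christian describes (native mod_nss syntax is a comma-separated list of +name/-name tokens using NSS cipher names, anything not listed is disabled, and OpenSSL-style qualifiers such as 'all' or 'exp' are not valid there) can be turned into a pre-deployment check of an NSSCipherSuite value. The script below is an added example, not code from the thread, from FreeIPA or from mod_nss. Its name table is a small constructed sample (names follow mod_nss's lowercase convention, e.g. rsa_rc4_40_md5 for TLS_RSA_EXPORT_WITH_RC4_40_MD5) and is not an exhaustive list; the "export-grade" test simply looks for the 40- and 56-bit key-length markers in the name.

```python
"""Static check of an Apache mod_nss NSSCipherSuite directive value.

Added example; not part of the mailing-list thread, FreeIPA or mod_nss.
Assumptions: mod_nss native syntax = comma-separated "+name"/"-name" tokens,
unlisted suites disabled; a ':' separator selects the OpenSSL-compatible
parser instead. NATIVE_TO_IANA is a constructed sample, not a full table.
"""
import re

# Constructed sample: mod_nss native names -> IANA TLS suite names.
# The two 40-bit entries are the suites the scanner in the thread reported.
NATIVE_TO_IANA = {
    "rsa_rc4_40_md5": "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "rsa_rc2_40_md5": "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "rsa_des_56_sha": "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    "rsa_rc4_56_sha": "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
    "rsa_rc4_128_md5": "TLS_RSA_WITH_RC4_128_MD5",
    "rsa_3des_sha": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "rsa_aes_128_sha": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "rsa_aes_256_sha": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "ecdhe_rsa_aes_128_sha": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "ecdhe_rsa_aes_256_sha": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
}

# Words from the OpenSSL/mod_ssl cipher-string language; in mod_nss's
# native syntax they are not cipher names and therefore do nothing useful.
OPENSSL_QUALIFIERS = {
    "all", "exp", "export", "low", "medium", "high",
    "null", "enull", "anull", "complementofall", "default",
}

TOKEN_RE = re.compile(r"^([+-])([A-Za-z0-9_]+)$")


def is_export_grade(native_name: str) -> bool:
    """Heuristic: export suites carry a 40- or 56-bit key length in the name."""
    return "_40_" in native_name or "_56_" in native_name


def analyze_nss_cipher_suite(value: str) -> dict:
    """Parse a native-syntax NSSCipherSuite value and report what it enables."""
    result = {"syntax": "native", "enabled": [], "export_enabled": [],
              "errors": [], "warnings": []}
    value = value.strip()
    if ":" in value:
        # ':' switches mod_nss to its OpenSSL-compatible parser, which the
        # reply advises against; flag it rather than emulate its quirks.
        result["syntax"] = "openssl"
        result["warnings"].append(
            "':' separator selects OpenSSL-style syntax; prefer native syntax")
        return result

    enabled = set()
    for raw in value.split(","):
        token = raw.strip()
        if not token:
            continue
        match = TOKEN_RE.match(token)
        if not match:
            result["errors"].append(
                f"malformed token {token!r}: expected +name or -name")
            continue
        sign, name = match.group(1), match.group(2).lower()
        if name in OPENSSL_QUALIFIERS:
            result["errors"].append(
                f"{token!r}: {name!r} is an OpenSSL qualifier, not an NSS cipher name")
            continue
        if name not in NATIVE_TO_IANA:
            result["warnings"].append(
                f"{token!r}: not in the sample table; verify against mod_nss docs")
        if sign == "+":
            enabled.add(name)
        else:
            enabled.discard(name)

    # Native semantics: only explicitly enabled suites are on.
    result["enabled"] = sorted(enabled)
    result["export_enabled"] = sorted(
        NATIVE_TO_IANA.get(n, n) for n in enabled if is_export_grade(n))
    return result


if __name__ == "__main__":
    # Constructed sample values: the one from the question, a corrected one,
    # and one that still enables the suites the scanner complained about.
    for sample in ("-all,-exp,+rsa_aes_128_sha",
                   "+rsa_aes_128_sha,+ecdhe_rsa_aes_128_sha,-rsa_rc4_40_md5",
                   "+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_aes_128_sha",
                   "HIGH:!EXP:!aNULL"):
        report = analyze_nss_cipher_suite(sample)
        print(sample)
        for key in ("syntax", "enabled", "export_enabled", "errors", "warnings"):
            print(f"  {key}: {report[key]}")
```

Run against the value in the question, the check reports two errors (the '-all' and '-exp' qualifiers) and shows that only the explicitly listed suite would be enabled; a value that '+'-lists a 40-bit suite shows up under export_enabled with its IANA name, which is the condition the OpenVAS finding corresponds to.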
