[Freeipa-users] FREAK Vulnerability

Rob Crittenden rcritten at redhat.com
Thu Jan 21 16:58:39 UTC 2016


Christian Heimes wrote:
> On 2016-01-21 15:51, Martin Kosek wrote:
>> On 01/21/2016 03:31 PM, Terry John wrote:
>>> I've been trying to tidy the security on my FreeIPA and this is causing me some problems. I'm using OpenVAS vulnerability scanner and it is coming up with this issue
>>>
>>> EXPORT_RSA cipher suites supported by the remote server:
>>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0006)
>>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0003)
>>>
>>> It seems we have to disable export TLS ciphers but I can't see how. I've edited /etc/httpd/conf.d/nss.conf and disabled all SSL and TLSV1.0.
>>>
>>> I've got
>>>
>>> NSSCipherSuite -all,-exp,+<the ones I want>
>>>
>>> I've restarted httpd and ipa but it still fails
>>>
>>> Is there something I have overlooked?
>>>
>>> Thanks, Terry
> 
> Hi Terry,
> 
> the syntax of your NSSCipherSuite stanza is wrong. mod_nss has a
> different syntax for NSSCipherSuite than mod_ssl has for SSLCipherSuite.
> The native mod_nss syntax doesn't support qualifiers such as 'all' or
> 'exp'. You have to put in the NSS names of cipher suites. If you use the
> native syntax, then mod_nss disables all cipher suites that are not listed.
> 
> mod_nss also supports OpenSSL's / mod_ssl's syntax if you use ':'
> instead of ',' as separator. But I advise against the alternative syntax
> because it is not as well tested as the native syntax. For example '!'
> prefix used to be broken (CVE-2015-5244) and '+' prefix causes another
> issue (https://fedorahosted.org/mod_nss/ticket/20).

By that argument one would never use any software because of previous
bugs. It should work fine now, but there are some differences, and
note that the F-22 fix hasn't been pushed to stable yet
(https://bodhi.fedoraproject.org/updates/FEDORA-2016-6aa4dd4f3a).

+ doesn't add ciphers, it only re-orders them, so it is a no-op since NSS
doesn't allow cipher re-ordering.

Given you just disabled all ciphers with -ALL, -EXP is a no-op. If you
want to ban anything from adding in export ciphers later use !EXP instead.

The string is also case-sensitive and needs to be all upper-case.

But yeah, I'd check out the referenced ticket and use those as your default.

rob

> 
>> Hi Terry,
>>
>> Please check
>> https://fedorahosted.org/freeipa/ticket/5589
>>
>> We are trying to come up with a better cipher suite right now. The fix should
>> be in some of the next FreeIPA 4.3.x versions.
>>
>> The ticket has more details in it.
> 
> The NSSCipherSuite from
> https://fedorahosted.org/freeipa/ticket/5589#comment:6 has been reviewed
> by a couple of people and has been tested with ssllabs.com. The script
> nssciphersuite.py in the ticket explains why certain algorithms and
> cipher suites have been removed.
> 
> Christian
