[Freeipa-users] FREAK Vulnerability
Rob Crittenden
rcritten at redhat.com
Thu Jan 21 16:58:39 UTC 2016
Christian Heimes wrote:
> On 2016-01-21 15:51, Martin Kosek wrote:
>> On 01/21/2016 03:31 PM, Terry John wrote:
>>> I've been trying to tidy the security on my FreeIPA and this is causing me some problems. I'm using OpenVAS vulnerability scanner and it is coming up with this issue
>>>
>>> EXPORT_RSA cipher suites supported by the remote server:
>>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0006)
>>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0003)
>>>
>>> It seems we have to disable export TLS ciphers but I can't see how. I've edited /etc/httpd/conf.d/nss.conf and disabled all SSL and TLSV1.0.
>>>
>>> I've got
>>>
>>> NSSCipherSuite -all,-exp,+<the ones I want>
>>>
>>> I've restarted httpd and ipa but it still fails.
>>>
>>> Is there something I have overlooked?
>>>
>>> Thanks, Terry
>
> Hi Terry,
>
> the syntax of your NSSCipherSuite stanza is wrong. mod_nss has a
> different syntax for NSSCipherSuite than mod_ssl has for SSLCipherSuite.
> The native mod_nss syntax doesn't support qualifiers such as 'all' or
> 'exp'. You have to put in the NSS names of cipher suites. If you use the
> native syntax, then mod_nss disables all cipher suites that are not listed.
>
> mod_nss also supports OpenSSL's / mod_ssl's syntax if you use ':'
> instead of ',' as separator. But I advise against the alternative syntax
> because it is not as well tested as the native syntax. For example '!'
> prefix used to be broken (CVE-2015-5244) and '+' prefix causes another
> issue (https://fedorahosted.org/mod_nss/ticket/20).
By that argument one would never use any software because of previous
bugs. It should work fine now, but there are some differences, but
note that the F-22 fix hasn't been pushed to stable yet
(https://bodhi.fedoraproject.org/updates/FEDORA-2016-6aa4dd4f3a).

+ doesn't add ciphers, it only re-orders them so is a no-op since NSS
doesn't allow cipher re-ordering.

Given you just disabled all ciphers with -ALL, -EXP is a no-op. If you
want to ban anything from adding in export ciphers later use !EXP instead.

The string is also case-sensitive and needs to be all upper-case.

But yeah, I'd check out the referenced ticket and use those as your default.

rob
>
>> Hi Terry,
>>
>> Please check
>> https://fedorahosted.org/freeipa/ticket/5589
>>
>> We are trying to come up with a better cipher suite right now. The fix should
>> be in some of the next FreeIPA 4.3.x versions.
>>
>> The ticket has more details in it.
>
> The NSSCipherSuite from
> https://fedorahosted.org/freeipa/ticket/5589#comment:6 has been reviewed
> by a couple of people and has been tested with ssllabs.com. The script
> nssciphersuite.py in the ticket explains why certain algorithms and
> cipher suites have been removed.
>
> Christian
>
>
>
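The two NSSCipherSuite syntaxes discussed in this thread (native mod_nss names separated by ',' versus the OpenSSL-style list separated by ':'), as an added audit script that is not part of the thread or of mod_nss itself: it flags the mistakes named above (qualifiers in the native syntax, lower-case tokens, '+' no-ops, '-X' after '-ALL' instead of '!X', and enabled export-grade suites). The sample directives and the NSS-style cipher names are constructed assumptions, not values taken from the ticket.

```python
import re

# Constructed sample directives (not from the thread). The NSS-style names
# (rsa_aes_128_sha, rsa_rc4_40_md5, ...) are assumed to be the names mod_nss
# accepts in its native syntax; verify them against your mod_nss version.
SAMPLES = {
    "native_qualifiers": "-all,-exp,+rsa_aes_128_sha,+rsa_aes_256_sha",
    "native_export": "+rsa_aes_128_sha,+rsa_rc4_40_md5",
    "openssl_noops": "-ALL:-EXP:+AES",
    "openssl_ok": "ALL:!EXP:!RC4:!MD5",
}
EXPORT_NAME = re.compile(r"_40_|_56_|export", re.IGNORECASE)  # 40/56-bit = export grade
QUALIFIERS = {"ALL", "EXP", "EXPORT", "LOW", "MEDIUM", "HIGH", "NULL"}

def _split(tok, prefixes):
    """Split '+name' into ('+', 'name'); tokens without a prefix get ''."""
    return (tok[0], tok[1:]) if tok and tok[0] in prefixes else ("", tok)

def audit_nss_cipher_suite(directive):
    """Return a list of findings for one NSSCipherSuite value (empty = clean)."""
    findings = []
    if ":" in directive:  # ':' separator selects the OpenSSL/mod_ssl-style syntax
        tokens = [t.strip() for t in directive.split(":")]
        disabled_all = False
        for tok in tokens:
            prefix, name = _split(tok, "+-!")
            if name != name.upper():  # alternative syntax is case-sensitive, upper-case only
                findings.append(f"{tok}: must be upper-case")
                name = name.upper()
            if prefix == "+":  # '+' only re-orders; NSS cannot re-order, so it is a no-op
                findings.append(f"{tok}: '+' enables nothing")
            elif prefix == "-" and name == "ALL":
                disabled_all = True
            elif prefix == "-" and disabled_all:
                findings.append(f"{tok}: '-' after -ALL is a no-op; use !{name}")
            elif prefix == "" and name in ("EXP", "EXPORT"):
                findings.append(f"{tok}: enables export-grade ciphers")
        if not any(t.upper() in ("!EXP", "!EXPORT") for t in tokens):
            findings.append("no !EXP: export ciphers could be re-added later")
    else:  # ',' separator: native mod_nss syntax, NSS cipher names with +/- only
        for tok in (t.strip() for t in directive.split(",")):
            prefix, name = _split(tok, "+-")
            if name.upper() in QUALIFIERS:
                findings.append(f"{tok}: qualifiers are not supported in native syntax")
            elif prefix == "":
                findings.append(f"{tok}: native syntax needs a '+' or '-' prefix")
            elif prefix == "+" and EXPORT_NAME.search(name):
                findings.append(f"{tok}: enables an export-grade cipher")
    return findings
```

Run it over the `NSSCipherSuite` value from nss.conf before restarting httpd; an empty list means none of the pitfalls from this thread were detected, not that the suite is otherwise strong.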