[Freeipa-users] FREAK Vulnerability

Christian Heimes cheimes at redhat.com
Thu Jan 21 17:18:43 UTC 2016


On 2016-01-21 17:54, Terry John wrote:
>>> I've been trying to tidy the security on my FreeIPA and this is
>>> causing me some problems. I'm using OpenVAS vulnerability scanner and
>>> it is coming up with this issue
>>>
>>> EXPORT_RSA cipher suites supported by the remote server:
>>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0006)
>>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0003)
>>>
>>> It seems we have to disable export TLS ciphers but I can't see how. I've edited /etc/httpd/conf.d/nss.conf and disabled all SSL and TLSV1.0.
>>>
>>> NSSCipherSuite -all,-exp,+<the ones I want>
>>>
>>> I've restarted httpd and ipa but it still fails
>>>
>>> Is there something I have overlooked
> 
> 
>> Hi Terry,
>>
>> Please check
>> https://fedorahosted.org/freeipa/ticket/5589
>>
>> We are trying to come up with a better cipher suite right now. The fix should be in some of the next FreeIPA 4.3.x versions.
>>
>> The ticket has more details in it.
> 
> Thanks for the info. I have tried nearly all the NSSCipherSuite settings in that ticket but none so far has eliminated the FREAK report.
> Christian thanks for the heads up on the syntax, I wasn't sure of what I was doing
> 
> Each time I've made a change I've run an sslscan from the OpenVAS scanner and I do get a different result each time but the errors still remain in OpenVAS.
> Aaargh! Just noticed the port is 636/tcp(!) which is ns-slapd.
> 
> Back to the drawing board :-)

The TLS/SSL configuration of the LDAP server is handled by a different
configuration file. It's on my radar, but I haven't touched it yet. LDAP
clients and browsers are different beasts. ssllabs.com makes it very
convenient to test a site against all relevant browsers. There is no
such service for LDAP.

By the way does OpenVAS also detect issues on 389/TCP for LDAP with
STARTTLS? 389/TCP talks plain TCP first but can be upgraded to TLS with
STARTTLS.

Christian
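An added example, not code from the thread or from FreeIPA, that does the check Terry was after on the right port: it offers an LDAP endpoint only the two EXPORT_RSA suites OpenVAS reported and sees whether the server accepts one, either directly on 636 or on 389 after an LDAP StartTLS request. The host and port are assumed arguments; the ClientHello fields are constructed minimally and are not a full TLS client.

```python
import socket
import struct

# The export-grade RSA suites flagged in the OpenVAS report (TLS cipher suite ids).
EXPORT_SUITES = {0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
                 0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5"}

# LDAPMessage { messageID 1, ExtendedRequest { requestName 1.3.6.1.4.1.1466.20037 } }
# i.e. the StartTLS extended operation, hand-encoded in BER.
_OID = b"1.3.6.1.4.1.1466.20037"
_NAME = b"\x80" + bytes([len(_OID)]) + _OID            # [0] requestName
_OP = b"\x77" + bytes([len(_NAME)]) + _NAME            # [APPLICATION 23] ExtendedRequest
STARTTLS_REQUEST = b"\x30" + bytes([3 + len(_OP)]) + b"\x02\x01\x01" + _OP

def build_client_hello(suites):
    """TLS 1.0 ClientHello offering only `suites`, wrapped in a handshake record."""
    random = b"\x00" * 32                              # constructed; irrelevant for this check
    body = (b"\x03\x01" + random + b"\x00"             # version, random, empty session id
            + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00")                             # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_server_response(data):
    """Return the suite id the server selected, or None if it refused the offer."""
    if len(data) < 46 or data[0] != 0x16:              # 0x15 = alert: server rejected the hello
        return None
    if data[5] != 0x02:                                # not a ServerHello handshake message
        return None
    sid_len = data[43]                                 # 5 record + 4 hs + 2 version + 32 random
    return struct.unpack("!H", data[44 + sid_len:46 + sid_len])[0]

def negotiated_export_suite(host, port, starttls=False, timeout=5):
    """Probe host:port (636 for LDAPS, 389 with starttls=True) for an export suite.

    Returns the suite name the server picked, or None when it refuses them all.
    Assumes the ServerHello arrives at the start of the first TLS record read."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if starttls:
            sock.sendall(STARTTLS_REQUEST)
            reply = sock.recv(4096)                    # ExtendedResponse
            if b"\x0a\x01\x00" not in reply:           # resultCode ENUMERATED 0 = success
                return None
        sock.sendall(build_client_hello(EXPORT_SUITES))
        return EXPORT_SUITES.get(parse_server_response(sock.recv(4096)))
```

A fixed server should answer the hello with a handshake_failure alert, giving None on both 636 and 389+StartTLS; any suite name returned means the ns-slapd cipher list still needs work.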
