[Freeipa-users] FREAK Vulnerability

Christian Heimes cheimes at redhat.com
Fri Jan 22 10:03:05 UTC 2016


On 2016-01-21 17:54, Terry John wrote:
> Thanks for the info. I have tried nearly all the NSSCipherSuite settings in that ticket but none so far has eliminated the FREAK report.
> Christian thanks for the heads up on the syntax, I wasn't sure of what I was doing
> 
> Each time I've made a change I've run an sslscan from the OpenVAS scanner and I do get a different result each time but the errors still remain in OpenVAS.
> Aaargh! Just noticed the port is 636/tcp(!) which is ns-slapd.
> 
> Back to the drawing board :-)

Hi Terry,

you can give the attached file a try. It's an ldif file for
ipa-ldap-updater. You need to run the command on the machine as root and
restart 389-DS.

The hardened TLS configuration is highly experimental and comes with no
warranty whatsoever. The configuration works on my test systems with
Python's ldap client and Apache Directory Studio. It may not work with
other clients, especially older clients or clients in FIPS mode.

Christian

-------------- next part --------------
# Harden TLS/SSL configuration of 389-DS
#
# Christian Heimes <cheimes at redhat.com>
#
# $ sudo ipa-ldap-updater slapd_ssl.uldif
# $ sudo ipactl restart

dn: cn=encryption,cn=config
only: allowWeakCipher: off
only: nsSSL2: off
only: nsSSL3: off
only: nsTLS1: on
only: sslVersionMin: TLS1.0
only: sslVersionMax: TLS1.2
only: nsSSL3Ciphers: +TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA
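As an added example (not part of the post, nor FreeIPA or 389-DS code), a small audit script that parses the `only:` directives of a uldif like the one attached above and reports settings that would still let a scanner flag export-grade cipher downgrades such as FREAK. The embedded input is a shortened copy of the attachment, and the list of weak-suite markers is this example's own assumption.

```python
"""Audit a 389-DS cn=encryption uldif for weak TLS settings (added example)."""
import re

# Constructed sample input: the attachment from the post, with a shortened cipher list.
SAMPLE_ULDIF = """\
dn: cn=encryption,cn=config
only: allowWeakCipher: off
only: nsSSL2: off
only: nsSSL3: off
only: nsTLS1: on
only: sslVersionMin: TLS1.0
only: sslVersionMax: TLS1.2
only: nsSSL3Ciphers: +TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
"""

# Assumed markers of suites an auditor rejects outright: export-grade RSA
# (the FREAK downgrade target), RC4, single DES, NULL encryption, MD5 MACs.
WEAK_MARKERS = ("EXPORT", "RC4", "_DES_", "NULL", "MD5")


def parse_uldif(text):
    """Return {attribute: value} from the 'only:/replace:/add: attr: value' lines."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"^(?:only|replace|add):\s*([\w-]+):\s*(.*)$", line)
        if m:
            attrs[m.group(1)] = m.group(2).strip()
    return attrs


def audit_encryption(attrs):
    """Return a list of findings; an empty list means the entry passes the audit."""
    findings = []
    for proto in ("nsSSL2", "nsSSL3"):
        if attrs.get(proto, "off").lower() != "off":
            findings.append(f"{proto} is enabled")
    if attrs.get("allowWeakCipher", "on").lower() != "off":
        findings.append("allowWeakCipher is not off")
    for suite in filter(None, (s.strip() for s in attrs.get("nsSSL3Ciphers", "").split(","))):
        if suite.startswith("-"):
            continue  # explicitly disabled suite, nothing to report
        if not suite.startswith("+"):
            findings.append(f"entry is not an explicit '+suite': {suite}")
        elif any(marker in suite.upper() for marker in WEAK_MARKERS):
            findings.append(f"weak suite enabled: {suite}")
    return findings


if __name__ == "__main__":
    for finding in audit_encryption(parse_uldif(SAMPLE_ULDIF)) or ["no findings"]:
        print(finding)
```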

