[Freeipa-users] FREAK Vulnerability

Christian Heimes cheimes at redhat.com
Thu Jan 28 12:46:12 UTC 2016


On 2016-01-28 13:32, Terry John wrote:
> I'm really confused now. After the problem where my freeipa server would not start and I had to use the backup I'm trying to do things in small steps.
> 
> Listening to everything that has been said (thanks) I edited 
> slapd-<MY-NET>/dse.ldif slapd-PKI-IPA/dse.ldif and changed the lines
> 
> nsSSL3Ciphers:  <My-Original-Ciphers>
> to
> nsSSL3Ciphers:+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha
> (There is a space after the colon)
> 
> Then I did a 'service ip restart' and when I looked the dse.ldif files had reverted back to their original settings.
> 
> Where am I going wrong?

There is another catch. The SSL module of 389-DS uses different names
for ciphers than mod_nss. Both have their own nick name table for the
official TLS suite names. Recent versions of 389-DS also support the
official cipher suite names. I don't know which version of 389-DS
introduced the feature. I only looked at the most recent code.

https://git.fedorahosted.org/cgit/389/ds.git/tree/ldap/servers/slapd/ssl.c#n150

https://git.fedorahosted.org/cgit/mod_nss.git/tree/nss_engine_cipher.c#n23

Regards,
Christian
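An added check, not code from this thread or from the 389-DS project: it reads the nsSSL3Ciphers value out of a dse.ldif fragment while honouring LDIF line folding, then reports enabled export-grade or otherwise weak suites and any token written without a +/- prefix. The dse.ldif fragment and the weak-name patterns are constructed assumptions for the example.

```python
# Substrings that mark a suite an administrator hardening against FREAK
# would not want enabled (assumed list, matched against the nickname).
WEAK_PATTERNS = {
    "export": "export-grade key size (FREAK-class downgrade target)",
    "rc4": "RC4 stream cipher",
    "md5": "MD5 MAC",
    "des": "DES/3DES block cipher",
    "null": "no encryption",
}

# Constructed dse.ldif fragment (not from the thread). The value is folded
# across LDIF continuation lines, which start with a single space.
SAMPLE_DSE_LDIF = """dn: cn=encryption,cn=config
objectClass: top
cn: encryption
nsSSL3Ciphers: +aes_128_sha_256,+aes_256_sha_256,+ecdhe_rsa_aes_128_gcm_sha_256,
 +ecdhe_rsa_aes_256_gcm_sha_384,+rsa_aes_128_sha,+rsa_aes_256_sha,
 +rsa_rc4_128_md5,-rsa_export_rc4_40_md5,tls_rsa_export1024_with_rc4_56_sha
nsSSL3: off
"""

def unfold_ldif(text):
    """Join LDIF continuation lines onto the line they continue."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def get_attribute(text, attr):
    """Return the first value of `attr` (attribute names are case-insensitive)."""
    for line in unfold_ldif(text):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == attr.lower():
            return value.strip()
    return None

def parse_ciphers(value):
    """Split an nsSSL3Ciphers value into (prefix, lowercase name) pairs."""
    out = []
    for tok in (t.strip() for t in value.split(",")):
        if tok:
            prefix = tok[0] if tok[0] in "+-" else ""
            out.append((prefix, tok.lstrip("+-").lower()))
    return out

def audit_ciphers(text):
    """Return (name, problem) findings for the nsSSL3Ciphers attribute in dse.ldif text."""
    value = get_attribute(text, "nsSSL3Ciphers")
    if value is None:
        return [("nsSSL3Ciphers", "attribute missing, server default applies")]
    findings = []
    for prefix, name in parse_ciphers(value):
        if prefix == "":
            findings.append((name, "no +/- prefix; intent is ambiguous"))
        if prefix == "-":
            continue  # explicitly disabled, nothing to flag
        for pat, why in WEAK_PATTERNS.items():
            if pat in name:
                findings.append((name, f"enabled weak cipher: {why}"))
    return findings

if __name__ == "__main__":
    for name, problem in audit_ciphers(SAMPLE_DSE_LDIF):
        print(f"{name}: {problem}")
```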

