[Freeipa-users] FREAK Vulnerability

Prasun Gera prasun.gera at gmail.com
Thu Jan 28 16:35:04 UTC 2016


Can someone at RH update this article
https://access.redhat.com/articles/1467293 ? I found it to be fairly
useful, but I'm not sure if it's up to date.

On Thu, Jan 28, 2016 at 11:04 AM, Terry John <
Terry.John at completeautomotivesolutions.co.uk> wrote:

> OK, thanks for that, but I've had to give up; our FreeIPA server is too
> critical to our business for me to continue, even with outages of one or two
> minutes.
>
> The ciphers below were not recognised, and when I just tried to remove the
> export ciphers from the original list I got this error:
> (Netscape Portable Runtime error -12266 - An unknown SSL cipher suite has
> been requested.)
>
> A typo or a fundamental problem, I don't know.
>
> I am working in an AWS environment and have tried making a clone and
> working on that but freeipa just gets confused and stops. I suppose another
> alternative is to build a freeipa server from scratch and work on that.
> Seems an awful lot of work to remove one cipher :-(
>
> terry
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: 28 January 2016 14:35
> To: Terry John; Marat Vyshegorodtsev; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] FREAK Vulnerability
>
> Terry John wrote:
> > I'm really confused now. After the problem where my freeipa server would
> > not start and I had to use the backup I'm trying to do things in small
> > steps.
> >
> > Listening to everything that has been said (thanks) I edited
> > slapd-<MY-NET>/dse.ldif slapd-PKI-IPA/dse.ldif and changed the lines
> >
> > nsSSL3Ciphers:  <My-Original-Ciphers>
> > to
> > nsSSL3Ciphers: +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha
> > (There is a space after the colon)
> >
> > Then I did a 'service ip restart' and when I looked the dse.ldif files
> had reverted back to their original settings..
> >
> > Where am I going wrong?
>
> dse.ldif is written out when the server shuts down so any changes you make
> to it while 389-ds is running are lost.
>
> rob
>
> >
> > Terry
> >
> >
> > -----Original Message-----
> > From: Rob Crittenden [mailto:rcritten at redhat.com]
> > Sent: 28 January 2016 04:49
> > To: Marat Vyshegorodtsev; Terry John; freeipa-users at redhat.com
> > Subject: Re: [Freeipa-users] FREAK Vulnerability
> >
> > Marat Vyshegorodtsev wrote:
> >> My two cents:
> >>
> >> My "magic" string for NSS is like this (I had to move to Fedora 23
> >> from CentOS in order to get more recent NSS version though):
> >>
> >> NSSProtocol TLSv1.2
> >> NSSCipherSuite -All,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+aes_256_sha_256,+aes_128_sha_256,+rsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_rsa_aes_128_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_gcm_sha_256
> >
> > The -All is a syntax error (ignored). All ciphers are disabled by
> default anyway.
> >
> > I'd suggest using the ticket already referenced as a starting point.
> >
> > /usr/lib[64]/nss/unsupported-tools/listsuites is also handy to see what
> is enabled by default in NSS (though again, everything is disabled by
> mod_nss at startup).
> >
> > rob
> >
> >>
> >> My cert is ECDSA private CA though. If you are interested, I can give
> >> you my chef recipe snippets to configure it.
> >>
> >> On Thu, Jan 28, 2016 at 11:02 AM, Marat Vyshegorodtsev
> >> <marat.vyshegorodtsev at gmail.com> wrote:
> >>> My two cents:
> >>>
> >>> My "magic" string for NSS is like this (I had to move to Fedora 23
> >>> from CentOS in order to get more recent NSS version though):
> >>>
> >>> NSSProtocol TLSv1.2
> >>> NSSCipherSuite -All,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+aes_256_sha_256,+aes_128_sha_256,+rsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_rsa_aes_128_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_gcm_sha_256
> >>>
> >>> My cert is ECDSA private CA though. If you are interested, I can
> >>> give you my chef recipe snippets to configure it.
> >>>
> >>> Marat
> >>>
> >>> On Fri, Jan 22, 2016 at 1:54 AM, Terry John
> >>> <Terry.John at completeautomotivesolutions.co.uk> wrote:
> >>>>>> I've been trying to tidy the security on my FreeIPA and this is
> >>>>>> causing me some problems. I'm using OpenVAS vulnerability scanner
> >>>>>> and it is coming up with this issue
> >>>>>>
> >>>>>> EXPORT_RSA cipher suites supported by the remote server:
> >>>>>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0006)
> >>>>>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0003)
> >>>>>>
> >>>>>> It seems we have to disable export TLS ciphers but I can't see
> >>>>>> how. I've edited /etc/httpd/conf.d/nss.conf and disabled all SSL and
> >>>>>> TLSv1.0.
> >>>>>
> >>>>>> NSSCipherSuite -all,-exp,+<the ones I want>
> >>>>>>
> >>>>>> I've restarted httpd and ipa but it still fails
> >>>>>>
> >>>>>> Is there something I have overlooked
> >>>>
> >>>>
> >>>>> Hi Terry,
> >>>>>
> >>>>> Please check
> >>>>> https://fedorahosted.org/freeipa/ticket/5589
> >>>>>
> >>>>> We are trying to come up with a better cipher suite right now. The
> fix should be in some of the next FreeIPA 4.3.x versions.
> >>>>>
> >>>>> The ticket has more details in it.
> >>>>
> >>>> Thanks for the info. I have tried nearly all the NSSCipherSuite
> settings in that ticket but none so far has eliminated the FREAK report.
> >>>> Christian thanks for the heads up on the syntax, I wasn't sure of
> >>>> what I was doing
> >>>>
> >>>> Each time I've made a change I've run an sslscan from the OpenVAS
> >>>> scanner and I do get a different result each time, but the error still
> >>>> remains in OpenVAS.
> >>>> Aaargh! Just noticed the port is 636/tcp(!) which is ns-slapd.
> >>>>
> >>>> Back to the drawing board :-)
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> --
> >>>> Manage your subscription for the Freeipa-users mailing list:
> >>>> https://www.redhat.com/mailman/listinfo/freeipa-users
> >>>> Go to http://freeipa.org for more info on the project
> >>
> >
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160128/a42d00fa/attachment.htm>
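Terry's OpenVAS finding is about port 636 (ns-slapd), not only about httpd, so a quick check that talks to each listener directly is useful after every config change. The block below is an added example, not code from the thread, from FreeIPA or from OpenVAS: it builds a TLS 1.0 ClientHello that offers only the two EXPORT_RSA suites the scanner listed, TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003) and TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006), and classifies the first record the server returns. A ServerHello means the server negotiated an export suite (the FREAK condition); an alert means it refused. The host name in the main block and the response fixtures at the bottom are constructed for illustration.

```python
# Added example (not from the thread or from FreeIPA/OpenVAS): a minimal probe
# for the FREAK finding.  It offers only the two EXPORT_RSA suites OpenVAS listed
# in a TLS 1.0 ClientHello and classifies the server's first record.  Run it
# against both 443 (httpd/mod_nss) and 636 (ns-slapd).
import os
import socket
import struct

EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
}
TLS10 = b"\x03\x01"


def build_client_hello(suites, version=TLS10):
    """Return one TLS record carrying a bare ClientHello (no extensions)."""
    rand = struct.pack("!I", 0) + os.urandom(28)          # gmt_unix_time + 28 random bytes
    cipher_list = b"".join(struct.pack("!H", s) for s in suites)
    body = (version + rand
            + b"\x00"                                     # session_id: empty
            + struct.pack("!H", len(cipher_list)) + cipher_list
            + b"\x01\x00")                                # compression_methods: null only
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1, 24-bit length
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first TLS record in data.

    Returns ("accepted", suite) for a ServerHello, ("rejected", alert_description)
    for an alert record, and ("unknown", None) for anything else or truncated input.
    """
    if len(data) < 5:
        return "unknown", None
    content_type = data[0]
    length = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if content_type == 0x15 and len(payload) >= 2:        # alert: level, description
        return "rejected", payload[1]
    if content_type == 0x16 and len(payload) >= 39 and payload[0] == 0x02:
        # ServerHello: type(1) len(3) version(2) random(32) session_id_len(1) sid suite(2)
        sid_len = payload[38]
        if len(payload) >= 41 + sid_len:
            suite = struct.unpack("!H", payload[39 + sid_len:41 + sid_len])[0]
            return "accepted", suite
    return "unknown", None


def probe(host, port=636, timeout=5.0):
    """Connect, send the export-only ClientHello and return a one-line verdict."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(EXPORT_SUITES))
        data = sock.recv(4096)
    verdict, detail = classify_response(data)
    if verdict == "accepted":
        return "VULNERABLE: negotiated %s" % EXPORT_SUITES.get(detail, "0x%04x" % detail)
    if verdict == "rejected":
        return "ok: server refused with alert description %d" % detail
    return "inconclusive: unexpected or empty response"


# Constructed fixtures for offline checking (not captured from a real server).
def make_server_hello(suite, version=TLS10):
    """Build a ServerHello record that chooses `suite` with an empty session id."""
    body = version + b"\x00" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = b"\x02" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake


HANDSHAKE_FAILURE = b"\x15" + TLS10 + b"\x00\x02" + b"\x02\x28"   # fatal, handshake_failure(40)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "ipa.example.test"   # assumed host name
    for port in (443, 636):
        try:
            print(port, probe(host, port))
        except OSError as exc:
            print(port, "error:", exc)
```

Because the ClientHello offers nothing but the two export suites, a server that has them disabled has no common suite and must send an alert; any ServerHello at all is a finding. An "inconclusive" result usually means the listener is not TLS on that port (for example 389 with STARTTLS), not that it is clean.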
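Rob's point that 389-ds writes dse.ldif out on shutdown explains why Terry's edit vanished: the file has to be changed while the instance is stopped (on FreeIPA, ipactl stop before and ipactl start after), and a hand edit of a long folded LDIF value is easy to get wrong. The block below is an added example, not code from the thread or from 389-ds/FreeIPA. It unfolds the LDIF (RFC 2849 folds long values onto continuation lines that begin with one space), replaces nsSSL3Ciphers on cn=encryption,cn=config, and refuses a value that still enables an export suite or is malformed, which is the sort of thing that earns the -12266 "unknown SSL cipher suite" error. Assumptions: the export suites are spelled rsa_rc4_40_md5 and rsa_rc2_40_md5 in the cipher names mod_nss and 389-ds use (taken from NSS's cipher tables, not from the thread), the 78-column fold width is an arbitrary choice, and the dse.ldif fragment at the bottom is constructed for the demonstration.

```python
# Added example (not from the thread or from 389-ds/FreeIPA): rewrite the
# nsSSL3Ciphers attribute in a 389-ds dse.ldif and sanity-check the new value.
# Run it only while the instance is stopped: 389-ds rewrites dse.ldif on
# shutdown, so edits made to a running server are lost (as Rob explains).
EXPORT_NAMES = {"rsa_rc4_40_md5", "rsa_rc2_40_md5"}   # assumed NSS names for 0x0003/0x0006
ENCRYPTION_DN = "cn=encryption,cn=config"            # entry that carries nsSSL3Ciphers


def unfold_ldif(text):
    """Join RFC 2849 continuation lines (leading single space) onto the line before."""
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]
        else:
            logical.append(line)
    return logical


def fold_ldif_line(line, width=78):
    """Fold one logical line back into physical lines (width is an arbitrary choice)."""
    pieces = [line[:width]]
    rest = line[width:]
    while rest:
        pieces.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return pieces


def check_cipher_spec(spec):
    """Return a list of problems with an nsSSL3Ciphers value; empty means it looks sane."""
    problems, seen = [], set()
    for tok in spec.split(","):
        tok = tok.strip()
        if not tok:
            problems.append("empty token (stray comma)")
            continue
        if tok[0] not in "+-":
            problems.append("token %r has no leading + or -" % tok)
            continue
        name = tok[1:].lower()
        if tok[0] == "+" and name in EXPORT_NAMES:
            problems.append("export suite %s is still enabled" % name)
        if name in seen:
            problems.append("cipher %s listed twice" % name)
        seen.add(name)
    return problems


def _entry_lines(dse_text, entry_dn):
    """Yield (in_entry, logical_line), tracking which LDIF entry each line belongs to."""
    in_entry = False
    for line in unfold_ldif(dse_text):
        if line.lower().startswith("dn:"):
            in_entry = line[3:].strip().lower() == entry_dn.lower()
        yield in_entry, line


def get_ciphers(dse_text, entry_dn=ENCRYPTION_DN):
    """Return the current nsSSL3Ciphers value on entry_dn, or None if absent."""
    for in_entry, line in _entry_lines(dse_text, entry_dn):
        if in_entry and line.lower().startswith("nsssl3ciphers:"):
            return line.split(":", 1)[1].strip()
    return None


def set_ciphers(dse_text, new_spec, entry_dn=ENCRYPTION_DN):
    """Return dse_text with nsSSL3Ciphers on entry_dn replaced; refuse a bad spec."""
    problems = check_cipher_spec(new_spec)
    if problems:
        raise ValueError("; ".join(problems))
    out, replaced = [], False
    for in_entry, line in _entry_lines(dse_text, entry_dn):
        if in_entry and line.lower().startswith("nsssl3ciphers:"):
            line = "nsSSL3Ciphers: " + new_spec
            replaced = True
        out.extend(fold_ldif_line(line))
    if not replaced:
        raise ValueError("no nsSSL3Ciphers attribute on " + entry_dn)
    return "\n".join(out) + "\n"


# Constructed dse.ldif fragment (not a real file); the value is folded as LDIF allows.
SAMPLE_DSE = """dn: cn=config
cn: config
nsslapd-port: 389

dn: cn=encryption,cn=config
cn: encryption
nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_aes_128_sha,+rsa_aes
 _256_sha
"""

HARDENED = ("+rsa_aes_128_sha,+rsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,"
            "+ecdhe_rsa_aes_256_gcm_sha_384")

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DSE
    print("current:", get_ciphers(text))
    print("problems:", check_cipher_spec(get_ciphers(text) or ""))
    sys.stdout.write(set_ciphers(text, HARDENED))
```

Run it with the path of each slapd-INSTANCE/dse.ldif while that instance is stopped and write the output back over the file. If stopping the server is not an option, the same attribute on cn=encryption,cn=config can be changed with ldapmodify against the running server, which 389-ds then persists itself; in both cases the new cipher list only takes effect after a restart, so the probe against 636 should be repeated afterwards.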