[Freeipa-users] FREAK Vulnerability
Rob Crittenden
rcritten at redhat.com
Thu Jan 28 17:08:15 UTC 2016
Prasun Gera wrote:
> Can someone at RH update this
> article https://access.redhat.com/articles/1467293 ? I found it to be
> fairly useful, but I'm not sure if it's up to date.
mod_nss was rebased from 1.0.8 to 1.0.10 in 7.2 which added TLSv1.2
support. I'll notify the author.
rob
>
> On Thu, Jan 28, 2016 at 11:04 AM, Terry John
> <Terry.John at completeautomotivesolutions.co.uk
> <mailto:Terry.John at completeautomotivesolutions.co.uk>> wrote:
>
> Ok thanks for that, but I've had to give up: our freeipa server is
> too critical to our business for me to continue, even with outages of
> one or two minutes.
>
> The ciphers below were not recognised, and when I just tried to
> remove the export ciphers from the original list I got this error
> (Netscape Portable Runtime error -12266 - An unknown SSL cipher
> suite has been requested).
>
> A typo or a fundamental problem, I don't know.
>
> I am working in an AWS environment and have tried making a clone and
> working on that but freeipa just gets confused and stops. I suppose
> another alternative is to build a freeipa server from scratch and
> work on that. Seems an awful lot of work to remove one cipher :-(
>
> terry
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com
> <mailto:rcritten at redhat.com>]
> Sent: 28 January 2016 14:35
> To: Terry John; Marat Vyshegorodtsev; freeipa-users at redhat.com
> <mailto:freeipa-users at redhat.com>
> Subject: Re: [Freeipa-users] FREAK Vulnerability
>
> Terry John wrote:
> > I'm really confused now. After the problem where my freeipa server
> > would not start and I had to use the backup, I'm trying to do things
> > in small steps.
> >
> > Listening to everything that has been said (thanks) I edited
> > slapd-<MY-NET>/dse.ldif slapd-PKI-IPA/dse.ldif and changed the lines
> >
> > nsSSL3Ciphers: <My-Original-Ciphers>
> > to
> > nsSSL3Ciphers: +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha
> > (There is a space after the colon)
> >
> > Then I did a 'service ip restart' and when I looked the dse.ldif
> > files had reverted back to their original settings.
> >
> > Where am I going wrong?
>
> dse.ldif is written out when the server shuts down so any changes
> you make to it while 389-ds is running are lost.
>
> rob
>
> >
> > Terry
> >
> >
> > -----Original Message-----
> > From: Rob Crittenden [mailto:rcritten at redhat.com
> <mailto:rcritten at redhat.com>]
> > Sent: 28 January 2016 04:49
> > To: Marat Vyshegorodtsev; Terry John; freeipa-users at redhat.com
> <mailto:freeipa-users at redhat.com>
> > Subject: Re: [Freeipa-users] FREAK Vulnerability
> >
> > Marat Vyshegorodtsev wrote:
> >> My two cents:
> >>
> >> My "magic" string for NSS is like this (I had to move to Fedora 23
> >> from CentOS in order to get more recent NSS version though):
> >>
> >> NSSProtocol TLSv1.2
> >> NSSCipherSuite -All,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+aes_256_sha_256,+aes_128_sha_256,+rsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_rsa_aes_128_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_gcm_sha_256
> >
> > The -All is a syntax error (ignored). All ciphers are disabled by
> > default anyway.
> >
> > I'd suggest using the ticket already referenced as a starting point.
> >
> > /usr/lib[64]/nss/unsupported-tools/listsuites is also handy to see
> > what is enabled by default in NSS (though again, everything is
> > disabled by mod_nss at startup).
> >
> > rob
> >
> >>
> >> My cert is ECDSA private CA though. If you are interested, I can give
> >> you my chef recipe snippets to configure it.
> >>
> >> On Thu, Jan 28, 2016 at 11:02 AM, Marat Vyshegorodtsev
> >> <marat.vyshegorodtsev at gmail.com
> <mailto:marat.vyshegorodtsev at gmail.com>> wrote:
> >>> On Fri, Jan 22, 2016 at 1:54 AM, Terry John
> >>> <Terry.John at completeautomotivesolutions.co.uk
> <mailto:Terry.John at completeautomotivesolutions.co.uk>> wrote:
> >>>>>> I've been trying to tidy the security on my FreeIPA and this is
> >>>>>> causing me some problems. I'm using OpenVAS vulnerability scanner
> >>>>>> and it is coming up with this issue
> >>>>>>
> >>>>>> EXPORT_RSA cipher suites supported by the remote server:
> >>>>>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0006)
> >>>>>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0003)
> >>>>>>
> >>>>>> It seems we have to disable export TLS ciphers but I can't
> >>>>>> see how. I've edited /etc/httpd/conf.d/nss.conf and disabled all SSL
> >>>>>> and TLSV1.0.
> >>>>>>
> >>>>>> NSSCipherSuite -all,-exp,+<the ones I want>
> >>>>>>
> >>>>>> I've restarted httpd and ipa but it still fails
> >>>>>>
> >>>>>> Is there something I have overlooked?
> >>>>
> >>>>
> >>>>> Hi Terry,
> >>>>>
> >>>>> Please check
> >>>>> https://fedorahosted.org/freeipa/ticket/5589
> >>>>>
> >>>>> We are trying to come up with a better cipher suite right now.
> >>>>> The fix should be in some of the next FreeIPA 4.3.x versions.
> >>>>>
> >>>>> The ticket has more details in it.
> >>>>
> >>>> Thanks for the info. I have tried nearly all the NSSCipherSuite
> >>>> settings in that ticket but none so far has eliminated the FREAK report.
> >>>> Christian thanks for the heads up on the syntax, I wasn't sure of
> >>>> what I was doing
> >>>>
> >>>> Each time I've made a change I've run an sslscan from the
> >>>> OpenVAS scanner and I do get a different result each time but the
> >>>> errors still remain in OpenVAS.
> >>>> Aaargh! Just noticed the port is 636/tcp(!) which is ns-slapd.
> >>>>
> >>>> Back to the drawing board :-)
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> --
> >>>> Manage your subscription for the Freeipa-users mailing list:
> >>>> https://www.redhat.com/mailman/listinfo/freeipa-users
> >>>> Go to http://freeipa.org for more info on the project
> >>
> >
>
>
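Added example for this thread (not code from FreeIPA, mod_nss or 389-ds): a small Python pre-flight check for a `+`/`-` cipher list of the kind quoted above, so that an unknown cipher name is caught before a restart of a production server rather than by NSS error -12266, and any export suite still enabled (the two OpenVAS reported, codes 0003 and 0006) is pointed out. The table of accepted names is an assumption: it holds the names quoted in this thread plus the classic nss.conf sample string, not the full list of a given mod_nss release, and 389-ds's nsSSL3Ciphers uses a similar but not identical vocabulary, so compare against `listsuites` or your server's own list. Tokens are applied the way Rob describes: nothing is enabled at the start, and bare words such as `All` or `exp` are not cipher names.

```python
"""Pre-flight linter for mod_nss-style NSSCipherSuite strings.

Added example for this thread; not part of mod_nss, 389-ds or FreeIPA.
Runs offline: it checks the spec text, it never talks to a server.
"""
from dataclasses import dataclass, field

# ASSUMPTION: a subset of the names mod_nss accepts, built from the names
# quoted in the thread plus the classic nss.conf sample string. It is not
# the full table shipped with any particular mod_nss version.
KNOWN_CIPHERS = {
    # names quoted in the thread
    "aes_128_sha_256", "aes_256_sha_256",
    "ecdhe_ecdsa_aes_128_gcm_sha_256", "ecdhe_ecdsa_aes_128_sha",
    "ecdhe_ecdsa_aes_128_sha_256", "ecdhe_ecdsa_aes_256_gcm_sha_384",
    "ecdhe_ecdsa_aes_256_sha", "ecdhe_rsa_aes_128_gcm_sha_256",
    "ecdhe_rsa_aes_128_sha", "ecdhe_rsa_aes_128_sha_256",
    "ecdhe_rsa_aes_256_gcm_sha_384", "ecdhe_rsa_aes_256_sha",
    "ecdh_ecdsa_aes_128_sha", "ecdh_ecdsa_aes_256_sha",
    "rsa_aes_128_gcm_sha_256", "rsa_aes_128_sha",
    "rsa_aes_256_gcm_sha_384", "rsa_aes_256_sha",
    # names from the classic nss.conf sample string
    "rsa_rc4_128_md5", "rsa_rc4_128_sha", "rsa_3des_sha", "rsa_des_sha",
    "rsa_rc4_40_md5", "rsa_rc2_40_md5", "rsa_null_md5", "rsa_null_sha",
    "fips_3des_sha", "fips_des_sha", "rsa_des_56_sha", "rsa_rc4_56_sha",
}

# Suites that must never be enabled: the two OpenVAS reported in the thread
# (mod_nss name -> TLS suite and code), plus the 56-bit export and NULL
# suites from the sample string.
EXPORT_OR_NULL = {
    "rsa_rc4_40_md5": "TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0003)",
    "rsa_rc2_40_md5": "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0006)",
    "rsa_des_56_sha": "56-bit export DES",
    "rsa_rc4_56_sha": "56-bit export RC4",
    "rsa_null_md5": "NULL encryption",
    "rsa_null_sha": "NULL encryption",
}


@dataclass
class LintResult:
    enabled: list = field(default_factory=list)  # names, in spec order
    unknown: list = field(default_factory=list)  # tokens mod_nss would reject
    syntax: list = field(default_factory=list)   # tokens without a +/- prefix
    weak: dict = field(default_factory=dict)     # enabled export/NULL suites


def lint_cipher_suite(spec: str) -> LintResult:
    """Apply a +/- cipher list in order, starting from nothing enabled
    (Rob: everything is disabled by mod_nss at startup). A bare word such
    as 'All' or 'exp' is not a cipher name and lands in 'unknown'."""
    result = LintResult()
    enabled = []
    for raw in spec.split(","):
        token = raw.strip()
        if not token:
            continue
        sign, name = token[0], token[1:].lower()
        if sign not in "+-":
            result.syntax.append(token)
            continue
        if name not in KNOWN_CIPHERS:
            result.unknown.append(token)
            continue
        if sign == "+" and name not in enabled:
            enabled.append(name)
        elif sign == "-" and name in enabled:
            enabled.remove(name)
    result.enabled = enabled
    result.weak = {n: EXPORT_OR_NULL[n] for n in enabled if n in EXPORT_OR_NULL}
    return result


def cleaned_spec(spec: str) -> str:
    """The same list with unknown tokens dropped and weak suites removed,
    rendered as explicit '+name' entries ready to paste back."""
    r = lint_cipher_suite(spec)
    return ",".join("+" + n for n in r.enabled if n not in r.weak)


if __name__ == "__main__":
    # Marat's string from the thread: the leading -All is reported as unknown.
    sample = ("-All,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,"
              "+rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_gcm_sha_256")
    r = lint_cipher_suite(sample)
    print("unknown tokens:", r.unknown)
    print("bad syntax:    ", r.syntax)
    print("enabled:       ", r.enabled)
    print("weak enabled:  ", r.weak)
    print("cleaned spec:  ", cleaned_spec(sample))
```

Run it on the candidate string before stopping 389-ds to edit dse.ldif (which, as Rob notes, is rewritten on shutdown, so edits made while the server is running are lost) or before restarting httpd with a new nss.conf; an empty `unknown` and `syntax` and an empty `weak` is what you want to see.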