<div dir="ltr">I actually just posted that in a previous email. The only thing I cut out were nsSSLEnabledCiphers - but here is the complete listing:<div><br></div><div><div># ldapsearch -x -D "cn=directory manager" -W -b "cn=encryption,cn=config"</div><div>Enter LDAP Password: </div><div># extended LDIF</div><div>#</div><div># LDAPv3</div><div># base <cn=encryption,cn=config> with scope subtree</div><div># filter: (objectclass=*)</div><div># requesting: ALL</div><div>#</div><div><br></div><div># encryption, config</div><div>dn: cn=encryption,cn=config</div><div>objectClass: top</div><div>objectClass: nsEncryptionConfig</div><div>cn: encryption</div><div>nsSSLSessionTimeout: 0</div><div>nsSSLClientAuth: allowed</div><div>sslVersionMin: TLS1.0</div><div>nsSSL3Ciphers: +all</div><div>allowWeakCipher: off</div><div>nsSSL3: off</div><div>nsSSL2: off</div><div>nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD:</div><div> :128</div><div>nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384::AES-GCM::AEAD:</div><div> :256</div><div>nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::1</div><div> 28</div><div>nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384::AES-GCM::AEAD::2</div><div> 56</div><div>nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384::AES::SHA384::2</div><div> 56</div><div>nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384::AES::SHA384::256</div><div>nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA::AES::SHA1::256</div><div>nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA::AES::SHA1::128</div><div>nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128</div><div>nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256::AES::SHA256::1</div><div> 28</div><div>nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128</div><div>nsSSLSupportedCiphers: 
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256</div><div>nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192</div><div>nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192</div><div>nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA::RC4::SHA1::128</div><div>nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA::RC4::SHA1::128</div><div>nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128</div><div>nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128</div><div>nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128</div><div>nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA::AES::SHA1::128</div><div>nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128</div><div>nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256::AES::SHA256::128</div><div>nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA::CAMELLIA::SHA1::</div><div> 128</div><div>nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA::CAMELLIA::SHA1::</div><div> 128</div><div>nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384::AES-GCM::AEAD::256</div><div>nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384::AES-GCM::AEAD::256</div><div>nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256</div><div>nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA::AES::SHA1::256</div><div>nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256::AES::SHA256::256</div><div>nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256::AES::SHA256::256</div><div>nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA::CAMELLIA::SHA1::</div><div> 256</div><div>nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA::CAMELLIA::SHA1::</div><div> 256</div><div>nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192</div><div>nsSSLSupportedCiphers: 
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192</div><div>nsSSLSupportedCiphers: TLS_DHE_DSS_WITH_RC4_128_SHA::RC4::SHA1::128</div><div>nsSSLSupportedCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA::AES::SHA1::128</div><div>nsSSLSupportedCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128</div><div>nsSSLSupportedCiphers: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA::AES::SHA1::256</div><div>nsSSLSupportedCiphers: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256</div><div>nsSSLSupportedCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192</div><div>nsSSLSupportedCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192</div><div>nsSSLSupportedCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA::RC4::SHA1::128</div><div>nsSSLSupportedCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA::RC4::SHA1::128</div><div>nsSSLSupportedCiphers: TLS_RSA_WITH_AES_256_GCM_SHA384::AES-GCM::SHA384::256</div><div>nsSSLSupportedCiphers: TLS_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128</div><div>nsSSLSupportedCiphers: TLS_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128</div><div>nsSSLSupportedCiphers: TLS_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128</div><div>nsSSLSupportedCiphers: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA::CAMELLIA::SHA1::128</div><div>nsSSLSupportedCiphers: TLS_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256</div><div>nsSSLSupportedCiphers: TLS_RSA_WITH_AES_256_CBC_SHA256::AES::SHA256::256</div><div>nsSSLSupportedCiphers: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA::CAMELLIA::SHA1::256</div><div>nsSSLSupportedCiphers: TLS_RSA_WITH_SEED_CBC_SHA::SEED::SHA1::128</div><div>nsSSLSupportedCiphers: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192</div><div>nsSSLSupportedCiphers: TLS_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192</div><div>nsSSLSupportedCiphers: TLS_RSA_WITH_RC4_128_SHA::RC4::SHA1::128</div><div>nsSSLSupportedCiphers: TLS_RSA_WITH_RC4_128_MD5::RC4::MD5::128</div><div>nsSSLSupportedCiphers: TLS_DHE_RSA_WITH_DES_CBC_SHA::DES::SHA1::64</div><div>nsSSLSupportedCiphers: 
TLS_DHE_DSS_WITH_DES_CBC_SHA::DES::SHA1::64</div><div>nsSSLSupportedCiphers: SSL_RSA_FIPS_WITH_DES_CBC_SHA::DES::SHA1::64</div><div>nsSSLSupportedCiphers: TLS_RSA_WITH_DES_CBC_SHA::DES::SHA1::64</div><div>nsSSLSupportedCiphers: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA::RC4::SHA1::128</div><div>nsSSLSupportedCiphers: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA::DES::SHA1::64</div><div>nsSSLSupportedCiphers: TLS_RSA_EXPORT_WITH_RC4_40_MD5::RC4::MD5::128</div><div>nsSSLSupportedCiphers: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5::RC2::MD5::128</div><div>nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_NULL_SHA::NULL::SHA1::0</div><div>nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_NULL_SHA::NULL::SHA1::0</div><div>nsSSLSupportedCiphers: TLS_ECDH_RSA_WITH_NULL_SHA::NULL::SHA1::0</div><div>nsSSLSupportedCiphers: TLS_ECDH_ECDSA_WITH_NULL_SHA::NULL::SHA1::0</div><div>nsSSLSupportedCiphers: TLS_RSA_WITH_NULL_SHA::NULL::SHA1::0</div><div>nsSSLSupportedCiphers: TLS_RSA_WITH_NULL_SHA256::NULL::SHA256::0</div><div>nsSSLSupportedCiphers: TLS_RSA_WITH_NULL_MD5::NULL::MD5::0</div><div>nsSSLSupportedCiphers: SSL_CK_RC4_128_WITH_MD5::RC4::MD5::128</div><div>nsSSLSupportedCiphers: SSL_CK_RC2_128_CBC_WITH_MD5::RC2::MD5::128</div><div>nsSSLSupportedCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5::3DES::MD5::192</div><div>nsSSLSupportedCiphers: SSL_CK_DES_64_CBC_WITH_MD5::DES::MD5::64</div><div>nsSSLSupportedCiphers: SSL_CK_RC4_128_EXPORT40_WITH_MD5::RC4::MD5::128</div><div>nsSSLSupportedCiphers: SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5::RC2::MD5::128</div><div>nssslenabledciphers: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::1</div><div> 28</div><div>nssslenabledciphers: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384::AES-GCM::AEAD::2</div><div> 56</div><div>nssslenabledciphers: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128</div><div>nssslenabledciphers: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384::AES-GCM::AEAD::256</div><div>nssslenabledciphers: 
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384::AES::SHA384::256</div><div>nssslenabledciphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384::AES::SHA384::256</div><div>nssslenabledciphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA::AES::SHA1::256</div><div>nssslenabledciphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA::AES::SHA1::128</div><div>nssslenabledciphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128</div><div>nssslenabledciphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128</div><div>nssslenabledciphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128</div><div>nssslenabledciphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256</div><div>nssslenabledciphers: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128</div><div>nssslenabledciphers: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128</div><div>nssslenabledciphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128</div><div>nssslenabledciphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA::AES::SHA1::128</div><div>nssslenabledciphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128</div><div>nssslenabledciphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256::AES::SHA256::128</div><div>nssslenabledciphers: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA::CAMELLIA::SHA1::12</div><div> 8</div><div>nssslenabledciphers: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA::CAMELLIA::SHA1::12</div><div> 8</div><div>nssslenabledciphers: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384::AES-GCM::AEAD::256</div><div>nssslenabledciphers: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384::AES-GCM::AEAD::256</div><div>nssslenabledciphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256</div><div>nssslenabledciphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA::AES::SHA1::256</div><div>nssslenabledciphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256::AES::SHA256::256</div><div>nssslenabledciphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256::AES::SHA256::256</div><div>nssslenabledciphers: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA::CAMELLIA::SHA1::25</div><div> 6</div><div>nssslenabledciphers: 
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA::CAMELLIA::SHA1::25</div><div> 6</div><div>nssslenabledciphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA::AES::SHA1::128</div><div>nssslenabledciphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128</div><div>nssslenabledciphers: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA::AES::SHA1::256</div><div>nssslenabledciphers: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256</div><div>nssslenabledciphers: TLS_RSA_WITH_AES_256_GCM_SHA384::AES-GCM::SHA384::256</div><div>nssslenabledciphers: TLS_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128</div><div>nssslenabledciphers: TLS_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128</div><div>nssslenabledciphers: TLS_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128</div><div>nssslenabledciphers: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA::CAMELLIA::SHA1::128</div><div>nssslenabledciphers: TLS_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256</div><div>nssslenabledciphers: TLS_RSA_WITH_AES_256_CBC_SHA256::AES::SHA256::256</div><div>nssslenabledciphers: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA::CAMELLIA::SHA1::256</div><div>nssslenabledciphers: TLS_RSA_WITH_SEED_CBC_SHA::SEED::SHA1::128</div><div>nsTLS1: on</div><div>sslVersionMax: TLS1.2</div><div><br></div><div># RSA, encryption, config</div><div>dn: cn=RSA,cn=encryption,cn=config</div><div>objectClass: top</div><div>objectClass: nsEncryptionModule</div><div>nsSSLPersonalitySSL: Server-Cert</div><div>nsSSLActivation: on</div><div>cn: RSA</div><div>nsSSLToken: internal (software)</div><div><br></div><div># search result</div><div>search: 2</div><div>result: 0 Success</div><div><br></div><div># numResponses: 3</div><div># numEntries: 2</div></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Sep 23, 2015 at 11:53 AM, Martin Kosek <span dir="ltr"><<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 
09/23/2015 05:05 PM, Michael Lasevich wrote:<br>
</span><span class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Yes, I am talking about 389ds as is integrated in FreeIPA (would be silly to<br>
post completely non-IPA questions to this list...).<br>
</blockquote>
<br></span>
You would not be the first to do it :-)<span class=""><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I am running FreeIPA 4.1.4 on CentOS 7.1 and RC4 is enabled on port 636 no<br>
matter what I do.<br>
<br>
I am running "CentOS Linux release 7.1.1503 (Core)"<br>
<br>
Relevant Packages:<br>
<br>
freeipa-server-4.1.4-1.el7.centos.x86_64<br>
389-ds-base-1.3.3.8-1.el7.centos.x86_64<br>
nss-3.19.1-5.el7_1.x86_64<br>
openssl-1.0.1e-42.el7.9.x86_64<br>
<br>
LDAP setting (confirmed that in error.log there is no mention of RC4 in list<br>
of ciphers):<br>
<br>
nsSSL3Ciphers:<br>
-rc4,-rc4export,-rc2,-rc2export,-des,-desede3,-rsa_rc4_128_md5,-rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,+rsa_fips_3des_sha,+fips_3des_sha,-rsa_fips_des_sha,-fips_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,-tls_rsa_export1024_with_rc4_56_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha,-rsa_des_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-dhe_dss_des_sha,+dhe_dss_3des_sha,-dhe_rsa_des_sha,+dhe_rsa_3des_sha,+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,+tls_dhe_dss_aes_256_sha,+tls_dhe_rsa_aes_256_sha,-tls_dhe_dss_1024_rc4_sha,-tls_dhe_dss_rc4_128_sha<br>
</blockquote>
<br></span>
Something is really strange here. We need to see settings in "cn=encryption,cn=config" to investigate further.<br>
<br>
$ ldapsearch -h <a href="http://ipa.example.com" rel="noreferrer" target="_blank">ipa.example.com</a> -b cn=encryption,cn=config -D "cn=Directory Manager" -x -W<br>
<br>
should be a good start to give this information. nsSSL3Ciphers for example should be set to "+all" and "allowWeakCipher" to off, as per<br>
<br>
<a href="http://fedorahosted.org/freeipa/ticket/4395" rel="noreferrer" target="_blank">http://fedorahosted.org/freeipa/ticket/4395</a><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
Slapd "error" log showing no ciphersuites supporting RC4:<br>
<br>
[23/Sep/2015:08:51:04 -0600] SSL Initialization - Configured SSL version range:<br>
min: TLS1.0, max: TLS1.2<br>
[23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite fortezza is not<br>
available in NSS 3.16. Ignoring fortezza<br>
[23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite fortezza_rc4_128_sha is<br>
not available in NSS 3.16. Ignoring fortezza_rc4_128_sha<br>
[23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite fortezza_null is not<br>
available in NSS 3.16. Ignoring fortezza_null<br>
[23/Sep/2015:08:51:04 -0600] - SSL alert: Configured NSS Ciphers<br>
[23/Sep/2015:08:51:04 -0600] - SSL alert:<br>
TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled<br>
[23/Sep/2015:08:51:04 -0600] - SSL alert:<br>
TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled<br>
[23/Sep/2015:08:51:04 -0600] - SSL alert:<br>
TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled<br>
[23/Sep/2015:08:51:04 -0600] - SSL alert:<br>
TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled<br>
[23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA:<br>
enabled<br>
[23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA:<br>
enabled<br></span>
[23/Sep/2015:08:51:04 -0600] - 389-Directory/1.3.3.8<div><div class="h5"><br>
B2015.040.128 starting up<br>
<br>
<br>
But sslscan returns:<br>
<br>
$ sslscan --no-failed localhost:636<br>
...<br>
<br>
Supported Server Cipher(s):<br>
<br>
Accepted TLSv1 256 bits AES256-SHA<br>
Accepted TLSv1 128 bits AES128-SHA<br>
Accepted TLSv1 128 bits DES-CBC3-SHA<br>
Accepted TLSv1 128 bits RC4-SHA<br>
Accepted TLSv1 128 bits RC4-MD5<br>
Accepted TLS11 256 bits AES256-SHA<br>
Accepted TLS11 128 bits AES128-SHA<br>
Accepted TLS11 128 bits DES-CBC3-SHA<br>
Accepted TLS11 128 bits RC4-SHA<br>
Accepted TLS11 128 bits RC4-MD5<br>
Accepted TLS12 256 bits AES256-SHA256<br>
Accepted TLS12 256 bits AES256-SHA<br>
Accepted TLS12 128 bits AES128-GCM-SHA256<br>
Accepted TLS12 128 bits AES128-SHA256<br>
Accepted TLS12 128 bits AES128-SHA<br>
Accepted TLS12 128 bits DES-CBC3-SHA<br>
Accepted TLS12 128 bits RC4-SHA<br>
Accepted TLS12 128 bits RC4-MD5<br>
<br>
...<br>
<br>
<br>
I would assume the sslscan is broken, but nmap and other scanners all confirm<br>
that RC4 is still on.<br>
<br>
-M<br>
<br>
<br>
On Wed, Sep 23, 2015 at 3:35 AM, Martin Kosek <<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a><br></div></div><span class="">
<mailto:<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>>> wrote:<br>
<br>
On 09/23/2015 11:00 AM, Michael Lasevich wrote:<br>
&gt; OK, this is a most bizarre issue,<br>
><br>
&gt; I am trying to disable RC4 based TLS Cipher Suites in LDAPS (port 636) and<br>
> for the life of me cannot get it to work<br>
><br>
> I have followed many nearly identical instructions to create ldif file and<br>
> change "nsSSL3Ciphers" in "cn=encryption,cn=config". Seems simple enough -<br>
> and I get it to take, and during the startup I can see the right SSL Cipher<br>
> Suites listed in errors.log - but when it starts and I probe it, RC4<br>
> ciphers are still there. I am completely confused.<br>
><br>
> I tried setting "nsSSL3Ciphers" to "default" (which does not have "RC4")<br>
&gt; and to old style cipher lists (lowercase), and new style cipher<br>
&gt; lists (uppercase), and nothing seems to make any difference.<br>
><br>
> Any ideas?<br>
><br>
> -M<br>
<br>
Are you asking about standalone 389-DS or the one integrated in FreeIPA? As<br>
with currently supported versions of FreeIPA, RC4 ciphers should be already<br>
gone, AFAIK.<br>
<br>
In RHEL/CentOS world, it should be fixed in 6.7/7.1 or later:<br>
<br>
<a href="https://bugzilla.redhat.com/show_bug.cgi?id=1154687" rel="noreferrer" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=1154687</a><br>
<a href="https://fedorahosted.org/freeipa/ticket/4653" rel="noreferrer" target="_blank">https://fedorahosted.org/freeipa/ticket/4653</a><br>
<br>
<br>
</span></blockquote>
<br>
</blockquote></div><br></div>
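<p>An added audit helper, not from the thread and not part of 389-DS or FreeIPA: it parses a <code>cn=encryption,cn=config</code> dump in the LDIF shape shown above (re-joining the space-continued folded values, treating attribute names case-insensitively) and flags every <code>nsSSLEnabledCiphers</code> suite that uses RC4, RC2, DES, 3DES, NULL, an MD5 MAC, an export-grade suite or a key under 128 bits. The sample LDIF is constructed, and the weakness thresholds are my own assumptions.</p>

```python
# Added example (not from the list thread): audit the cipher suites a 389-DS
# server reports as enabled in cn=encryption,cn=config. The LDIF is
# constructed in ldapsearch shape, with one folded (space-continued) value.
SAMPLE_LDIF = """\
dn: cn=encryption,cn=config
nsSSL3Ciphers: +all
allowWeakCipher: off
nssslenabledciphers: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::1
 28
nssslenabledciphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
nssslenabledciphers: TLS_RSA_WITH_RC4_128_MD5::RC4::MD5::128
nssslenabledciphers: TLS_RSA_WITH_NULL_SHA::NULL::SHA1::0
nssslenabledciphers: TLS_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
"""

# Bulk algorithms (2nd field of the "NAME::ALG::MAC::BITS" value) that a
# directory listener should not offer (assumed policy, not a 389-DS default).
WEAK_ALGS = {"RC4", "RC2", "DES", "3DES", "NULL"}


def unfold_ldif(text):
    """Yield (attr, value) pairs, re-joining folded lines; attribute names
    are lower-cased because LDAP treats them case-insensitively."""
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:   # folded continuation line
            logical[-1] += line[1:]
        else:
            logical.append(line)
    for entry in logical:
        if entry and not entry.startswith("#") and ":" in entry:
            attr, _, value = entry.partition(":")
            yield attr.strip().lower(), value.strip()


def weak_reasons(value):
    """Return why a 'NAME::ALG::MAC::BITS' suite is weak ([] if acceptable)."""
    name, alg, mac, bits = value.split("::")
    reasons = []
    if alg in WEAK_ALGS:
        reasons.append(f"bulk cipher {alg}")
    if mac == "MD5":
        reasons.append("MD5 MAC")
    if "EXPORT" in name:
        reasons.append("export-grade suite")
    if int(bits) < 128:
        reasons.append(f"{bits}-bit key")
    return reasons


def audit_enabled_ciphers(ldif_text):
    """Map each weak *enabled* suite to its reasons (supported-only ignored)."""
    findings = {}
    for attr, value in unfold_ldif(ldif_text):
        if attr == "nssslenabledciphers" and weak_reasons(value):
            findings[value.split("::")[0]] = weak_reasons(value)
    return findings
```

<p>This checks only what the server says it enabled; as the sslscan output in the thread shows, the listener should be probed separately and the two lists compared.</p>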