<div dir="ltr">No difference. It is as if this setting is being overwritten somewhere deep in 389ds, because the "error" log correctly reflects the changes, but the actual process does not. (and yes, I verified that the process actually shuts down and starts up again when I restart it)<div><div><br></div><div>
<p class=""><span class="">ldapsearch -x -D "cn=directory manager" -W -b "cn=encryption,cn=config"</span></p></div><div><div># encryption, config</div><div>dn: cn=encryption,cn=config</div><div>objectClass: top</div><div>objectClass: nsEncryptionConfig</div><div>cn: encryption</div><div>nsSSLSessionTimeout: 0</div><div>nsSSLClientAuth: allowed</div><div>sslVersionMin: TLS1.0</div><div>nsSSL3Ciphers: +all</div><div>allowWeakCipher: off</div><div>nsSSL3: off</div><div>nsSSL2: off</div></div><div>... (skipping nssslenabledciphers's) ...</div><div><div>nsTLS1: on</div><div>sslVersionMax: TLS1.2</div></div><div><br></div><div>SLAPD error log got longer:</div><div><br></div><div><div>SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2</div><div>[23/Sep/2015:09:37:28 -0600] - SSL alert: Configured NSS Ciphers</div><div>[23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled</div><div>[23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled</div><div>[23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled</div><div>[23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled</div><div>[23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: enabled</div><div>[23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: enabled</div><div>[23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled</div><div>[23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled</div><div>[23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled</div><div>[23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled</div><div>[23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled</div><div>[23/Sep/2015:09:37:28 -0600] - SSL alert: 
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled</div><div>[23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled</div><div>[23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256: enabled</div><div>[23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled</div><div>[23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled</div><div>[23/Sep/2015:09:37:28 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled</div><div>[23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256: enabled</div><div>[23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled</div><div>[23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled</div><div>[23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled</div><div>[23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384: enabled</div><div>[23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled</div><div>[23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled</div><div>[23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled</div><div>[23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256: enabled</div><div>[23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled</div><div>[23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled</div><div>[23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled</div><div>[23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled</div><div>[23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled</div><div>[23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: 
enabled</div><div>[23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_AES_256_GCM_SHA384: enabled</div><div>[23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled</div><div>[23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled</div><div>[23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled</div><div>[23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled</div><div>[23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled</div><div>[23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled</div><div>[23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled</div><div>[23/Sep/2015:09:37:29 -0600] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled</div><div>[23/Sep/2015:09:37:29 -0600] - 389-Directory/1.3.3.8 B2015.040.128 starting up</div></div><div><br></div><div>SSLScan Output:</div><div><br></div><div>
<p class=""><span class="">sslscan --no-failed localhost:636 <br></span></p><p class=""><span class="">...</span></p></div><div><div> Supported Server Cipher(s):</div><div> Accepted TLSv1 256 bits AES256-SHA</div><div> Accepted TLSv1 128 bits AES128-SHA</div><div> Accepted TLSv1 128 bits DES-CBC3-SHA</div><div> Accepted TLSv1 128 bits RC4-SHA</div><div> Accepted TLSv1 128 bits RC4-MD5</div><div> Accepted TLS11 256 bits AES256-SHA</div><div> Accepted TLS11 128 bits AES128-SHA</div><div> Accepted TLS11 128 bits DES-CBC3-SHA</div><div> Accepted TLS11 128 bits RC4-SHA</div><div> Accepted TLS11 128 bits RC4-MD5</div><div> Accepted TLS12 256 bits AES256-SHA256</div><div> Accepted TLS12 256 bits AES256-SHA</div><div> Accepted TLS12 128 bits AES128-GCM-SHA256</div><div> Accepted TLS12 128 bits AES128-SHA256</div><div> Accepted TLS12 128 bits AES128-SHA</div><div> Accepted TLS12 128 bits DES-CBC3-SHA</div><div> Accepted TLS12 128 bits RC4-SHA</div><div> Accepted TLS12 128 bits RC4-MD5</div></div>
<div><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Sep 23, 2015 at 8:19 AM, Ludwig Krispenz <span dir="ltr"><<a href="mailto:lkrispen@redhat.com" target="_blank">lkrispen@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span class="">
<br>
<div>On 09/23/2015 05:05 PM, Michael
Lasevich wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Yes, I am talking about 389ds as is integrated in
FreeIPA (would be silly to post completely non-IPA questions to
this list...).
<div>I am running FreeIPA 4.1.4 on CentOS 7.1 and RC4 is enabled
on port 636 no matter what I do.
<div><br>
</div>
<div>I am running "CentOS Linux release 7.1.1503 (Core)" </div>
<div><br>
</div>
<div>Relevant Packages:</div>
<div>
<div><br>
</div>
<div>freeipa-server-4.1.4-1.el7.centos.x86_64</div>
<div>389-ds-base-1.3.3.8-1.el7.centos.x86_64</div>
<div>nss-3.19.1-5.el7_1.x86_64</div>
<div>openssl-1.0.1e-42.el7.9.x86_64</div>
<div><br>
</div>
</div>
<div>LDAP setting (confirmed that in error.log there is no
mention of RC4 in the list of ciphers):</div>
<div>
<p>nsSSL3Ciphers:
-rc4,-rc4export,-rc2,-rc2export,-des,-desede3,-rsa_rc4_128_md5,-rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,+rsa_fips_3des_sha,+fips_3des_sha,-rsa_fips_des_sha,-fips_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,-tls_rsa_export1024_with_rc4_56_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha,-rsa_des_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-dhe_dss_des_sha,+dhe_dss_3des_sha,-dhe_rsa_des_sha,+dhe_rsa_3des_sha,+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,+tls_dhe_dss_aes_256_sha,+tls_dhe_rsa_aes_256_sha,-tls_dhe_dss_1024_rc4_sha,-tls_dhe_dss_rc4_128_sha<br>
</p>
</div>
</div>
</div>
</blockquote></span>
With IPA the config entry should contain:<br>
<br>
dn: cn=encryption,cn=config<br>
allowWeakCipher: off<br>
nsSSL3Ciphers: +all<br>
<br>
Could you try this setting?<div><div class="h5"><br>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<p><span>Slapd "error" log showing no
ciphersuites supporting RC4:</span></p>
<p>[23/Sep/2015:08:51:04 -0600] SSL Initialization
- Configured SSL version range: min: TLS1.0, max: TLS1.2<br>
[23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite
fortezza is not available in NSS 3.16. Ignoring fortezza<br>
[23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite
fortezza_rc4_128_sha is not available in NSS 3.16.
Ignoring fortezza_rc4_128_sha<br>
[23/Sep/2015:08:51:04 -0600] - SSL alert: Cipher suite
fortezza_null is not available in NSS 3.16. Ignoring
fortezza_null<br>
[23/Sep/2015:08:51:04 -0600] - SSL alert: Configured NSS
Ciphers<br>
[23/Sep/2015:08:51:04 -0600] - SSL alert:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled<br>
[23/Sep/2015:08:51:04 -0600] - SSL alert:
TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled<br>
[23/Sep/2015:08:51:04 -0600] - SSL alert:
TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled<br>
[23/Sep/2015:08:51:04 -0600] - SSL alert:
TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled<br>
[23/Sep/2015:08:51:04 -0600] - SSL alert:
TLS_RSA_WITH_AES_128_CBC_SHA: enabled<br>
[23/Sep/2015:08:51:04 -0600] - SSL alert:
TLS_RSA_WITH_AES_256_CBC_SHA: enabled<br>
[23/Sep/2015:08:51:04 -0600] - 389-Directory/1.3.3.8
B2015.040.128 starting up</p>
<div><br>
</div>
<p><span>But sslscan returns:</span></p>
<p><span>$ </span>sslscan --no-failed
localhost:636<br>
...</p>
<p><span>Supported Server Cipher(s):</span></p>
<p><span> Accepted TLSv1 256 bits
AES256-SHA<br>
</span> Accepted TLSv1 128 bits AES128-SHA<br>
Accepted TLSv1 128 bits DES-CBC3-SHA<br>
Accepted TLSv1 128 bits RC4-SHA<br>
Accepted TLSv1 128 bits RC4-MD5<br>
Accepted TLS11 256 bits AES256-SHA<br>
Accepted TLS11 128 bits AES128-SHA<br>
Accepted TLS11 128 bits DES-CBC3-SHA<br>
Accepted TLS11 128 bits RC4-SHA<br>
Accepted TLS11 128 bits RC4-MD5<br>
Accepted TLS12 256 bits AES256-SHA256<br>
Accepted TLS12 256 bits AES256-SHA<br>
Accepted TLS12 128 bits AES128-GCM-SHA256<br>
Accepted TLS12 128 bits AES128-SHA256<br>
Accepted TLS12 128 bits AES128-SHA<br>
Accepted TLS12 128 bits DES-CBC3-SHA<br>
Accepted TLS12 128 bits RC4-SHA<br>
Accepted TLS12 128 bits RC4-MD5</p>
<p>...</p>
<p><br>
</p>
<p>I would assume the sslscan is broken, but nmap
and other scanners all confirm that RC4 is still on.</p>
<p>-M</p>
</div>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Sep 23, 2015 at 3:35 AM, Martin
Kosek <span dir="ltr"><<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div>On 09/23/2015 11:00 AM, Michael Lasevich
wrote:<br>
> OK, this is most bizarre issue,<br>
><br>
> I am trying to disable RC4-based TLS Cipher Suites
in LDAPs (port 636) and<br>
> for the life of me cannot get it to work<br>
><br>
> I have followed many nearly identical instructions
to create ldif file and<br>
> change "nsSSL3Ciphers" in
"cn=encryption,cn=config". Seems simple enough -<br>
> and I get it to take, and during the startup I can
see the right SSL Cipher<br>
> Suites listed in errors.log - but when it starts
and I probe it, RC4<br>
> ciphers are still there. I am completely confused.<br>
><br>
> I tried setting "nsSSL3Ciphers" to "default" (which
does not have "RC4")<br>
> and to old style cipher lists (lowercase), and new
style cipher<br>
> lists (uppercase), and nothing seems to make any
difference.<br>
><br>
> Any ideas?<br>
><br>
> -M<br>
<br>
</div>
</div>
Are you asking about standalone 389-DS or the one integrated
in FreeIPA? As<br>
with currently supported versions of FreeIPA, RC4 ciphers
should be already<br>
gone, AFAIK.<br>
<br>
In RHEL/CentOS world, it should be fixed in 6.7/7.1 or
later:<br>
<br>
<a href="https://bugzilla.redhat.com/show_bug.cgi?id=1154687" rel="noreferrer" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=1154687</a><br>
<a href="https://fedorahosted.org/freeipa/ticket/4653" rel="noreferrer" target="_blank">https://fedorahosted.org/freeipa/ticket/4653</a><br>
</blockquote>
</div>
<br>
</div>
<br>
<br>
</blockquote>
<br>
</div></div></div>
<br>--<br>
Manage your subscription for the Freeipa-users mailing list:<br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project<br></blockquote></div><br></div>
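An added check for the mismatch the thread describes (not code from the thread, from FreeIPA or from 389-DS): it parses the cipher suites slapd logs as enabled at startup and the suites sslscan reports as accepted, translates the OpenSSL names to the IANA names NSS uses (a mapping table assumed here, covering only the suites quoted above), and returns the suites negotiated on the wire that the logged configuration never enabled. A non-empty result, as with the RC4 and 3DES suites here, shows the listener on 636 is not running with the configuration the error log reports, which is the situation the original poster is chasing.

```python
import re

# Constructed excerpt of the slapd error log quoted in the thread: the suites
# 389-DS reports as enabled after reading nsSSL3Ciphers.
SLAPD_ERROR_LOG = """\
[23/Sep/2015:08:51:04 -0600] - SSL alert: Configured NSS Ciphers
[23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
[23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[23/Sep/2015:08:51:04 -0600] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
"""

# Constructed excerpt of the sslscan output quoted in the thread (OpenSSL names).
SSLSCAN_OUTPUT = """\
 Accepted TLSv1 256 bits AES256-SHA
 Accepted TLSv1 128 bits RC4-SHA
 Accepted TLSv1 128 bits RC4-MD5
 Accepted TLS12 128 bits AES128-GCM-SHA256
 Accepted TLS12 128 bits DES-CBC3-SHA
"""

# Assumed mapping, OpenSSL suite name -> IANA/NSS suite name, for the suites in the thread.
OPENSSL_TO_IANA = {
    "AES256-SHA": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "AES128-SHA": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "AES256-SHA256": "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "AES128-SHA256": "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "AES128-GCM-SHA256": "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "DES-CBC3-SHA": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "RC4-SHA": "TLS_RSA_WITH_RC4_128_SHA",
    "RC4-MD5": "TLS_RSA_WITH_RC4_128_MD5",
}

def configured_suites(error_log):
    """Suites 389-DS logged as enabled at startup (what the config asked for)."""
    return set(re.findall(r"SSL alert: (TLS_[A-Z0-9_]+): enabled", error_log))

def observed_suites(scan_output):
    """Suites a scanner actually negotiated, translated to IANA names."""
    names = re.findall(r"^\s*Accepted\s+\S+\s+\d+ bits\s+(\S+)", scan_output, re.M)
    return {OPENSSL_TO_IANA.get(n, n) for n in names}

def unexpected_suites(error_log, scan_output):
    """Suites accepted on the wire that the logged config never enabled; non-empty means the listener ignores that config."""
    return observed_suites(scan_output) - configured_suites(error_log)

def weak_suites(suites):
    """Subset that should never be accepted: RC4, 3DES, or an MD5 MAC."""
    return {s for s in suites if any(w in s for w in ("RC4", "3DES", "_MD5"))}
```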