<html><body><p>Hello,</p>
<p>We currently have 7 IPA servers in multi-master running:</p>
<pre>ipa-server-3.0.0-47.el6_7.1.x86_64
389-ds-base-1.2.11.15-68.el6_7.x86_64</pre>
<p>Tenable is showing the use of weak ciphers along with FREAK vulnerabilities. I have followed <a href="https://access.redhat.com/solutions/675183">https://access.redhat.com/solutions/675183</a>, however issues remain in the ciphers being used.</p>
<p>I have also modified dse.ldif with the following from <a href="http://freeipa-users.redhat.narkive.com/XGR9YzyN/weak-and-null-ciphers-detected-on-ldap-ports">http://freeipa-users.redhat.narkive.com/XGR9YzyN/weak-and-null-ciphers-detected-on-ldap-ports</a>. With IPA stopped I modified dse with the below:</p>
<pre>modifyTimestamp: 20150420131906Z
nsSSL3Ciphers: +all,-rsa_null_sha
allowWeakCipher: off
numSubordinates: 1</pre>
<p>I turn on IPA and get:</p>
<pre>Starting Directory Service
Starting dirsrv:
 PKI-IPA...[27/Apr/2016:01:23:21 -0400] - Entry "cn=encryption,cn=config" -- attribute "allowweakcipher" not allowed</pre>
<p>So I go back into the file and allowWeakCipher now shows allowweakcipher (the capital W and C are now lower case).</p>
<p>nss.conf:</p>
<pre># new config to stop using weak ciphers.
NSSCipherSuite -rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,-fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_256_sha
#   SSL Protocol:
# Cryptographic protocols that provide communication security.
# NSS handles the specified protocols as "ranges", and automatically
# negotiates the use of the strongest protocol for a connection starting
# with the maximum specified protocol and downgrading as necessary to the
# minimum specified protocol that can be used between two processes.
# Since all protocol ranges are completely inclusive, and no protocol in the
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2</pre>
<p>server.xml:</p>
<pre> clientAuth="true"
 sslOptions="ssl2=off,ssl3=off,tls=true"
 ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"
 ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,-SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,-SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
 tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,-SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,-SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"</pre>
<p>Is there a config for this version of IPA/DS somewhere that will pass POODLE, FREAK and null-cipher scanning, or only allow strong ciphers?</p>
<p>Sean Hogan</p>
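<p>The two cipher lists quoted in the post above behave very differently even though both were written to "stop weak ciphers": the dse.ldif value <code>+all,-rsa_null_sha</code> first enables every cipher the server knows and then removes a single one, so RC4, single DES, 40/56-bit export and NULL-MD5 suites stay enabled, while the nss.conf <code>NSSCipherSuite</code> value disables each suite by name and enables only AES-256. The script below, added here as an example and not part of the post or of the 389-ds/mod_nss projects, evaluates a +/- cipher list the way an administrator would read it (tokens applied left to right, <code>+all</code>/<code>-all</code> expanding to the whole catalogue; this ordering is an assumption about NSS-style lists, not taken from the page), reports which enabled suites a scanner would flag, and rewrites the list as an explicit allow-list. The cipher catalogue is a constructed subset built from the short names that appear on the page; it is not a complete NSS table.</p>

```python
"""Lint an NSS-style cipher list (nsSSL3Ciphers in dse.ldif or NSSCipherSuite
in nss.conf) for suites a vulnerability scanner would flag as weak.

Added example for the mailing-list thread; not code from the post or from
389-ds/mod_nss. CIPHER_CATALOGUE is a constructed subset of NSS short names.
"""
import re

# Constructed catalogue: short name -> why it is weak, or None if acceptable.
CIPHER_CATALOGUE = {
    "rsa_null_md5": "NULL cipher (no encryption)",
    "rsa_null_sha": "NULL cipher (no encryption)",
    "fortezza_null": "NULL cipher (no encryption)",
    "rsa_rc4_40_md5": "40-bit export suite (FREAK-class downgrade)",
    "rsa_rc2_40_md5": "40-bit export suite (FREAK-class downgrade)",
    "rsa_des_56_sha": "56-bit export suite",
    "rsa_rc4_56_sha": "56-bit export suite",
    "rsa_rc4_128_md5": "RC4",
    "rsa_rc4_128_sha": "RC4",
    "fortezza_rc4_128_sha": "RC4 / obsolete FORTEZZA",
    "fortezza": "obsolete FORTEZZA",
    "rsa_des_sha": "single DES",
    "fips_des_sha": "single DES",
    "rsa_3des_sha": "3DES (commonly flagged)",
    "fips_3des_sha": "3DES (commonly flagged)",
    "rsa_aes_128_sha": None,
    "rsa_aes_256_sha": None,
}

TOKEN_RE = re.compile(r"([+-])(\w+)")


def parse_cipher_spec(spec):
    """Apply comma-separated +name/-name tokens left to right (assumed NSS
    semantics) and return the set of enabled cipher names.
    'all' expands to the whole catalogue; unknown names raise ValueError."""
    enabled = set()
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        m = TOKEN_RE.fullmatch(token)
        if not m:
            raise ValueError("malformed token: %r" % token)
        sign, name = m.group(1), m.group(2).lower()
        if name == "all":
            names = set(CIPHER_CATALOGUE)
        elif name in CIPHER_CATALOGUE:
            names = {name}
        else:
            raise ValueError("unknown cipher name: %r" % name)
        if sign == "+":
            enabled |= names
        else:
            enabled -= names
    return enabled


def weak_ciphers(spec):
    """Return {name: reason} for every enabled suite the catalogue marks weak."""
    return {n: CIPHER_CATALOGUE[n]
            for n in sorted(parse_cipher_spec(spec)) if CIPHER_CATALOGUE[n]}


def hardened_spec(spec):
    """Rewrite a list as an explicit allow-list: disable everything, then
    re-enable only the enabled suites that are not marked weak."""
    keep = sorted(n for n in parse_cipher_spec(spec) if not CIPHER_CATALOGUE[n])
    return ",".join(["-all"] + ["+" + n for n in keep])


# The two values quoted in the post (dse.ldif and nss.conf respectively).
DSE_SPEC = "+all,-rsa_null_sha"
NSS_CONF_SPEC = ("-rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_3des_sha,-rsa_des_sha,"
                 "-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,"
                 "-fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,"
                 "-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_256_sha")

if __name__ == "__main__":
    for label, spec in (("dse.ldif nsSSL3Ciphers", DSE_SPEC),
                        ("nss.conf NSSCipherSuite", NSS_CONF_SPEC)):
        print("== %s ==" % label)
        for name, reason in weak_ciphers(spec).items():
            print("  weak: %-22s %s" % (name, reason))
        print("  suggested allow-list:", hardened_spec(spec))
```

Run against the post's own values, the dse.ldif list still reports NULL-MD5, export, RC4 and DES suites as enabled, which is consistent with the LDAP ports still failing the scan, while the nss.conf list leaves only <code>rsa_aes_256_sha</code> enabled. The same left-to-right reading explains why an allow-list of the form <code>-all,+rsa_aes_128_sha,+rsa_aes_256_sha</code> is easier to audit than a long deny-list: any suite the server adds in a later build is off by default.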
</body></html>