<html><body>Hi Martin, No joy on placing - in front of the RC4s I modified my nss.conf to now read # SSL 3 ciphers. SSL 2 is disabled by default. NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha # SSL Protocol: # Cryptographic protocols that provide communication security. # NSS handles the specified protocols as "ranges", and automatically # negotiates the use of the strongest protocol for a connection starting # with the maximum specified protocol and downgrading as necessary to the # minimum specified protocol that can be used between two processes. # Since all protocol ranges are completely inclusive, and no protocol in the NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2 dse.ldif dn: cn=encryption,cn=config objectClass: top objectClass: nsEncryptionConfig cn: encryption nsSSLSessionTimeout: 0 nsSSLClientAuth: allowed nsSSL2: off nsSSL3: off creatorsName: cn=server,cn=plugins,cn=config modifiersName: cn=directory manager createTimestamp: 20150420131850Z modifyTimestamp: 20150420131906Z nsSSL3Ciphers: +all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4 _56_sha,-tls_dhe_dss_1024_rc4_sha numSubordinates: 1 But I still get this with nmap.. I thought the above would remove -tls_rsa_export1024_with_rc4_56_sha but still showing. Is it the fact that I am not offering -tls_rsa_export1024_with_rc4_56_sha? If so.. not really understanding where it is coming from cept the +all from DS but the - should be negating that? Starting Nmap 5.51 ( <a href="http://nmap.org/">http://nmap.org</a> ) at 2016-04-27 17:37 EDT Nmap scan report for rtpvxl0077.watson.local (10.110.76.242) Host is up (0.000086s latency). PORT STATE SERVICE 636/tcp open ldapssl | ssl-enum-ciphers: | TLSv1.2 | Ciphers (13) | SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA | SSL_RSA_FIPS_WITH_DES_CBC_SHA | TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA | TLS_RSA_EXPORT1024_WITH_RC4_56_SHA | TLS_RSA_WITH_3DES_EDE_CBC_SHA | TLS_RSA_WITH_AES_128_CBC_SHA | TLS_RSA_WITH_AES_128_CBC_SHA256 | TLS_RSA_WITH_AES_128_GCM_SHA256 | TLS_RSA_WITH_AES_256_CBC_SHA | TLS_RSA_WITH_AES_256_CBC_SHA256 | TLS_RSA_WITH_DES_CBC_SHA | TLS_RSA_WITH_RC4_128_MD5 | TLS_RSA_WITH_RC4_128_SHA | Compressors (1) |_ uncompressed Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds It seems no matter what config I put into nss.conf or dse.ldif nothing changes with my nmap results. Is there supposed to be a be a section to add TLS ciphers instead of SSL Sean Hogan <img width="16" height="16" src="cid:1__=88BBF531DFE5293C8f9e8a93df938690918c88B@" border="0" alt="Inactive hide details for Sean Hogan---04/27/2016 09:59:59 AM---I ran the following: nmap --script ssl-enum-ciphers -p 636 `hos">Sean Hogan---04/27/2016 09:59:59 AM---I ran the following: nmap --script ssl-enum-ciphers -p 636 `hostname` From: Sean Hogan/Durham/IBM To: Martin Kosek <mkosek@redhat.com> Cc: freeipa-users <freeipa-users@redhat.com> Date: 04/27/2016 09:59 AM Subject: Re: [Freeipa-users] IPA vulnerability management SSL <hr width="100%" size="2" align="left" noshade style="color:#8091A5; "> <tt>I ran the following:</tt> <tt>nmap --script ssl-enum-ciphers -p 636 `hostname`</tt> Starting Nmap 5.51 ( <a href="http://nmap.org/">http://nmap.org</a> ) at 2016-04-27 12:48 EDT Nmap scan report for bob Host is up (0.000078s latency). PORT STATE SERVICE 636/tcp open ldapssl | ssl-enum-ciphers: | TLSv1.2 | Ciphers (13) | SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA | SSL_RSA_FIPS_WITH_DES_CBC_SHA | TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA | TLS_RSA_EXPORT1024_WITH_RC4_56_SHA | TLS_RSA_WITH_3DES_EDE_CBC_SHA | TLS_RSA_WITH_AES_128_CBC_SHA | TLS_RSA_WITH_AES_128_CBC_SHA256 | TLS_RSA_WITH_AES_128_GCM_SHA256 | TLS_RSA_WITH_AES_256_CBC_SHA | TLS_RSA_WITH_AES_256_CBC_SHA256 | TLS_RSA_WITH_DES_CBC_SHA | TLS_RSA_WITH_RC4_128_MD5 | TLS_RSA_WITH_RC4_128_SHA | Compressors (1) |_ uncompressed Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds Tenable is barking about the following.. only listing 636 but the same applies for 389 Plugin ID: 65821 Port 636 Synopsis: The remote service supports the use of the RC4 cipher. Description The remote host supports the use of RC4 in one or more cipher suites. The RC4 cipher is flawed in its generation of a pseudo-random stream of bytes so that a wide variety of small biases are introduced into the stream, decreasing its randomness. And 636 and 389 for Plugin ID: 81606 port 389 Synopsis: The remote host supports a set of weak ciphers. Description The remote host supports EXPORT_RSA cipher suites with keys less than or equal to 512 bits. An attacker can factor a 512-bit RSA modulus in a short amount of time. A man-in-the middle attacker may be able to downgrade the session to use EXPORT_RSA cipher suites (e.g. CVE-2015-0204). Thus, it is recommended to remove support for weak cipher suites. So I do see RC4 and the exports so I guess I can - those in the dse.ldif <img width="16" height="16" src="cid:1__=88BBF531DFE5293C8f9e8a93df938690918c88B@" border="0" alt="Inactive hide details for Sean Hogan---04/27/2016 09:33:26 AM---Hi Martin, Thanks for the response. We are at RHEL 6.7... g">Sean Hogan---04/27/2016 09:33:26 AM---Hi Martin, Thanks for the response. We are at RHEL 6.7... getting the hits on 389 and 636 so its From: Sean Hogan/Durham/IBM To: Martin Kosek <mkosek@redhat.com> Cc: freeipa-users <freeipa-users@redhat.com> Date: 04/27/2016 09:33 AM Subject: Re: [Freeipa-users] IPA vulnerability management SSL <hr width="100%" size="2" align="left" noshade style="color:#8091A5; "> Hi Martin, Thanks for the response. We are at RHEL 6.7... getting the hits on 389 and 636 so its the Directory server ports which I assume is dse.ldif. Sean Hogan <img width="16" height="16" src="cid:1__=88BBF531DFE5293C8f9e8a93df938690918c88B@" border="0" alt="Inactive hide details for Martin Kosek ---04/27/2016 01:43:30 AM---On 04/27/2016 07:27 AM, Sean Hogan wrote: > Hello,">Martin Kosek ---04/27/2016 01:43:30 AM---On 04/27/2016 07:27 AM, Sean Hogan wrote: > Hello, From: Martin Kosek <mkosek@redhat.com> To: Sean Hogan/Durham/IBM@IBMUS, freeipa-users <freeipa-users@redhat.com> Date: 04/27/2016 01:43 AM Subject: Re: [Freeipa-users] IPA vulnerability management SSL <hr width="100%" size="2" align="left" noshade style="color:#8091A5; "> <tt>On 04/27/2016 07:27 AM, Sean Hogan wrote: > Hello, > > We currently have 7 ipa servers in multi master running: > > ipa-server-3.0.0-47.el6_7.1.x86_64 > 389-ds-base-1.2.11.15-68.el6_7.x86_64 > > Tenable is showing the use of weak ciphers along with freak vulnerabilities. I > have followed > </tt><tt><a href="https://access.redhat.com/solutions/675183">https://access.redhat.com/solutions/675183</a></tt><tt> however issues remain in the ciphers > being used. Can you show the full report, so that we can see what's wrong? What I am looking for also is if the problem is LDAPS port or HTTPS port, so that we are not fixing wrong service. DS ciphers were hardened in RHEL-6.x and RHEL-7.x already as part of this bug: </tt><tt><a href="https://bugzilla.redhat.com/show_bug.cgi?id=1154687">https://bugzilla.redhat.com/show_bug.cgi?id=1154687</a></tt><tt> Further hardening comes with FreeIPA 4.3.1+: </tt><tt><a href="https://fedorahosted.org/freeipa/ticket/5684">https://fedorahosted.org/freeipa/ticket/5684</a></tt><tt> </tt><tt><a href="https://fedorahosted.org/freeipa/ticket/5589">https://fedorahosted.org/freeipa/ticket/5589</a></tt><tt> (it should appear in RHEL-7.3+) Martin </tt> </body></html>