<html><body>Yes sir.. I am stopping DS with ipactl stop before making changes.. .I often times have to really play with the ciphers cause many times when I restart DS I get unknown cipher and IPA fails to start. Go back into dse.ldif and modify til it comes back up. Sean Hogan Security Engineer Watson Security & Risk Assurance Watson Cloud Technology and Support email: schogan@us.ibm.com | Tel 919 486 1397 <img src="cid:1__=88BBF530DFC7A88F8f9e8a93df938690918c88B@" width="67" height="53" align="top"> <img src="cid:2__=88BBF530DFC7A88F8f9e8a93df938690918c88B@" width="60" height="51" align="top"> <img width="16" height="16" src="cid:3__=88BBF530DFC7A88F8f9e8a93df938690918c88B@" border="0" alt="Inactive hide details for Ludwig Krispenz ---04/28/2016 04:46:40 AM---wanted to add Noriko, but hit send to quickly On 04/28/20">Ludwig Krispenz ---04/28/2016 04:46:40 AM---wanted to add Noriko, but hit send to quickly On 04/28/2016 01:26 PM, Ludwig Krispenz wrote: From: Ludwig Krispenz <lkrispen@redhat.com> To: freeipa-users@redhat.com, Noriko Hosoi <nhosoi@redhat.com> Date: 04/28/2016 04:46 AM Subject: Re: [Freeipa-users] IPA vulnerability management SSL Sent by: freeipa-users-bounces@redhat.com <hr width="100%" size="2" align="left" noshade style="color:#8091A5; "> <tt>wanted to add Noriko, but hit send to quickly On 04/28/2016 01:26 PM, Ludwig Krispenz wrote: > > On 04/28/2016 12:06 PM, Martin Kosek wrote: >> On 04/28/2016 01:23 AM, Sean Hogan wrote: >>> Hi Martin, >>> >>> No joy on placing - in front of the RC4s >>> >>> >>> I modified my nss.conf to now read >>> # SSL 3 ciphers. SSL 2 is disabled by default. >>> NSSCipherSuite >>> +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha >>> >>> >>> # SSL Protocol: >>> # Cryptographic protocols that provide communication security. >>> # NSS handles the specified protocols as "ranges", and automatically >>> # negotiates the use of the strongest protocol for a connection >>> starting >>> # with the maximum specified protocol and downgrading as necessary >>> to the >>> # minimum specified protocol that can be used between two processes. >>> # Since all protocol ranges are completely inclusive, and no >>> protocol in the >>> NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2 >>> >>> dse.ldif >>> >>> dn: cn=encryption,cn=config >>> objectClass: top >>> objectClass: nsEncryptionConfig >>> cn: encryption >>> nsSSLSessionTimeout: 0 >>> nsSSLClientAuth: allowed >>> nsSSL2: off >>> nsSSL3: off >>> creatorsName: cn=server,cn=plugins,cn=config >>> modifiersName: cn=directory manager >>> createTimestamp: 20150420131850Z >>> modifyTimestamp: 20150420131906Z >>> nsSSL3Ciphers: >>> +all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4 >>> _56_sha,-tls_dhe_dss_1024_rc4_sha >>> numSubordinates: 1 >>> >>> >>> >>> But I still get this with nmap.. I thought the above would remove >>> -tls_rsa_export1024_with_rc4_56_sha but still showing. Is it the >>> fact that I am not >>> offering -tls_rsa_export1024_with_rc4_56_sha? If so.. not really >>> understanding >>> where it is coming from cept the +all from DS but the - should be >>> negating that? >>> >>> Starting Nmap 5.51 ( </tt><tt><a href="http://nmap.org">http://nmap.org</a></tt><tt> <</tt><tt><a href="http://nmap.org/">http://nmap.org/</a></tt><tt>> ) at >>> 2016-04-27 17:37 EDT >>> Nmap scan report for rtpvxl0077.watson.local (10.110.76.242) >>> Host is up (0.000086s latency). >>> PORT STATE SERVICE >>> 636/tcp open ldapssl >>> | ssl-enum-ciphers: >>> | TLSv1.2 >>> | Ciphers (13) >>> | SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA >>> | SSL_RSA_FIPS_WITH_DES_CBC_SHA >>> | TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA >>> | TLS_RSA_EXPORT1024_WITH_RC4_56_SHA >>> | TLS_RSA_WITH_3DES_EDE_CBC_SHA >>> | TLS_RSA_WITH_AES_128_CBC_SHA >>> | TLS_RSA_WITH_AES_128_CBC_SHA256 >>> | TLS_RSA_WITH_AES_128_GCM_SHA256 >>> | TLS_RSA_WITH_AES_256_CBC_SHA >>> | TLS_RSA_WITH_AES_256_CBC_SHA256 >>> | TLS_RSA_WITH_DES_CBC_SHA >>> | TLS_RSA_WITH_RC4_128_MD5 >>> | TLS_RSA_WITH_RC4_128_SHA >>> | Compressors (1) >>> |_ uncompressed >>> >>> Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds >>> >>> >>> >>> It seems no matter what config I put into nss.conf or dse.ldif >>> nothing changes >>> with my nmap results. Is there supposed to be a be a section to add >>> TLS ciphers >>> instead of SSL >> Not sure now, CCing Ludwig who was involved in the original RHEL-6 >> implementation. > If I remember correctly we did the change in default ciphers and the > option for handling in 389-ds > 1.3.3, so it would not be in RHEL6, > adding Noriko to get confirmation. > > but the below comments about changing ciphers in dse.ldif could help > in using the "old" way to set ciphers >> Just to be sure, when you are modifying dse.ldif, the procedure >> should be always following: >> >> 1) Stop Directory Server service >> 2) Modify dse.ldif >> 3) Start Directory Server service >> >> Otherwise it won't get applied and will get overwritten later. >> >> In any case, the ciphers with RHEL-6 should be secure enough, the >> ones in >> FreeIPA 4.3.1 should be even better. This is for example an nmap >> taken on >> FreeIPA Demo instance that runs on FreeIPA 4.3.1: >> >> $ nmap --script ssl-enum-ciphers -p 636 ipa.demo1.freeipa.org >> >> Starting Nmap 7.12 ( </tt><tt><a href="https://nmap.org">https://nmap.org</a></tt><tt> ) at 2016-04-28 12:02 CEST >> Nmap scan report for ipa.demo1.freeipa.org (209.132.178.99) >> Host is up (0.18s latency). >> PORT STATE SERVICE >> 636/tcp open ldapssl >> | ssl-enum-ciphers: >> | TLSv1.2: >> | ciphers: >> | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A >> | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A >> | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A >> | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A >> | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A >> | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A >> | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A >> | TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A >> | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A >> | TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A >> | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A >> | TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A >> | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A >> | TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A >> | compressors: >> | NULL >> | cipher preference: server >> |_ least strength: A >> >> Nmap done: 1 IP address (1 host up) scanned in 21.12 seconds >> >> Martin > -- Red Hat GmbH, </tt><tt><a href="http://www.de.redhat.com/">http://www.de.redhat.com/</a></tt><tt>, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill -- Manage your subscription for the Freeipa-users mailing list: </tt><tt><a href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></tt><tt> Go to </tt><tt><a href="http://freeipa.org">http://freeipa.org</a></tt><tt> for more info on the project </tt> </body></html>