<html><body bgcolor="#FFFFFF">Hi Noriko, Thanks for the suggestions, I had to trim out the GCM ciphers in order to get IPA to start back up or I would get the unknown cipher message Nmap is still showing the same 13 ciphers as before though like nothing had changed and I did ipactl stop, made modification, ipactl start tarting Nmap 5.51 ( <a href="http://nmap.org/">http://nmap.org</a> ) at 2016-04-28 18:44 EDT Nmap scan report for Host is up (0.000053s latency). PORT STATE SERVICE 636/tcp open ldapssl | ssl-enum-ciphers: | TLSv1.2 | Ciphers (13) | SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA | SSL_RSA_FIPS_WITH_DES_CBC_SHA | TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA | TLS_RSA_EXPORT1024_WITH_RC4_56_SHA | TLS_RSA_WITH_3DES_EDE_CBC_SHA | TLS_RSA_WITH_AES_128_CBC_SHA | TLS_RSA_WITH_AES_128_CBC_SHA256 | TLS_RSA_WITH_AES_128_GCM_SHA256 | TLS_RSA_WITH_AES_256_CBC_SHA | TLS_RSA_WITH_AES_256_CBC_SHA256 | TLS_RSA_WITH_DES_CBC_SHA | TLS_RSA_WITH_RC4_128_MD5 | TLS_RSA_WITH_RC4_128_SHA | Compressors (1) |_ uncompressed Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds Current Config: dse.ldif dn: cn=encryption,cn=config objectClass: top objectClass: nsEncryptionConfig cn: encryption nsSSLSessionTimeout: 0 nsSSLClientAuth: allowed nsSSL2: off nsSSL3: off creatorsName: cn=server,cn=plugins,cn=config modifiersName: cn=directory manager createTimestamp: 20150420131850Z modifyTimestamp: 20150420131906Z nsSSL3Ciphers: -rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_ rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,+tls_rsa_aes_128_sha ,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_ aes_256_sha,+rsa_aes_256_sha numSubordinates: 1 nss.conf # SSL 3 ciphers. SSL 2 is disabled by default. NSSCipherSuite -rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,+tls_rsa_aes_128_gcm_sha,+tls_dhe_rsa_aes_128_gcm_sha,+tls_dhe_dss_aes_128_gcm_sha NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2 Does nss.conf have anything to do with the dir srv ciphers? I know the 389 docs says they are tied together so the way I have been looking at it is nss.conf lists the allowed ciphers where dse.ldif lists which ones to use for 389 from nss.conf. Is that correct? Is there any other place where ciphers would be ignored? nss-3.19.1-8.el6_7.x86_64 sssd-ipa-1.12.4-47.el6_7.4.x86_64 ipa-client-3.0.0-47.el6_7.1.x86_64 ipa-server-selinux-3.0.0-47.el6_7.1.x86_64 ipa-pki-common-theme-9.0.3-7.el6.noarch ipa-python-3.0.0-47.el6_7.1.x86_64 ipa-server-3.0.0-47.el6_7.1.x86_64 libipa_hbac-python-1.12.4-47.el6_7.4.x86_64 ipa-admintools-3.0.0-47.el6_7.1.x86_64 ipa-pki-ca-theme-9.0.3-7.el6.noarch 389-ds-base-1.2.11.15-68.el6_7.x86_64 389-ds-base-libs-1.2.11.15-68.el6_7.x86_64 I need to get rid of any rc4s Sean Hogan Security Engineer Watson Security & Risk Assurance Watson Cloud Technology and Support email: schogan@us.ibm.com | Tel 919 486 1397 <img src="cid:1__=88BBF530DFEF78A28f9e8a93df938690918c88B@" width="67" height="53" align="top"> <img src="cid:2__=88BBF530DFEF78A28f9e8a93df938690918c88B@" width="60" height="51" align="top"> <img width="16" height="16" src="cid:3__=88BBF530DFEF78A28f9e8a93df938690918c88B@" border="0" alt="Inactive hide details for Noriko Hosoi ---04/28/2016 12:08:59 PM---Thank you for including me in the loop, Ludwig. On 04/28/201">Noriko Hosoi ---04/28/2016 12:08:59 PM---Thank you for including me in the loop, Ludwig. On 04/28/2016 04:34 AM, Ludwig Krispenz wrote: From: Noriko Hosoi <nhosoi@redhat.com> To: Ludwig Krispenz <lkrispen@redhat.com>, freeipa-users@redhat.com Date: 04/28/2016 12:08 PM Subject: Re: [Freeipa-users] IPA vulnerability management SSL Sent by: freeipa-users-bounces@redhat.com <hr width="100%" size="2" align="left" noshade style="color:#8091A5; "> Thank you for including me in the loop, Ludwig. On 04/28/2016 04:34 AM, Ludwig Krispenz wrote: > If I remember correctly we did the change in default ciphers and the option for handling in 389-ds > 1.3.3, so it would not be in RHEL6, adding Noriko to get confirmation. Ludwig is right. The way how to set nsSSL3Ciphers has been changed since 1.3.3 which is available on RHEL-7. This is one of the newly supported values of nsSSL3Ciphers:<ul><ul>Notes: if the value contains +all, then -<cipher> is removed from the list. <a href="http://www.port389.org/docs/389ds/design/nss-cipher-design.html#available-by-setting-all----nss-3162-1">http://www.port389.org/docs/389ds/design/nss-cipher-design.html#available-by-setting-all----nss-3162-1</a></ul></ul>On the older 389-ds-base including 389-ds-base-1.2.11.X on RHEL-6.X, if "+all" is found in the value, all the available ciphers are enabled. To workaround it, could you try explicitely setting ciphers as follows? nsSSL3Ciphers: -rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha, +tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha, +tls_rsa_aes_128_gcm_sha,+tls_dhe_rsa_aes_128_gcm_sha,+tls_dhe_dss_aes_128_gcm_sha Thanks, --noriko On 04/28/2016 04:34 AM, Ludwig Krispenz wrote:<ul><ul>wanted to add Noriko, but hit send to quickly On 04/28/2016 01:26 PM, Ludwig Krispenz wrote: <ul><ul> On 04/28/2016 12:06 PM, Martin Kosek wrote: <ul><ul>On 04/28/2016 01:23 AM, Sean Hogan wrote: <ul><ul>Hi Martin, No joy on placing - in front of the RC4s I modified my nss.conf to now read # SSL 3 ciphers. SSL 2 is disabled by default. NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha # SSL Protocol: # Cryptographic protocols that provide communication security. # NSS handles the specified protocols as "ranges", and automatically # negotiates the use of the strongest protocol for a connection starting # with the maximum specified protocol and downgrading as necessary to the # minimum specified protocol that can be used between two processes. # Since all protocol ranges are completely inclusive, and no protocol in the NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2 dse.ldif dn: cn=encryption,cn=config objectClass: top objectClass: nsEncryptionConfig cn: encryption nsSSLSessionTimeout: 0 nsSSLClientAuth: allowed nsSSL2: off nsSSL3: off creatorsName: cn=server,cn=plugins,cn=config modifiersName: cn=directory manager createTimestamp: 20150420131850Z modifyTimestamp: 20150420131906Z nsSSL3Ciphers: +all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4 _56_sha,-tls_dhe_dss_1024_rc4_sha numSubordinates: 1 But I still get this with nmap.. I thought the above would remove -tls_rsa_export1024_with_rc4_56_sha but still showing. Is it the fact that I am not offering -tls_rsa_export1024_with_rc4_56_sha? If so.. not really understanding where it is coming from cept the +all from DS but the - should be negating that? Starting Nmap 5.51 ( <a href="http://nmap.org/">http://nmap.org</a> <a href="http://nmap.org/"><http://nmap.org/></a> ) at 2016-04-27 17:37 EDT Nmap scan report for Host is up (0.000086s latency). PORT STATE SERVICE 636/tcp open ldapssl | ssl-enum-ciphers: | TLSv1.2 | Ciphers (13) | SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA | SSL_RSA_FIPS_WITH_DES_CBC_SHA | TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA | TLS_RSA_EXPORT1024_WITH_RC4_56_SHA | TLS_RSA_WITH_3DES_EDE_CBC_SHA | TLS_RSA_WITH_AES_128_CBC_SHA | TLS_RSA_WITH_AES_128_CBC_SHA256 | TLS_RSA_WITH_AES_128_GCM_SHA256 | TLS_RSA_WITH_AES_256_CBC_SHA | TLS_RSA_WITH_AES_256_CBC_SHA256 | TLS_RSA_WITH_DES_CBC_SHA | TLS_RSA_WITH_RC4_128_MD5 | TLS_RSA_WITH_RC4_128_SHA | Compressors (1) |_ uncompressed Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds It seems no matter what config I put into nss.conf or dse.ldif nothing changes with my nmap results. Is there supposed to be a be a section to add TLS ciphers instead of SSL </ul></ul>Not sure now, CCing Ludwig who was involved in the original RHEL-6 implementation. </ul></ul>If I remember correctly we did the change in default ciphers and the option for handling in 389-ds > 1.3.3, so it would not be in RHEL6, adding Noriko to get confirmation. but the below comments about changing ciphers in dse.ldif could help in using the "old" way to set ciphers <ul><ul>Just to be sure, when you are modifying dse.ldif, the procedure should be always following: 1) Stop Directory Server service 2) Modify dse.ldif 3) Start Directory Server service Otherwise it won't get applied and will get overwritten later. In any case, the ciphers with RHEL-6 should be secure enough, the ones in FreeIPA 4.3.1 should be even better. This is for example an nmap taken on FreeIPA Demo instance that runs on FreeIPA 4.3.1: $ nmap --script ssl-enum-ciphers -p 636 ipa.demo1.freeipa.org Starting Nmap 7.12 ( <a href="https://nmap.org/">https://nmap.org</a> ) at 2016-04-28 12:02 CEST Nmap scan report for ipa.demo1.freeipa.org (209.132.178.99) Host is up (0.18s latency). PORT STATE SERVICE 636/tcp open ldapssl | ssl-enum-ciphers: | TLSv1.2: | ciphers: | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A | TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A | TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A | compressors: | NULL | cipher preference: server |_ least strength: A Nmap done: 1 IP address (1 host up) scanned in 21.12 seconds Martin </ul></ul></ul></ul></ul></ul><tt>-- Manage your subscription for the Freeipa-users mailing list: </tt><tt><a href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></tt><tt> Go to </tt><tt><a href="http://freeipa.org">http://freeipa.org</a></tt><tt> for more info on the project</tt> </body></html>