From mharmsen at redhat.com Tue Apr 1 17:38:48 2014
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Tue, 01 Apr 2014 10:38:48 -0700
Subject: [Pki-users] Announcing the release of Dogtag 10.0.7
Message-ID: <533AF9A8.7040203@redhat.com>

The Dogtag team is proud to announce the seventh errata build for Dogtag 10.0.

Builds are available for Fedora 19.

== Build Versions ==

dogtag-pki-10.0.7-1
dogtag-pki-theme-10.0.7-1
pki-console-10.0.7-1
pki-core-10.0.7-1
pki-ra-10.0.7-1
pki-tps-10.0.7-1

== Upgrade Notes ==

Simply use yum to update existing packages.

== Highlights since Dogtag 10.0.6 ==

* This errata fixes three bugs found in Dogtag 10.0.6:

  * PKI TRAC Ticket #803 - avc generated for useradd in pkispawn scripts
    Fixed so that useradd does not generate an AVC by closing file descriptors prior to invoking useradd.

  * PKI TRAC Ticket #868 - REST API get certs links missing segment
    Fixed links to generate proper URLs (attempted to future-proof this to avoid any issues that might be caused by future re-factoring).

  * PKI TRAC Ticket #869 - f19 ipa-server-install fails at step 6/22 of cert sys install - systemctl start pki-tomcatd.target fails
    Fixed problem by adding a 'daemon-reload' method and calling it prior to starting the 'pki-tomcatd' target.

== Detailed Changes since Dogtag 10.0.6 ==

alee (2):
  #743 Fixed useradd in pkispawn to not generate AVC
  #868 REST API get certs links missing segment

mharmsen (1):
  #869 Added 'daemon-reload' method


From mharmsen at redhat.com Tue Apr 1 17:54:40 2014
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Tue, 01 Apr 2014 10:54:40 -0700
Subject: [Pki-users] Announcing the release of Dogtag 10.1.1
Message-ID: <533AFD60.2090001@redhat.com>

The Dogtag team is proud to announce the first errata build for Dogtag 10.1.

Builds are available for Fedora 20.

== Build Versions ==

dogtag-pki-10.1.1-1
dogtag-pki-theme-10.1.1-1
pki-console-10.1.1-1
pki-core-10.1.1-1
pki-ra-10.1.1-1
pki-tps-10.1.1-1

== Upgrade Notes ==

Simply use yum to update existing packages.

== Highlights since Dogtag 10.1.0 ==

* This errata fixes four issues found in Dogtag 10.1.0:

  * PKI TRAC Ticket #840 - pkispawn requires policycoreutils-python
    Bugzilla Bug #1057959 - pkispawn requires policycoreutils-python
    Added this runtime dependency to the pki-core package.

  * PKI TRAC Ticket #868 - REST API get certs links missing segment
    Fixed links to generate proper URLs (attempted to future-proof this to avoid any issues that might be caused by future re-factoring).

  * PKI TRAC Ticket #869 - f19 ipa-server-install fails at step 6/22 of cert sys install - systemctl start pki-tomcatd.target fails
    Fixed problem by adding a 'daemon-reload' method and calling it prior to starting the 'pki-tomcatd' target.

  * PKI TRAC Ticket #816 - pki-tomcat cannot be started after installation of ipa replica with ca
    IPA replica installation was failing due to encoding errors when generating the SSL server certificate. To avoid these errors, Dogtag CA clones were fixed by requiring that their SSL server certificates must always be signed by the associated Dogtag CA master.
== Detailed Changes since Dogtag 10.1.0 ==

alee (1):
  #868 REST API get certs links missing segment

cfu (1):
  #816 Sign CA clone sslserver certificate using CA master

mharmsen (2):
  #840 pkispawn requires policycoreutils-python
  #869 Added 'daemon-reload' method


From e-s-g-r at t-online.de Wed Apr 2 12:01:53 2014
From: e-s-g-r at t-online.de (e-s-g-r at t-online.de)
Date: Wed, 02 Apr 2014 14:01:53 +0200
Subject: [Pki-users] Dangling jss4.jar symlink on Fedora 20, pkispawn aborts on ipa-server-install
Message-ID: <1WVJrd-2gQzIW0@fwd25.aul.t-online.de>

Hi,

I recently tried to install a testing version of freeipa on fedora 20 and ran into the exact same problem as described here

https://bugzilla.redhat.com/show_bug.cgi?id=919476

and

https://bugzilla.redhat.com/show_bug.cgi?id=974535

that should (as far as I understand it) already have been solved. What is the best way to fix that manually?

The installed versions are:

dogtag-pki-server-theme.noarch 10.1.1-1.fc20 @updates-testing
pki-server.noarch 10.1.1-1.fc20 @updates-testing

Regards


From alee at redhat.com Wed Apr 2 14:58:12 2014
From: alee at redhat.com (Ade Lee)
Date: Wed, 02 Apr 2014 10:58:12 -0400
Subject: [Pki-users] Dangling jss4.jar symlink on Fedora 20, pkispawn aborts on ipa-server-install
In-Reply-To: <1WVJrd-2gQzIW0@fwd25.aul.t-online.de>
References: <1WVJrd-2gQzIW0@fwd25.aul.t-online.de>
Message-ID: <1396450692.28796.7.camel@aleeredhat.laptop>

After some investigation/discussion on IRC, it was found that - for some reason, and it's not clear why - the postinstall script for pki-base did not run.
On F20, that postinstall script does the following:

    sed -i -e 's/^JNI_JAR_DIR=.*$/JNI_JAR_DIR=\/usr\/lib\/java/' /usr/share/pki/etc/pki.conf

which sets the correct value for JNI_JAR_DIR in /usr/share/pki/etc/pki.conf, which is the file parsed by pkispawn and the startup scripts.

Setting this parameter manually resolved the issue.

Ade


From thibaut.pouzet at lyra-network.com Thu Apr 3 15:02:27 2014
From: thibaut.pouzet at lyra-network.com (Thibaut Pouzet)
Date: Thu, 03 Apr 2014 17:02:27 +0200
Subject: [Pki-users] Disable the cipher RC4 for the web interface
Message-ID: <533D7803.4080102@lyra-network.com>

Hi,

I am currently using pki-ca v9.0.3-32 with FreeIPA v3.0.0.-37 on a CentOS 6.5 machine. I am scanning my internal networks in order to find vulnerabilities, and trying to fix anything I find. I have found that the HTTPS pki-ca administration interfaces listening on ports 9444 and 9445 were accepting what might be considered as weak ciphers (RC4) for data encryption.
I removed those ciphers from /etc/pki-ca/server.xml, and then restarted the daemon, but this had no effect whatsoever on the ciphers available on these SSL ports. I searched a bit around /etc/pki-ca/ and /var/lib/pki-ca/ but could not find where to make my changes in order to disable RC4 ciphers for those administration interfaces.

I also searched on the Internet & asked on the IRC channel about this issue, with no success, so here I am. Has anyone already found a way to do this?

Regards,

-- 
Thibaut Pouzet


From cfu at redhat.com Thu Apr 3 15:14:08 2014
From: cfu at redhat.com (Christina Fu)
Date: Thu, 03 Apr 2014 08:14:08 -0700
Subject: [Pki-users] Disable the cipher RC4 for the web interface
In-Reply-To: <533D7803.4080102@lyra-network.com>
References: <533D7803.4080102@lyra-network.com>
Message-ID: <533D7AC0.7040604@redhat.com>

Did you try turning on the strictCiphers and FIPS mode?

https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html-single/Deploy_and_Install_Guide/index.html

Search for the word "strictCiphers" and follow the instruction there. For nss softtoken you just need to do steps 14, 15, and 16. Stop server before you begin and start after you are done.

hope this helps,
Christina


From thibaut.pouzet at lyra-network.com Thu Apr 3 16:09:27 2014
From: thibaut.pouzet at lyra-network.com (Thibaut Pouzet)
Date: Thu, 03 Apr 2014 18:09:27 +0200
Subject: [Pki-users] Disable the cipher RC4 for the web interface
In-Reply-To: <533D7AC0.7040604@redhat.com>
References: <533D7803.4080102@lyra-network.com> <533D7AC0.7040604@redhat.com>
Message-ID: <533D87B7.30709@lyra-network.com>

Hi Christina,

I just did the things listed in the documentation you gave me; the only effect it had was that SSLv3 related ciphers were disabled. I still have the TLSv1 ciphers using RC4 available, obviously.

-- 
Thibaut Pouzet


From msauton at redhat.com Thu Apr 3 20:12:04 2014
From: msauton at redhat.com (Marc Sauton)
Date: Thu, 03 Apr 2014 13:12:04 -0700
Subject: [Pki-users] Disable the cipher RC4 for the web interface
In-Reply-To: <533D87B7.30709@lyra-network.com>
References: <533D7803.4080102@lyra-network.com> <533D7AC0.7040604@redhat.com> <533D87B7.30709@lyra-network.com>
Message-ID: <533DC094.3070608@redhat.com>

Is it possible that in the file /etc/pki-ca/server.xml there is still a trace of +SSL3_RSA_WITH_RC4_128_SHA for ssl3Ciphers or tls3Ciphers?

Thanks,
M.


From cfu at redhat.com Thu Apr 3 21:03:59 2014
From: cfu at redhat.com (Christina Fu)
Date: Thu, 03 Apr 2014 14:03:59 -0700
Subject: [Pki-users] Disable the cipher RC4 for the web interface
In-Reply-To: <533DC094.3070608@redhat.com>
References: <533D7803.4080102@lyra-network.com> <533D7AC0.7040604@redhat.com> <533D87B7.30709@lyra-network.com> <533DC094.3070608@redhat.com>
Message-ID: <533DCCBF.402@redhat.com>

yes, that's exactly that. Just remove the ones from tls3Ciphers. What the "strictCiphers" does is to turn off everything but the ones you allow on.

Christina


From cfu at redhat.com Thu Apr 3 22:26:58 2014
From: cfu at redhat.com (Christina Fu)
Date: Thu, 03 Apr 2014 15:26:58 -0700
Subject: [Pki-users] Disable the cipher RC4 for the web interface
In-Reply-To: <533DCCBF.402@redhat.com>
References: <533D7803.4080102@lyra-network.com> <533D7AC0.7040604@redhat.com> <533D87B7.30709@lyra-network.com> <533DC094.3070608@redhat.com> <533DCCBF.402@redhat.com>
Message-ID: <533DE032.6090708@redhat.com>

I just checked out the tomcatjss off IPA_v2_RHEL_6_ERRATA_BRANCH. It appears that it's missing the strictCiphers implementation.

I will file a RHEL 6.5 bug for it and hopefully get it fixed.

Christina


From thibaut.pouzet at lyra-network.com Fri Apr 4 07:53:26 2014
From: thibaut.pouzet at lyra-network.com (Thibaut Pouzet)
Date: Fri, 04 Apr 2014 09:53:26 +0200
Subject: [Pki-users] Disable the cipher RC4 for the web interface
In-Reply-To: <533DE032.6090708@redhat.com>
References: <533D7803.4080102@lyra-network.com> <533D7AC0.7040604@redhat.com> <533D87B7.30709@lyra-network.com> <533DC094.3070608@redhat.com> <533DCCBF.402@redhat.com> <533DE032.6090708@redhat.com>
Message-ID: <533E64F6.30400@lyra-network.com>

Hi,

Marc:
I removed all RC4 ciphers from the file with the vim command

    %s/+[A-Z_312568]*RC4[A-Z_123568]*,//g

and double-checked a couple of times; there is no way I missed this and that there are still RC4 ciphers manually enabled inside this file.

Christina:
Alright, let us know when you have filed the bug with the technical elements you found! I'll be glad to follow this, thank you for your time searching for this!

Cheers,

-- 
Thibaut Pouzet
Lyra Network
Systems and Network Engineer
(+33) 5 31 22 40 08
www.lyra-network.com


From cfu at redhat.com Fri Apr 4 15:14:29 2014
From: cfu at redhat.com (Christina Fu)
Date: Fri, 04 Apr 2014 08:14:29 -0700
Subject: [Pki-users] Disable the cipher RC4 for the web interface
In-Reply-To: <533E64F6.30400@lyra-network.com>
References: <533D7803.4080102@lyra-network.com> <533D7AC0.7040604@redhat.com> <533D87B7.30709@lyra-network.com> <533DC094.3070608@redhat.com> <533DCCBF.402@redhat.com> <533DE032.6090708@redhat.com> <533E64F6.30400@lyra-network.com>
Message-ID: <533ECC55.3090805@redhat.com>

https://fedorahosted.org/pki/ticket/943 - tomcatjss missing strictCiphers implementation

Christina


From Sam.Fakhreddine at ledcor.com Wed Apr 9 20:33:36 2014
From: Sam.Fakhreddine at ledcor.com (Sam Fakhreddine)
Date: Wed, 9 Apr 2014 20:33:36 +0000
Subject: [Pki-users] Setting up a CA for the first time: Import CA's Certificate Chain
Message-ID: <27ADA94DF4E13741B4441392A46095A80A2D1E56@LMAVEM4.ledcor.net>

Hello,

I have set up my CA and was going through the CA setup wizard. However, when I get to the "Import CA's Certificate Chain" part of the wizard, it just SPINS in Chrome and throws a 1b6 error in Internet Explorer.

Are there any workarounds?

Sam Fakhreddine
Site Systems Administrator
Ledcor Industries Inc., Information Services
7008 Roper Road NW, Edmonton, AB T6B 3H2
p 780-395-5455 | c 780-996-0763
www.ledcor.com
FORWARD. TOGETHER.


From cfu at redhat.com Wed Apr 23 19:19:14 2014
From: cfu at redhat.com (Christina Fu)
Date: Wed, 23 Apr 2014 12:19:14 -0700
Subject: [Pki-users] Backward Compatibility discussion meeting result
Message-ID: <53581232.7010808@redhat.com>

http://pki.fedoraproject.org/wiki/Dogtag_Future_Directions#Backward_Compatibility
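Added example for the "Disable the cipher RC4" thread above; this is not code from the list, from Dogtag or from tomcatjss. It parses the ssl3Ciphers/tls3Ciphers Connector attributes named in that thread, reports RC4 suites that are still enabled (or merely unlisted while strictCiphers is off, which is the situation Thibaut ran into), and rewrites a list so RC4 is explicitly disabled with a '-' entry instead of just being deleted. The server.xml fragment is constructed; the '+'/'-' and strictCiphers semantics are assumed from Christina's description, and the non-RC4 suite names are sample values.

```python
"""Audit tomcatjss cipher lists in a Dogtag server.xml for RC4.

Added example, not code from the pki-users list or the Dogtag/tomcatjss
projects.  Assumptions: the Connector attributes named in the thread
(ssl3Ciphers, tls3Ciphers) hold comma-separated suite names prefixed
'+' (enable) or '-' (disable), and an unlisted suite keeps the NSS
default unless strictCiphers="true" turns off everything but the '+' ones.
"""
import re
import xml.etree.ElementTree as ET

CIPHER_ATTRS = ("ssl3Ciphers", "tls3Ciphers")
RC4_RE = re.compile(r"RC4")  # same criterion as the thread's vim pattern

# Constructed server.xml fragment: port 9444 still enables RC4 outright;
# port 9445 had its '+RC4' entry deleted from tls3Ciphers (as in the
# thread) but does not set strictCiphers, so the library default decides.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="9444"
      ssl3Ciphers="-SSL3_RSA_WITH_NULL_MD5,+SSL3_RSA_WITH_RC4_128_SHA,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA"
      tls3Ciphers="+TLS_RSA_WITH_AES_128_CBC_SHA,+SSL3_RSA_WITH_RC4_128_SHA"/>
    <Connector port="9445"
      ssl3Ciphers="-SSL3_RSA_WITH_RC4_128_SHA,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA"
      tls3Ciphers="+TLS_RSA_WITH_AES_128_CBC_SHA"/>
  </Service>
</Server>
"""


def parse_cipher_list(value):
    """Map each suite name to True ('+') or False ('-'), in list order."""
    states = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if item[0] not in "+-":
            raise ValueError("cipher entry without +/- prefix: %r" % item)
        states[item[1:]] = item[0] == "+"
    return states


def format_cipher_list(states):
    """Inverse of parse_cipher_list."""
    return ",".join(("+" if on else "-") + name for name, on in states.items())


def harden_cipher_list(value, known_rc4=()):
    """Return the list with every RC4 suite explicitly disabled.

    Deleting '+...RC4...' entries (the thread's vim substitution) only
    helps when strictCiphers is honoured; a '-' entry switches the suite
    off either way.  Names in known_rc4 that the list never mentions are
    appended as disabled, so the result does not rely on library defaults.
    """
    states = parse_cipher_list(value)
    for name in states:
        if RC4_RE.search(name):
            states[name] = False
    for name in known_rc4:
        states.setdefault(name, False)
    return format_cipher_list(states)


def audit_server_xml(xml_text):
    """Return (port, attribute, suite) for every RC4 suite still enabled,
    and (port, attribute, None) when RC4 is unmentioned and strictCiphers
    is off, since the library default then decides whether RC4 is offered."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        port = conn.get("port")
        strict = conn.get("strictCiphers", "false").lower() == "true"
        for attr in CIPHER_ATTRS:
            value = conn.get(attr)
            if value is None:
                continue
            rc4 = {n: on for n, on in parse_cipher_list(value).items()
                   if RC4_RE.search(n)}
            findings.extend((port, attr, n) for n, on in rc4.items() if on)
            if not rc4 and not strict:
                findings.append((port, attr, None))
    return findings


if __name__ == "__main__":
    for port, attr, suite in audit_server_xml(SAMPLE_SERVER_XML):
        what = suite or "no RC4 entry and strictCiphers off (default applies)"
        print("port %s %s: %s" % (port, attr, what))
```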