[Pki-users] Disable the cipher RC4 for the web interface
Thibaut Pouzet
thibaut.pouzet at lyra-network.com
Thu Apr 3 16:09:27 UTC 2014
On 03/04/2014 17:14, Christina Fu wrote:
> Did you try turning on the strictCiphers and FIPS mode?
>
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html-single/Deploy_and_Install_Guide/index.html
>
>
> Search for the word "strictCiphers" and follow the instruction there.
> For nss softtoken you just need to do steps 14, 15, and 16. Stop
> server before you begin and start after you are done.
>
> hope this helps,
> Christina
>
> On 04/03/2014 08:02 AM, Thibaut Pouzet wrote:
>> Hi,
>>
>> I am currently using pki-ca v9.0.3-32 with FreeIPA v3.0.0.-37 on a
>> CentOS 6.5 machine. I am scanning my internal networks in order to
>> find vulnerabilities, and trying to fix anything I find. I have found
>> that the HTTPS pki-ca administration interfaces listening on ports
>> 9444 and 9445 were accepting what might be considered as weak ciphers
>> (RC4) for data encryption.
>>
>> I removed those ciphers from /etc/pki-ca/server.xml, and then
>> restarted the daemon, but this had no effect whatsoever on the
>> ciphers available on these SSL ports. I searched a bit around
>> /etc/pki-ca/ and /var/lib/pki-ca/ but could not find where to make my
>> changes in order to disable RC4 ciphers for those administration
>> interfaces.
>>
>> I also searched on the Internet & asked on the IRC channel about this
>> issue, with no success, so here I am. Has anyone already found a way
>> to do this?
>>
>> Regards,
>>
Hi Christina,
I just did the things listed in the documentation you gave me. The only
effect it had was that SSLv3-related ciphers were disabled. I still
have the TLSv1 ciphers using RC4 available, obviously.
--
Thibaut Pouzet
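
One way to check from the outside whether a listener such as the ones on ports 9444 and 9445 still negotiates RC4 over TLSv1, as an added example that is not part of the original thread: a minimal probe that sends a ClientHello offering only RC4 suites and reads the answer. The function names are illustrative, the suite IDs are the IANA-registered values, and the code assumes the ServerHello arrives in the first record.

```python
import os
import socket
import struct
import sys

# RC4 cipher suite IDs (IANA TLS registry).
RC4_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
}

def build_client_hello(suites=RC4_SUITES, version=(3, 1)):
    """Build a TLSv1.0 ClientHello record offering only the given suites."""
    ids = b"".join(struct.pack("!H", s) for s in suites)
    body = (bytes(version) + os.urandom(32)      # client_version, random
            + b"\x00"                            # empty session_id
            + struct.pack("!H", len(ids)) + ids  # cipher_suites
            + b"\x01\x00")                       # compression: null only
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake

def parse_reply(data):
    """Return the RC4 suite the server selected, or None if it refused."""
    if len(data) < 5 or data[0] != 0x16:  # 0x15 is an alert: no shared cipher
        return None
    hs = data[5:]
    if len(hs) < 39 or hs[0] != 0x02:     # handshake type 2 = ServerHello
        return None
    off = 39 + hs[38]                     # 4 header + 2 version + 32 random + sid
    if len(hs) < off + 2:
        return None
    return RC4_SUITES.get(struct.unpack("!H", hs[off:off + 2])[0])

def probe(host, port, timeout=5.0):
    """Connect, offer RC4 only, and report which suite (if any) was accepted."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        data = b""
        while len(data) < 80 and data[:1] in (b"", b"\x16"):
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_reply(data)

if __name__ == "__main__":  # usage: python probe.py <host> <port>
    print(probe(sys.argv[1], int(sys.argv[2])) or "no RC4 suite accepted")
```

Running it before and after a configuration change and restart shows whether the change actually reached the listener.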