[Pki-users] Disable the cipher RC4 for the web interface

Marc Sauton msauton at redhat.com
Thu Apr 3 20:12:04 UTC 2014


On 04/03/2014 09:09 AM, Thibaut Pouzet wrote:
> On 03/04/2014 17:14, Christina Fu wrote:
>> Did you try turning on the strictCiphers and FIPS mode?
>>
>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html-single/Deploy_and_Install_Guide/index.html 
>>
>>
>> Search for the word "strictCiphers" and follow the instructions there. 
>> For nss softtoken you just need to do steps 14, 15, and 16. Stop 
>> the server before you begin and start it after you are done.
>>
>> hope this helps,
>> Christina
>>
>> On 04/03/2014 08:02 AM, Thibaut Pouzet wrote:
>>> Hi,
>>>
>>> I am currently using pki-ca v9.0.3-32 with FreeIPA v3.0.0.-37 on a 
>>> CentOS 6.5 machine. I am scanning my internal networks in order to 
>>> find vulnerabilities, and trying to fix anything I find. I have 
>>> found that the HTTPS pki-ca administration interfaces listening on 
>>> ports 9444 and 9445 were accepting what might be considered as weak 
>>> ciphers (RC4) for data encryption.
>>>
>>> I removed those ciphers from /etc/pki-ca/server.xml, and then 
>>> restarted the daemon, but this had no effect whatsoever on the 
>>> ciphers available on these SSL ports. I searched a bit around 
>>> /etc/pki-ca/ and /var/lib/pki-ca/ but could not find where to make 
>>> my changes in order to disable RC4 ciphers for those administration 
>>> interfaces.
>>>
>>> I also searched on the Internet & asked on the IRC channel about 
>>> this issue, with no success, so here I am. Has anyone already found a 
>>> way to do this?
>>>
>>> Regards,
>>>
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>>
>
> Hi Christina,
>
> I just did the things listed in the documentation you gave me; the 
> only effect it had was that SSLv3 related ciphers were disabled. I 
> still have the TLSv1 ciphers using RC4 available, obviously.
>
Is it possible that in the file /etc/pki-ca/server.xml
there is still a trace of +SSL3_RSA_WITH_RC4_128_SHA for
ssl3Ciphers
tls3Ciphers
?
Thanks,
M.
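Marc's question above (is a `+SSL3_RSA_WITH_RC4_128_SHA` entry still present in the cipher attributes of /etc/pki-ca/server.xml?) can be answered mechanically instead of by eye. The audit script below is an added example, not code from this thread or from the Dogtag/pki-ca project. It assumes the tomcatjss-style convention that the cipher name in the thread shows: comma-separated cipher entries prefixed with `+` (enabled) or `-` (disabled), held in `ssl2Ciphers`, `ssl3Ciphers` and `tlsCiphers` attributes of the `<Connector>` elements. The attribute name `tlsCiphers`, the port numbers and the whole sample server.xml are constructed for the example, not copied from a real installation.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample resembling the SSL <Connector> elements of a pki-ca
# server.xml. Port 9444 still enables RC4 in both lists; 9445 does not.
SAMPLE_SERVER_XML = """<?xml version="1.0"?>
<Server>
  <Service name="Catalina">
    <Connector port="9444" protocol="HTTP/1.1" SSLEnabled="true"
        sslOptions="ssl2=false,ssl3=true,tls=true"
        ssl3Ciphers="-SSL3_RSA_WITH_RC4_128_MD5,+SSL3_RSA_WITH_RC4_128_SHA,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA"
        tlsCiphers="+TLS_RSA_WITH_AES_128_CBC_SHA,+SSL3_RSA_WITH_RC4_128_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA"/>
    <Connector port="9445" protocol="HTTP/1.1" SSLEnabled="true"
        sslOptions="ssl2=false,ssl3=false,tls=true"
        ssl3Ciphers="-SSL3_RSA_WITH_RC4_128_SHA"
        tlsCiphers="+TLS_RSA_WITH_AES_128_CBC_SHA,-SSL3_RSA_WITH_RC4_128_SHA"/>
  </Service>
</Server>
"""

# Assumed attribute names (tomcatjss convention); only ssl3Ciphers is
# named in the thread itself.
CIPHER_ATTRS = ("ssl2Ciphers", "ssl3Ciphers", "tlsCiphers")
ATTR_RE = re.compile(r'\b(ssl2Ciphers|ssl3Ciphers|tlsCiphers)="([^"]*)"')


def parse_cipher_list(value):
    """Parse '+NAME,-NAME,...' into an ordered {NAME: enabled} mapping.

    An entry with no sign is treated as enabled, which is the cautious
    reading for an audit (we would rather report a false positive).
    """
    result = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if item[0] in "+-":
            result[item[1:]] = item[0] == "+"
        else:
            result[item] = True
    return result


def find_enabled_rc4(xml_text):
    """Return (port, attribute, cipher) for every RC4 suite still enabled
    on an SSL-enabled Connector."""
    findings = []
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port")
        for attr in CIPHER_ATTRS:
            value = conn.get(attr)
            if value is None:
                continue
            for name, enabled in parse_cipher_list(value).items():
                if enabled and "RC4" in name:
                    findings.append((port, attr, name))
    return findings


def disable_rc4(cipher_list_value):
    """Return the cipher list with every RC4 entry forced to '-',
    keeping the original order and the sign of every other entry."""
    parsed = parse_cipher_list(cipher_list_value)
    parts = []
    for name, enabled in parsed.items():
        sign = "-" if "RC4" in name else ("+" if enabled else "-")
        parts.append(sign + name)
    return ",".join(parts)


def harden(xml_text):
    """Rewrite the cipher attributes in the raw file text so RC4 is
    disabled everywhere. A regex substitution is used rather than
    re-serialising the tree so that the file's comments and layout
    survive the edit."""
    return ATTR_RE.sub(
        lambda m: '%s="%s"' % (m.group(1), disable_rc4(m.group(2))),
        xml_text,
    )


if __name__ == "__main__":
    for port, attr, name in find_enabled_rc4(SAMPLE_SERVER_XML):
        print("port %s: %s still enables %s" % (port, attr, name))
    hardened = harden(SAMPLE_SERVER_XML)
    print("RC4 findings after hardening: %d" % len(find_enabled_rc4(hardened)))
```

Run against the real file with `find_enabled_rc4(open("/etc/pki-ca/server.xml").read())`; if anything is reported, write `harden(...)` back out (after taking a copy), restart the daemon, and re-check from the network, for example with `openssl s_client -connect host:9444 -cipher RC4`, which should now fail to complete the handshake. Note that a cipher prefixed with `-`, or absent from the list, is not the same as one that is still listed with `+` further along the same attribute; the parser keeps the last occurrence of a duplicated name, which is also the cautious choice for the audit.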