[Pki-users] Disable the cipher RC4 for the web interface

Christina Fu cfu at redhat.com
Thu Apr 3 22:26:58 UTC 2014


I just checked out the tomcatjss off IPA_v2_RHEL_6_ERRATA_BRANCH. It 
appears that it's missing the strictCiphers implementation.

I will file a RHEL 6.5 bug for it and hopefully get it fixed.

Christina


On 04/03/2014 02:03 PM, Christina Fu wrote:
>
> On 04/03/2014 01:12 PM, Marc Sauton wrote:
>> On 04/03/2014 09:09 AM, Thibaut Pouzet wrote:
>>> On 03/04/2014 17:14, Christina Fu wrote:
>>>> Did you try turning on the strictCiphers and FIPS mode?
>>>>
>>>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html-single/Deploy_and_Install_Guide/index.html 
>>>>
>>>>
>>>> Search for the word "strictCiphers" and follow the instruction 
>>>> there. For nss softtoken you just need to do steps 14, 15, and 16. 
>>>> Stop server before you begin and start after you are done.
>>>>
>>>> hope this helps,
>>>> Christina
>>>>
>>>> On 04/03/2014 08:02 AM, Thibaut Pouzet wrote:
>>>>> Hi,
>>>>>
>>>>> I am currently using pki-ca v9.0.3-32 with FreeIPA v3.0.0.-37 on a 
>>>>> CentOS 6.5 machine. I am scanning my internal networks in order to 
>>>>> find vulnerabilities, and trying to fix anything I find. I have 
>>>>> found that the HTTPS pki-ca administration interfaces listening on 
>>>>> ports 9444 and 9445 were accepting what might be considered as 
>>>>> weak ciphers (RC4) for data encryption.
>>>>>
>>>>> I removed those ciphers from /etc/pki-ca/server.xml, and then 
>>>>> restarted the daemon, but this had no effect whatsoever on the 
>>>>> ciphers available on these SSL ports. I searched a bit around 
>>>>> /etc/pki-ca/ and /var/lib/pki-ca/ but could not find where to make 
>>>>> my changes in order to disable RC4 ciphers for those 
>>>>> administration interfaces.
>>>>>
>>>>> I also searched on the Internet & asked on the IRC channel about 
>>>>> this issue, with no success, so here I am. Has anyone already found 
>>>>> a way to do this?
>>>>>
>>>>> Regards,
>>>>>
>>>>
>>>> _______________________________________________
>>>> Pki-users mailing list
>>>> Pki-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/pki-users
>>>>
>>>
>>> Hi Christina,
>>>
>>> I just did the things listed in the documentation you gave me, the 
>>> only effect it had was that SSLv3 related ciphers were disabled. I 
>>> still have the TLSv1 ciphers using RC4 available, obviously.
>>>
>> Is it possible that in the file /etc/pki-ca/server.xml
>> there is still a trace of +SSL3_RSA_WITH_RC4_128_SHA for
>> ssl3Ciphers
>> tls3Ciphers
>> ?
>> Thanks,
>> M.
>>
>
> Yes, that's exactly it. Just remove the ones from tls3Ciphers. What 
> the "strictCiphers" does is to turn off everything but the ones you 
> allow on.
>
> Christina
>
>
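As an added example (not from this thread, the pki-ca project or tomcatjss), a small Python audit of a tomcatjss-style server.xml: it lists the "+" RC4 entries in both ssl3Ciphers and tls3Ciphers (fixing only the SSL3 list is the trap described above), reports Connectors without strictCiphers="true", and flips the RC4 entries to "-". The Connector XML is a constructed sample; the attribute names and the "+NAME,-NAME" list syntax are the tomcatjss ones referred to in the thread.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed tomcatjss <Connector> in the style of
# /etc/pki-ca/server.xml, not copied from any real installation.
# tomcatjss cipher lists are comma separated; "+NAME" enables, "-NAME" disables.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="9444" strictCiphers="true"
      ssl3Ciphers="-SSL3_RSA_WITH_NULL_MD5,+SSL3_RSA_WITH_RC4_128_SHA,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA"
      tls3Ciphers="+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_RC4_128_SHA,-TLS_RSA_WITH_DES_CBC_SHA"/>
    <Connector port="9445" strictCiphers="false"
      tls3Ciphers="+TLS_RSA_WITH_AES_256_CBC_SHA"/>
  </Service>
</Server>"""

CIPHER_ATTRS = ("ssl3Ciphers", "tls3Ciphers")

def enabled_matching(cipher_list, pattern):
    """Names of the '+' entries in a tomcatjss cipher list matching pattern."""
    return [c.strip()[1:] for c in cipher_list.split(",")
            if c.strip().startswith("+") and re.search(pattern, c)]

def disable_matching(cipher_list, pattern):
    """Flip matching '+' entries to '-' so the suite stays off under strictCiphers."""
    out = []
    for c in (x.strip() for x in cipher_list.split(",")):
        if c.startswith("+") and re.search(pattern, c):
            c = "-" + c[1:]
        out.append(c)
    return ",".join(out)

def audit_server_xml(xml_text, pattern=r"RC4"):
    """Return ({port: [enabled suites matching pattern]},
    [ports whose Connector lacks strictCiphers="true"], rewritten XML).
    Both ssl3Ciphers and tls3Ciphers are checked: clearing only the SSL3
    list leaves the TLS RC4 suites enabled."""
    root = ET.fromstring(xml_text)
    findings, lax = {}, []
    for conn in root.iter("Connector"):
        port = conn.get("port")
        if conn.get("strictCiphers", "false").lower() != "true":
            lax.append(port)
        for attr in CIPHER_ATTRS:
            value = conn.get(attr)
            if value:
                findings.setdefault(port, []).extend(enabled_matching(value, pattern))
                conn.set(attr, disable_matching(value, pattern))
    return findings, lax, ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    found, lax, fixed = audit_server_xml(SAMPLE_SERVER_XML)
    print("enabled RC4 suites per port:", found)
    print("connectors without strictCiphers:", lax)
```

As the top of this thread notes, a tomcatjss build that lacks the strictCiphers implementation ignores the setting entirely, so a clean file does not replace checking what the port actually negotiates after the restart.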