[Pki-users] Disable the cipher RC4 for the web interface

Fri Apr 4 07:53:26 UTC 2014

Le 04/04/2014 00:26, Christina Fu a écrit :
> I just checked out the tomcatjss off IPA_v2_RHEL_6_ERRATA_BRANCH. It 
> appears that it's missing the strictCiphers implementation.
>
> I will file a RHEL 6.5 bug for it and hopefully get it fixed.
>
> Christina
>
>
> On 04/03/2014 02:03 PM, Christina Fu wrote:
>>
>> On 04/03/2014 01:12 PM, Marc Sauton wrote:
>>> On 04/03/2014 09:09 AM, Thibaut Pouzet wrote:
>>>> Le 03/04/2014 17:14, Christina Fu a écrit :
>>>>> Did you try turning on the strictCiphers and FIPS mode?
>>>>>
>>>>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html-single/Deploy_and_Install_Guide/index.html 
>>>>>
>>>>>
>>>>> Search for the word "strictCiphers" and follow the instruction 
>>>>> there. For nss softtoken you just need to do steps 14, 15, and 16. 
>>>>> Stop server before you begin and start after you are done.
>>>>>
>>>>> hope this helps,
>>>>> Christina
>>>>>
>>>>> On 04/03/2014 08:02 AM, Thibaut Pouzet wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I am currently using pki-ca v9.0.3-32 with FreeIPA v3.0.0.-37 on 
>>>>>> a CentOS 6.5 machine. I am scanning my internal networks in order 
>>>>>> to find vulnerabilities, and trying to fix anything I find. I 
>>>>>> have found that the HTTPS pki-ca administration interfaces 
>>>>>> listening on ports 9444 and 9445 were accepting what might be 
>>>>>> considered as weak ciphers (RC4) for data encryption.
>>>>>>
>>>>>> I removed those ciphers from /etc/pki-ca/server.xml, and then 
>>>>>> restarded the daemon, but this had no effects whatsoever on the 
>>>>>> ciphers availables on these SSL ports. I searched a bit around 
>>>>>> /etc/pki-ca/ and /var/lib/pki-ca/ but could not find where to 
>>>>>> make my changes in order to disable RC4 ciphers for those 
>>>>>> administration interfaces.
>>>>>>
>>>>>> I also searched on the Internet & asked on the IRC channel about 
>>>>>> this issue, with no succes, so here I am. Has anyone already 
>>>>>> found a way to do this ?
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Pki-users mailing list
>>>>> Pki-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/pki-users
>>>>>
>>>>
>>>> Hi Christina,
>>>>
>>>> I just did the things listed in the documentation you gave me0, the 
>>>> only effect it had were that SSLv3 related ciphers were disabled. I 
>>>> still have the TLSv1 ciphers using RC4 available obviously
>>>>
>>> Is it possible in the file /etc/pki-ca/server.xml
>>> there is till a trace of +SSL3_RSA_WITH_RC4_128_SHA for
>>> ssl3Ciphers
>>> tls3Ciphers
>>> ?
>>> Thanks,
>>> M.
>>>
>>
>> yes, that's exactly that.  Just remove the ones from tls3Ciphers. 
>> What the "strictCiphers" does is to turn off everything but the ones 
>> you allow on.
>>
>> Christina

Hi,

Marc :
I removed all RC4 ciphers from the file with the vim command 
%s/+[A-Z_312568]*RC4[A-Z_123568]*,//g  and double-checked a couple of 
time, there is no way I missed this and that there are still RC4 ciphers 
manually enabled inside this file.

Christina :
Allright, let us know when you filled the bug with the technical 
elements you found ! I'll be glad to follow this, thank you for your 
time searching for this !

Cheers,

-- 
Thibaut Pouzet
Lyra Network
Ingénieur Systèmes et Réseaux
(+33) 5 31 22 40 08
www.lyra-network.com