[Pki-users] Disable the cipher RC4 for the web interface

Christina Fu cfu at redhat.com
Fri Apr 4 15:14:29 UTC 2014


https://fedorahosted.org/pki/ticket/943
  - tomcatjss missing strictCiphers implementation

Christina

On 04/04/2014 12:53 AM, Thibaut Pouzet wrote:
> On 04/04/2014 00:26, Christina Fu wrote:
>> I just checked out the tomcatjss off IPA_v2_RHEL_6_ERRATA_BRANCH. It 
>> appears that it's missing the strictCiphers implementation.
>>
>> I will file a RHEL 6.5 bug for it and hopefully get it fixed.
>>
>> Christina
>>
>>
>> On 04/03/2014 02:03 PM, Christina Fu wrote:
>>>
>>> On 04/03/2014 01:12 PM, Marc Sauton wrote:
>>>> On 04/03/2014 09:09 AM, Thibaut Pouzet wrote:
>>>>>> On 03/04/2014 17:14, Christina Fu wrote:
>>>>>> Did you try turning on the strictCiphers and FIPS mode?
>>>>>>
>>>>>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html-single/Deploy_and_Install_Guide/index.html 
>>>>>>
>>>>>>
>>>>>> Search for the word "strictCiphers" and follow the instruction 
>>>>>> there. For nss softtoken you just need to do steps 14, 15, and 
>>>>>> 16. Stop server before you begin and start after you are done.
>>>>>>
>>>>>> hope this helps,
>>>>>> Christina
>>>>>>
>>>>>> On 04/03/2014 08:02 AM, Thibaut Pouzet wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I am currently using pki-ca v9.0.3-32 with FreeIPA v3.0.0.-37 on 
>>>>>>> a CentOS 6.5 machine. I am scanning my internal networks in 
>>>>>>> order to find vulnerabilities, and trying to fix anything I 
>>>>>>> find. I have found that the HTTPS pki-ca administration 
>>>>>>> interfaces listening on ports 9444 and 9445 were accepting what 
>>>>>>> might be considered as weak ciphers (RC4) for data encryption.
>>>>>>>
>>>>>>> I removed those ciphers from /etc/pki-ca/server.xml, and then 
>>>>>>> restarted the daemon, but this had no effect whatsoever on the 
>>>>>>> ciphers available on these SSL ports. I searched a bit around 
>>>>>>> /etc/pki-ca/ and /var/lib/pki-ca/ but could not find where to 
>>>>>>> make my changes in order to disable RC4 ciphers for those 
>>>>>>> administration interfaces.
>>>>>>>
>>>>>>> I also searched on the Internet & asked on the IRC channel about 
>>>>>>> this issue, with no success, so here I am. Has anyone already 
>>>>>>> found a way to do this?
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Pki-users mailing list
>>>>>> Pki-users at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/pki-users
>>>>>>
>>>>>
>>>>> Hi Christina,
>>>>>
>>>>> I just did the things listed in the documentation you gave me; 
>>>>> the only effect it had was that SSLv3 related ciphers were 
>>>>> disabled. I still have the TLSv1 ciphers using RC4 available, 
>>>>> obviously.
>>>>>
>>>> Is it possible in the file /etc/pki-ca/server.xml
>>>> there is still a trace of +SSL3_RSA_WITH_RC4_128_SHA for
>>>> ssl3Ciphers
>>>> tls3Ciphers
>>>> ?
>>>> Thanks,
>>>> M.
>>>>
>>>
>>> yes, that's exactly that.  Just remove the ones from tls3Ciphers. 
>>> What the "strictCiphers" does is to turn off everything but the ones 
>>> you allow on.
>>>
>>> Christina
>
> Hi,
>
> Marc :
> I removed all RC4 ciphers from the file with the vim command 
> %s/+[A-Z_312568]*RC4[A-Z_123568]*,//g  and double-checked a couple of 
> times; there is no way I missed this and that there are still RC4 
> ciphers manually enabled inside this file.
>
> Christina :
> All right, let us know when you have filed the bug with the technical 
> elements you found! I'll be glad to follow this, thank you for your 
> time searching for this!
>
> Cheers,
>
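Marc's question above (is there still a `+SSL3_RSA_WITH_RC4_128_SHA` trace in `ssl3Ciphers` or `tls3Ciphers`?) and Christina's explanation of `strictCiphers` (everything is turned off except the ciphers you explicitly allow) can be turned into a repeatable check on `server.xml`. The script below is an added example, not code from this thread, Dogtag or tomcatjss. It assumes the tomcatjss convention that the two attributes hold comma-separated cipher names prefixed with `+` (enabled) or `-` (disabled), that `strictCiphers` defaults to false when absent, and it embeds a constructed sample `server.xml` using the thread's port numbers 9444 and 9445.

```python
"""Audit a tomcatjss-style server.xml for RC4 ciphers that are still enabled.

Added example; not code from the pki-users thread, Dogtag or tomcatjss.
Assumptions: ssl3Ciphers/tls3Ciphers are comma-separated cipher names
prefixed with '+' (enabled) or '-' (disabled); strictCiphers="true" limits
the server to the '+' entries, as described in the thread; absent means false.
"""
import xml.etree.ElementTree as ET

CIPHER_ATTRS = ("ssl3Ciphers", "tls3Ciphers")

# Constructed sample (not a real pki-ca file): port 9444 still lists RC4 as the
# last token (no trailing comma) and has strictCiphers off; port 9445 is the
# cleaned-up state; port 9180 has no cipher lists at all.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="9444" strictCiphers="false"
        ssl3Ciphers="-SSL3_RSA_WITH_RC4_128_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA"
        tls3Ciphers="+TLS_RSA_WITH_AES_128_CBC_SHA,+SSL3_RSA_WITH_RC4_128_SHA"/>
    <Connector port="9445" strictCiphers="true"
        ssl3Ciphers="-SSL3_RSA_WITH_RC4_128_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA"
        tls3Ciphers="+TLS_RSA_WITH_AES_128_CBC_SHA,-SSL3_RSA_WITH_RC4_128_SHA"/>
    <Connector port="9180"/>
  </Service>
</Server>
"""


def parse_cipher_list(raw):
    """Split '+NAME,-NAME,...' into (enabled, name) pairs.

    Every token is examined wherever it sits in the list, so a trailing entry
    with no comma after it is not missed.
    """
    pairs = []
    for token in raw.split(","):
        token = token.strip()
        if not token:
            continue
        if token[0] in "+-":
            pairs.append((token[0] == "+", token[1:]))
        else:
            # Unprefixed entry: treated as enabled (assumption) so it is not overlooked.
            pairs.append((True, token))
    return pairs


def audit_connector(conn):
    """Return findings for one <Connector>, or None if it has no cipher lists."""
    if not any(conn.get(a) for a in CIPHER_ATTRS):
        return None
    strict = conn.get("strictCiphers", "false").strip().lower() == "true"
    rc4_enabled = []
    for attr in CIPHER_ATTRS:
        for enabled, name in parse_cipher_list(conn.get(attr, "")):
            if enabled and "RC4" in name.upper():
                rc4_enabled.append((attr, name))
    return {"port": conn.get("port"), "strict": strict, "rc4_enabled": rc4_enabled}


def audit_server_xml(xml_text):
    """Audit every connector carrying cipher lists; returns a list of findings."""
    root = ET.fromstring(xml_text)
    return [f for f in (audit_connector(c) for c in root.iter("Connector")) if f]


def summarize(findings):
    """One human-readable line per audited connector."""
    lines = []
    for f in findings:
        if f["rc4_enabled"]:
            names = ", ".join(f"{a}={n}" for a, n in f["rc4_enabled"])
            lines.append(f"port {f['port']}: RC4 still enabled ({names})")
        elif not f["strict"]:
            lines.append(f"port {f['port']}: no '+RC4' entries, but strictCiphers is not "
                         "true, so ciphers absent from the list may still be offered")
        else:
            lines.append(f"port {f['port']}: OK (no RC4 enabled, strictCiphers=true)")
    return lines


if __name__ == "__main__":
    import sys
    # Usage: python audit_ciphers.py /etc/pki-ca/server.xml  (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    for line in summarize(audit_server_xml(text)):
        print(line)
```

Run it against the real file after each edit and restart; a connector that reports "OK" but still negotiates RC4 in a network scan points at the tomcatjss `strictCiphers` gap tracked in the ticket above rather than at the configuration.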