[Freeipa-users] TLS 1.2 for PKI+SLAPD
Callum Guy
2017-04-27 18:55:39 UTC
Hi All,

I'm currently looking at hardening my FreeIPA server as part of a PCI
assessment.

I am hoping to be able to fix PKI (port 8443) and SLAPD (LDAPS) to use
only TLS1.2 - both currently support TLS1.0 and unfortunately that is
non-compliant for my environment.

Also I'm very much hoping not to break my installation!

Does anyone have experience in this area?

Best Regards,

Callum
--
0333 332 0000 | www.x-on.co.uk | https://www.linkedin.com/company/x-on |
https://www.facebook.com/XonTel | https://twitter.com/xonuk
X-on is a trading name of Storacall Technology Ltd a limited company
registered in England and Wales.
Registered Office : Avaland House, 110 London Road, Apsley, Hemel
Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
The information in this e-mail is confidential and for use by the
addressee(s) only. If you are not the intended recipient, please notify
X-on immediately on +44(0)333 332 0000 and delete the
message from your computer. If you are not a named addressee you must not
use, disclose, disseminate, distribute, copy, print or reply to this email. Views
or opinions expressed by an individual
within this email may not necessarily reflect the views of X-on or its
associated companies. Although X-on routinely screens for viruses,
addressees should scan this email and any attachments
for viruses. X-on makes no representation or warranty as to the absence of
viruses in this email or any attachments.
Rob Crittenden
2017-04-27 19:16:07 UTC
It depends very much on what version you are running but see
https://access.redhat.com/articles/2801181 for inspiration.

rob
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Callum Guy
2017-04-27 19:23:00 UTC
Thanks so much for the link Rob - I'm on 4.4.0. I'll get back in touch if I
run into any issues - I find it difficult to locate these help pages so
really do appreciate the advice.
Callum Guy
2017-04-27 21:01:51 UTC
For others' reference, this is regarding CentOS 7.2 with FreeIPA 4.4.0.

The directory server changes suggested in the link are for an older version.
Minimum TLS support can be altered as follows:

/etc/dirsrv/slapd-DOMAIN.COM/dse.ldif

dn: cn=encryption,cn=config
allowWeakCipher: off
cn: encryption
createTimestamp: 20161130110528Z
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=Directory Manager
modifyTimestamp: 20161213085006Z
nsSSLClientAuth: allowed
nsSSLSessionTimeout: 0
nsSSL3Ciphers: default
objectClass: top
objectClass: nsEncryptionConfig
sslVersionMin: TLS1.2

I'm still working on port 8443 (DogTag/PKI/Tomcat) - the configuration in
/usr/share/pki/server/conf/server.xml seems to roughly match the linked
article, however it's all tokenized as shown below:

sslOptions="[TOMCAT_SSL_OPTIONS]"
ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]"
ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]"
tlsCiphers="[TOMCAT_TLS_CIPHERS]"
sslVersionRangeStream="[TOMCAT_SSL_VERSION_RANGE_STREAM]"
sslVersionRangeDatagram="[TOMCAT_SSL_VERSION_RANGE_DATAGRAM]"
sslRangeCiphers="[TOMCAT_SSL_RANGE_CIPHERS]"

I'll feed back if I work it out.

Thanks,
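The dse.ldif edit above is the kind of change an assessor will ask you to prove on every replica. The script below is an added example, not code from the thread or from FreeIPA/389-ds: it parses a dse.ldif, reads the cn=encryption,cn=config entry the post shows, reports whether sslVersionMin and allowWeakCipher meet a TLS 1.2 floor, and emits an LDIF change record for ldapmodify. The attribute names come from the post; the sample dse.ldif content and the audit/reporting functions are constructed here. The point of the ldapmodify record is that 389-ds rewrites dse.ldif itself, so a hand edit is safe only with the instance stopped, while ldapmodify against cn=config applies the same setting to a running server.

```python
"""Audit a 389-ds dse.ldif for the TLS version floor and emit the ldapmodify fix.

Added example (not from the mailing-list thread). Assumes the entry layout shown
in the thread: cn=encryption,cn=config carrying sslVersionMin and allowWeakCipher.
"""
import sys
from typing import Dict, List

# Constructed sample: the encryption entry as posted, but still at the TLS1.0 floor,
# plus a neighbouring entry so the parser has more than one record to separate.
SAMPLE_DSE_LDIF = """\
dn: cn=config
cn: config
objectClass: top

dn: cn=encryption,cn=config
allowWeakCipher: off
cn: encryption
nsSSLClientAuth: allowed
nsSSLSessionTimeout: 0
nsSSL3Ciphers: default
objectClass: top
objectClass: nsEncryptionConfig
sslVersionMin: TLS1.0
"""

ENCRYPTION_DN = "cn=encryption,cn=config"
TLS_ORDER = {"TLS1.0": 10, "TLS1.1": 11, "TLS1.2": 12, "TLS1.3": 13}


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse LDIF into {dn: {attribute: [values]}}; unfolds continuation lines."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: Dict[str, Dict[str, List[str]]] = {}
    current: Dict[str, List[str]] = {}
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in current:
                entries[current["dn"][0]] = current
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def audit_encryption(text: str, required_min: str = "TLS1.2") -> List[str]:
    """Return policy findings for the encryption entry; an empty list means compliant."""
    enc = parse_ldif(text).get(ENCRYPTION_DN)
    if enc is None:
        return [f"{ENCRYPTION_DN} entry not found"]
    findings: List[str] = []
    vmin = enc.get("sslVersionMin", ["(unset)"])[0]
    if TLS_ORDER.get(vmin, 0) < TLS_ORDER[required_min]:
        findings.append(f"sslVersionMin is {vmin}, policy requires {required_min}")
    weak = enc.get("allowWeakCipher", ["(unset)"])[0]
    if weak.lower() != "off":
        findings.append(f"allowWeakCipher is {weak}, expected off")
    return findings


def ldif_modify_min_version(version: str = "TLS1.2") -> str:
    """LDIF change record that applies the floor to a running server via ldapmodify."""
    return (
        f"dn: {ENCRYPTION_DN}\n"
        "changetype: modify\n"
        "replace: sslVersionMin\n"
        f"sslVersionMin: {version}\n"
        "-\n"
        "replace: allowWeakCipher\n"
        "allowWeakCipher: off\n"
    )


if __name__ == "__main__":
    # usage: python3 audit_dse.py /etc/dirsrv/slapd-DOMAIN.COM/dse.ldif
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DSE_LDIF
    findings = audit_encryption(text)
    print("OK: TLS floor meets policy" if not findings else "\n".join(findings))
    if findings:
        print("\nApply with: ldapmodify -x -D 'cn=Directory Manager' -W -f fix.ldif\n")
        print(ldif_modify_min_version())
```

Run it against each replica's dse.ldif, or pipe the emitted record into ldapmodify and re-run the audit after a restart; the parser keys attributes by their exact spelling as written in the file.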
Callum Guy
2017-04-27 21:50:45 UTC
Managed to get PKI/Tomcat patched for TLS 1.2.

/etc/pki/pki-tomcat/server.xml
...
    sslVersionRangeStream="tls1_2:tls1_2"
    sslVersionRangeDatagram="tls1_2:tls1_2"
...
Thanks, resolved.
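Two things are worth scripting around the server.xml change above: applying it without disturbing the rest of the file, and proving afterwards that 8443 (and 636 for LDAPS) really refuse TLS 1.0 and 1.1. The block below is an added example, not code from the thread or from Dogtag/FreeIPA. It rewrites the sslVersionRangeStream and sslVersionRangeDatagram attributes textually (so comments and layout in the real file survive), reads the result back through an XML parser, and probes a listener with one handshake per TLS version using only the Python standard library. The attribute names and values are the ones the post shows; the server.xml fragment is constructed, and the probe assumes the script runs on a host that can reach the service.

```python
"""Pin the TLS range on the pki-tomcat 8443 Connector and probe what a listener accepts.

Added example (not from the mailing-list thread). Assumes the attribute names posted
in the thread and the path /etc/pki/pki-tomcat/server.xml.
"""
import re
import socket
import ssl
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Constructed fragment shaped like the Connector in the thread, before the change.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <!-- PKI HTTPS connector -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
      sslVersionRangeStream="tls1_0:tls1_2"
      sslVersionRangeDatagram="tls1_1:tls1_2" />
  </Service>
</Server>
"""

RANGE_ATTRS = ("sslVersionRangeStream", "sslVersionRangeDatagram")


def set_tls_range(xml_text: str, rng: str = "tls1_2:tls1_2") -> str:
    """Rewrite both range attributes in place; raises if one is absent from the file."""
    out = xml_text
    for attr in RANGE_ATTRS:
        out, n = re.subn(rf'{attr}="[^"]*"', f'{attr}="{rng}"', out)
        if n == 0:
            raise ValueError(f"{attr} not present; add it to the 8443 Connector by hand")
    return out


def tls_range_of(xml_text: str, port: str = "8443") -> Optional[Tuple[str, str]]:
    """Parse the file and read the range attributes back from the given Connector."""
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("port") == port:
            return conn.get(RANGE_ATTRS[0]), conn.get(RANGE_ATTRS[1])
    return None


CLIENT_VERSIONS = (("TLSv1", ssl.TLSVersion.TLSv1),
                   ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
                   ("TLSv1.2", ssl.TLSVersion.TLSv1_2))


def probe_versions(host: str, port: int, timeout: float = 5.0) -> Dict[str, Optional[bool]]:
    """One handshake per version: True accepted, False refused, None unreachable."""
    results: Dict[str, Optional[bool]] = {}
    for name, ver in CLIENT_VERSIONS:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE          # testing the version floor, not the cert
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let this client still offer old versions
        except ssl.SSLError:
            pass
        ctx.minimum_version = ver
        ctx.maximum_version = ver
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = tls.version() == name
        except (ssl.SSLError, ConnectionError):
            results[name] = False                # server refused this version
        except OSError:
            results[name] = None                 # timeout, refused connection, no route
    return results


def policy_violations(results: Dict[str, Optional[bool]],
                      allowed: Tuple[str, ...] = ("TLSv1.2",)) -> List[str]:
    """Versions the server accepted that the policy does not allow."""
    return [v for v, ok in results.items() if ok and v not in allowed]


if __name__ == "__main__":
    # usage: python3 tls_floor.py HOST [PORT]   (default port 8443)
    host = sys.argv[1] if len(sys.argv) > 1 else "ipa.example.test"  # placeholder host
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8443
    res = probe_versions(host, port)
    for name, ok in res.items():
        print(f"{name:8} {'accepted' if ok else 'unreachable' if ok is None else 'refused'}")
    bad = policy_violations(res)
    print("FAIL: " + ", ".join(bad) if bad else "OK: only TLS 1.2 accepted")
```

A version that shows as refused can also mean the local OpenSSL build no longer offers it at all; if that is in doubt, confirm from a host whose openssl s_client still accepts -tls1 before signing off the finding. The same probe works for port 636 once the dirsrv change is in.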