[Freeipa-users] IPA vulnerability management SSL

Post by Sean Hogan
Hello,
ipa-server-3.0.0-47.el6_7.1.x86_64
389-ds-base-1.2.11.15-68.el6_7.x86_64
Tenable is showing the use of weak ciphers along with freak
vulnerabilities. I have followed
https://access.redhat.com/solutions/675183 however issues remain in the
ciphers being used.

$ git log --oneline 5f3c87e1380e56d76d4a4bef3af07633a8589891|head -1
5f3c87e Ticket #47838 - harden the list of ciphers available by default
$ git tag --contains 5f3c87e1380e56d76d4a4bef3af07633a8589891|head -1
389-ds-base-1.3.4.0

This means allowweakcipher feature is only in 389-ds-base >= 1.3.4.0.
This should explain your failures below.

Post by Sean Hogan
I have also modified dse.ldif with the following from
http://freeipa-users.redhat.narkive.com/XGR9YzyN/weak-and-null-ciphers-detected-on-ldap-ports
With ipa stopped I modified dse with below
odifyTimestamp: 20150420131906Z
nsSSL3Ciphers: +all,-rsa_null_sha
allowWeakCipher: off
numSubordinates: 1
I turn on ipa and get
Starting Directory Service
PKI-IPA...[27/Apr/2016:01:23:21 -0400] - Entry
"cn=encryption,cn=config" -- attribute "allowweakcipher" not allowed
So I go back into the file and allowWeakCipher now shows allowweakcipher
(caps for W and C are now lower case)

attribute names are case-insensitive and normalized to a lower case.
Anyway, just don't use allowweakcipher in older 389-ds-base version.

Post by Sean Hogan
nss.conf
# new config to stop using weak ciphers.
NSSCipherSuite
-rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,-fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_256_sha
# Cryptographic protocols that provide communication security.
# NSS handles the specified protocols as "ranges", and automatically
# negotiates the use of the strongest protocol for a connection starting
# with the maximum specified protocol and downgrading as necessary to the
# minimum specified protocol that can be used between two processes.
# Since all protocol ranges are completely inclusive, and no protocol in
the
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
server.xml
clientAuth="true"
sslOptions="ssl2=off,ssl3=off,tls=true"
ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"
ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,-SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,-SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,-SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,-SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
Is there a config for this version of IPA/DS somewhere that will pass
poodle, freak, null ciphers scanning or only allow strong ciphers?

FreeIPA 4.3.1 has default setup that gives A on these tests with SSL Labs.
https://www.ssllabs.com/ssltest/analyze.html?d=ipa.demo1.freeipa.org&hideResults=on

Follow https://fedorahosted.org/freeipa/ticket/5589 for Apache changes
and for the script to generate proper lists.

--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Sean Hogan

2016-04-27 17:22:32 UTC

Hello Alexander

I knew the below which is why I added my DS rpm version in the orig email
which made sense to me but per 389 DS docs alloowweakcipher starts in
1.3.3.2 in case anyone else reads this. At least thats what the docs say
but you may know something where it actually does not work til 1.3.4.0. I
dunno
http://directory.fedoraproject.org/docs/389ds/design/nss-cipher-design.html

Additionally I want to clarify the comment 4.3.1 has this as default setup.
Are you suggesting that IPA 3.0.47 for rhel6 is incapable of getting a
stronger ssl config and that anyone who needs tighter cipher control needs
to upgrade to IPA 4.3.1 and there OS to RHEL(centos, scientific) 7

Sean Hogan

From: Alexander Bokovoy <***@redhat.com>
To: Sean Hogan/Durham/***@IBMUS
Cc: freeipa-users <freeipa-***@redhat.com>
Date: 04/26/2016 11:52 PM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL

Post by Sean Hogan
I have also modified dse.ldif with the following from

http://freeipa-users.redhat.narkive.com/XGR9YzyN/weak-and-null-ciphers-detected-on-ldap-ports

Post by Sean Hogan
With ipa stopped I modified dse with below
odifyTimestamp: 20150420131906Z
nsSSL3Ciphers: +all,-rsa_null_sha
allowWeakCipher: off
numSubordinates: 1
I turn on ipa and get
Starting Directory Service
PKI-IPA...[27/Apr/2016:01:23:21 -0400] - Entry
"cn=encryption,cn=config" -- attribute "allowweakcipher" not allowed
So I go back into the file and allowWeakCipher now shows allowweakcipher
(caps for W and C are now lower case)

attribute names are case-insensitive and normalized to a lower case.
Anyway, just don't use allowweakcipher in older 389-ds-base version.

Alexander Bokovoy

2016-04-27 17:35:02 UTC

Post by Sean Hogan
Hello Alexander
I knew the below which is why I added my DS rpm version in the orig email
which made sense to me but per 389 DS docs alloowweakcipher starts in
1.3.3.2 in case anyone else reads this. At least thats what the docs say
but you may know something where it actually does not work til 1.3.4.0. I
dunno
http://directory.fedoraproject.org/docs/389ds/design/nss-cipher-design.html
Additionally I want to clarify the comment 4.3.1 has this as default setup.
Are you suggesting that IPA 3.0.47 for rhel6 is incapable of getting a
stronger ssl config and that anyone who needs tighter cipher control needs
to upgrade to IPA 4.3.1 and there OS to RHEL(centos, scientific) 7

All I said is that we fixed this particular issue to make sure defaults
in 4.3.1 reflect current status quo on SSL ciphers.

If you want to have a similar setup with 3.0.47, you are welcome to
improve the configuration based on the effort we did for 4.3.1.

Notice that I said nothing about incapability of either deployment to
handle this, not sure where you were able to read that from.

--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Sean Hogan

2016-04-27 17:53:22 UTC

Hi Alex,

Just wanted to make sure.. needed to know if I had to upgrade or spend
more time trial and erroring this out.

So since my nmap is showing this
[***@server slapd-PKI-IPA]# nmap --script ssl-enum-ciphers -p 636
`hostname`

Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 13:42 EDT
Nmap scan report for
Host is up (0.000090s latency).
PORT STATE SERVICE
636/tcp open ldapssl
| ssl-enum-ciphers:
| TLSv1.2
| Ciphers (13)
| SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
| SSL_RSA_FIPS_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA256
| TLS_RSA_WITH_AES_128_GCM_SHA256
| TLS_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_AES_256_CBC_SHA256
| TLS_RSA_WITH_DES_CBC_SHA
| TLS_RSA_WITH_RC4_128_MD5
| TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)
|_ uncompressed

Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds

I decided to remove TLS_RSA_EXPORT1024_WITH_RC4_56_SHA so looked up what DS
actually names this to be and it looks like these have to be removed

TLS_RSA_EXPORT1024_WITH_RC4_56_SHA rsa_rc4_56_sha

tls_dhe_dss_1024_rc4_sha

tls_rsa_export1024_with_rc4_56_sh

I stopped IPA with ipactl stop
modified dse.ldif with this

nsSSL3Ciphers:
+all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4
_56_sha,-tls_dhe_dss_1024_rc4_sha
allowweakcipher: off
numSubordinates: 1

Reran nmap and it still shows TLS_RSA_EXPORT1024_WITH_RC4_56_SHA

***@server slapd-PKI-IPA]# nmap --script ssl-enum-ciphers -p 636 `hostname`

Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 13:48 EDT
Nmap scan report for
Host is up (0.000078s latency).
PORT STATE SERVICE
636/tcp open ldapssl
| ssl-enum-ciphers:
| TLSv1.2
| Ciphers (13)
| SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
| SSL_RSA_FIPS_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA256
| TLS_RSA_WITH_AES_128_GCM_SHA256
| TLS_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_AES_256_CBC_SHA256
| TLS_RSA_WITH_DES_CBC_SHA
| TLS_RSA_WITH_RC4_128_MD5
| TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)
|_ uncompressed

Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

Am I doing something wrong here?

Sean Hogan

From: Alexander Bokovoy <***@redhat.com>
To: Sean Hogan/Durham/***@IBMUS
Cc: freeipa-users <freeipa-***@redhat.com>
Date: 04/27/2016 10:35 AM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL

http://directory.fedoraproject.org/docs/389ds/design/nss-cipher-design.html

Post by Sean Hogan
Additionally I want to clarify the comment 4.3.1 has this as default setup.
Are you suggesting that IPA 3.0.47 for rhel6 is incapable of getting a
stronger ssl config and that anyone who needs tighter cipher control needs
to upgrade to IPA 4.3.1 and there OS to RHEL(centos, scientific) 7

Martin Kosek

2016-04-27 08:43:22 UTC

Post by Sean Hogan
Hello,
ipa-server-3.0.0-47.el6_7.1.x86_64
389-ds-base-1.2.11.15-68.el6_7.x86_64
Tenable is showing the use of weak ciphers along with freak vulnerabilities. I
have followed
https://access.redhat.com/solutions/675183 however issues remain in the ciphers
being used.

Can you show the full report, so that we can see what's wrong? What I am
looking for also is if the problem is LDAPS port or HTTPS port, so that we are
not fixing wrong service.

DS ciphers were hardened in RHEL-6.x and RHEL-7.x already as part of this bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1154687

Further hardening comes with FreeIPA 4.3.1+:
https://fedorahosted.org/freeipa/ticket/5684
https://fedorahosted.org/freeipa/ticket/5589

(it should appear in RHEL-7.3+)

Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Sean Hogan

2016-04-27 16:33:26 UTC

Hi Martin,

Thanks for the response. We are at RHEL 6.7... getting the hits on 389
and 636 so its the Directory server ports which I assume is dse.ldif.

Sean Hogan

From: Martin Kosek <***@redhat.com>
To: Sean Hogan/Durham/***@IBMUS, freeipa-users
<freeipa-***@redhat.com>
Date: 04/27/2016 01:43 AM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL

Post by Sean Hogan
Hello,
ipa-server-3.0.0-47.el6_7.1.x86_64
389-ds-base-1.2.11.15-68.el6_7.x86_64
Tenable is showing the use of weak ciphers along with freak

vulnerabilities. I

Post by Sean Hogan
have followed
https://access.redhat.com/solutions/675183 however issues remain in the ciphers
being used.

Can you show the full report, so that we can see what's wrong? What I am
looking for also is if the problem is LDAPS port or HTTPS port, so that we
are
not fixing wrong service.

DS ciphers were hardened in RHEL-6.x and RHEL-7.x already as part of this
bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1154687

Further hardening comes with FreeIPA 4.3.1+:
https://fedorahosted.org/freeipa/ticket/5684
https://fedorahosted.org/freeipa/ticket/5589

(it should appear in RHEL-7.3+)

Martin

Sean Hogan

2016-04-27 16:59:59 UTC

I ran the following:
nmap --script ssl-enum-ciphers -p 636 `hostname`

Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 12:48 EDT
Nmap scan report for bob
Host is up (0.000078s latency).
PORT STATE SERVICE
636/tcp open ldapssl
| ssl-enum-ciphers:
| TLSv1.2
| Ciphers (13)
| SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
| SSL_RSA_FIPS_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA256
| TLS_RSA_WITH_AES_128_GCM_SHA256
| TLS_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_AES_256_CBC_SHA256
| TLS_RSA_WITH_DES_CBC_SHA
| TLS_RSA_WITH_RC4_128_MD5
| TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)
|_ uncompressed

Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds

Tenable is barking about the following.. only listing 636 but the same
applies for 389

Plugin ID: 65821 Port 636

Synopsis: The remote service supports the use of the RC4 cipher.
DescriptionâšThe remote host supports the use of RC4 in one or more cipher
suites.
The RC4 cipher is flawed in its generation of a pseudo-random stream of
bytes so that a wide variety of small biases are introduced into
the stream, decreasing its randomness.

And 636 and 389 for

Plugin ID: 81606 port 389
Synopsis: The remote host supports a set of weak ciphers.
Description The remote host supports EXPORT_RSA cipher suites with keys
less than or equal to 512 bits. An attacker can factor a 512-bit RSA
modulus in a short amount of time.
A man-in-the middle attacker may be able to downgrade the session to use
EXPORT_RSA cipher suites (e.g. CVE-2015-0204). Thus, it is recommended to
remove support for weak cipher suites.

So I do see RC4 and the exports so I guess I can - those in the dse.ldif

From: Sean Hogan/Durham/IBM
To: Martin Kosek <***@redhat.com>
Cc: freeipa-users <freeipa-***@redhat.com>
Date: 04/27/2016 09:33 AM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL

Hi Martin,

Thanks for the response. We are at RHEL 6.7... getting the hits on 389
and 636 so its the Directory server ports which I assume is dse.ldif.

Sean Hogan

From: Martin Kosek <***@redhat.com>
To: Sean Hogan/Durham/***@IBMUS, freeipa-users
<freeipa-***@redhat.com>
Date: 04/27/2016 01:43 AM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL

Post by Sean Hogan
Hello,
ipa-server-3.0.0-47.el6_7.1.x86_64
389-ds-base-1.2.11.15-68.el6_7.x86_64
Tenable is showing the use of weak ciphers along with freak

vulnerabilities. I

Post by Sean Hogan
have followed
https://access.redhat.com/solutions/675183 however issues remain in the ciphers
being used.

Can you show the full report, so that we can see what's wrong? What I am
looking for also is if the problem is LDAPS port or HTTPS port, so that we
are
not fixing wrong service.

DS ciphers were hardened in RHEL-6.x and RHEL-7.x already as part of this
bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1154687

Further hardening comes with FreeIPA 4.3.1+:
https://fedorahosted.org/freeipa/ticket/5684
https://fedorahosted.org/freeipa/ticket/5589

(it should appear in RHEL-7.3+)

Martin

Sean Hogan

2016-04-27 23:23:50 UTC

Hi Martin,

No joy on placing - in front of the RC4s

I modified my nss.conf to now read
# SSL 3 ciphers. SSL 2 is disabled by default.
NSSCipherSuite
+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha

# SSL Protocol:
# Cryptographic protocols that provide communication security.
# NSS handles the specified protocols as "ranges", and automatically
# negotiates the use of the strongest protocol for a connection starting
# with the maximum specified protocol and downgrading as necessary to the
# minimum specified protocol that can be used between two processes.
# Since all protocol ranges are completely inclusive, and no protocol in
the
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2

dse.ldif

dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20150420131850Z
modifyTimestamp: 20150420131906Z
nsSSL3Ciphers:
+all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4
_56_sha,-tls_dhe_dss_1024_rc4_sha
numSubordinates: 1

But I still get this with nmap.. I thought the above would remove
-tls_rsa_export1024_with_rc4_56_sha but still showing. Is it the fact that
I am not
offering -tls_rsa_export1024_with_rc4_56_sha? If so.. not really
understanding where it is coming from cept the +all from DS but the -
should be negating that?

Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 17:37 EDT
Nmap scan report for rtpvxl0077.watson.local (10.110.76.242)
Host is up (0.000086s latency).
PORT STATE SERVICE
636/tcp open ldapssl
| ssl-enum-ciphers:
| TLSv1.2
| Ciphers (13)
| SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
| SSL_RSA_FIPS_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA256
| TLS_RSA_WITH_AES_128_GCM_SHA256
| TLS_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_AES_256_CBC_SHA256
| TLS_RSA_WITH_DES_CBC_SHA
| TLS_RSA_WITH_RC4_128_MD5
| TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)
|_ uncompressed

Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds

It seems no matter what config I put into nss.conf or dse.ldif nothing
changes with my nmap results. Is there supposed to be a be a section to
add TLS ciphers instead of SSL

Sean Hogan

From: Sean Hogan/Durham/IBM
To: Martin Kosek <***@redhat.com>
Cc: freeipa-users <freeipa-***@redhat.com>
Date: 04/27/2016 09:59 AM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL

I ran the following:
nmap --script ssl-enum-ciphers -p 636 `hostname`

Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 12:48 EDT
Nmap scan report for bob
Host is up (0.000078s latency).
PORT STATE SERVICE
636/tcp open ldapssl
| ssl-enum-ciphers:
| TLSv1.2
| Ciphers (13)
| SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
| SSL_RSA_FIPS_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA256
| TLS_RSA_WITH_AES_128_GCM_SHA256
| TLS_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_AES_256_CBC_SHA256
| TLS_RSA_WITH_DES_CBC_SHA
| TLS_RSA_WITH_RC4_128_MD5
| TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)
|_ uncompressed

Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds

Tenable is barking about the following.. only listing 636 but the same
applies for 389

Plugin ID: 65821 Port 636

Synopsis: The remote service supports the use of the RC4 cipher.
DescriptionâšThe remote host supports the use of RC4 in one or more cipher
suites.
The RC4 cipher is flawed in its generation of a pseudo-random stream of
bytes so that a wide variety of small biases are introduced into
the stream, decreasing its randomness.

And 636 and 389 for

Plugin ID: 81606 port 389
Synopsis: The remote host supports a set of weak ciphers.
Description The remote host supports EXPORT_RSA cipher suites with keys
less than or equal to 512 bits. An attacker can factor a 512-bit RSA
modulus in a short amount of time.
A man-in-the middle attacker may be able to downgrade the session to use
EXPORT_RSA cipher suites (e.g. CVE-2015-0204). Thus, it is recommended to
remove support for weak cipher suites.

So I do see RC4 and the exports so I guess I can - those in the dse.ldif

From: Sean Hogan/Durham/IBM
To: Martin Kosek <***@redhat.com>
Cc: freeipa-users <freeipa-***@redhat.com>
Date: 04/27/2016 09:33 AM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL

Hi Martin,

Thanks for the response. We are at RHEL 6.7... getting the hits on 389
and 636 so its the Directory server ports which I assume is dse.ldif.

Sean Hogan

From: Martin Kosek <***@redhat.com>
To: Sean Hogan/Durham/***@IBMUS, freeipa-users
<freeipa-***@redhat.com>
Date: 04/27/2016 01:43 AM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL

Post by Sean Hogan
Hello,
ipa-server-3.0.0-47.el6_7.1.x86_64
389-ds-base-1.2.11.15-68.el6_7.x86_64
Tenable is showing the use of weak ciphers along with freak

vulnerabilities. I

Post by Sean Hogan
have followed
https://access.redhat.com/solutions/675183 however issues remain in the ciphers
being used.

Can you show the full report, so that we can see what's wrong? What I am
looking for also is if the problem is LDAPS port or HTTPS port, so that we
are
not fixing wrong service.

DS ciphers were hardened in RHEL-6.x and RHEL-7.x already as part of this
bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1154687

Further hardening comes with FreeIPA 4.3.1+:
https://fedorahosted.org/freeipa/ticket/5684
https://fedorahosted.org/freeipa/ticket/5589

(it should appear in RHEL-7.3+)

Martin

Martin Kosek

2016-04-28 10:06:07 UTC

Post by Sean Hogan
Hi Martin,
No joy on placing - in front of the RC4s
I modified my nss.conf to now read
# SSL 3 ciphers. SSL 2 is disabled by default.
NSSCipherSuite
+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha
# Cryptographic protocols that provide communication security.
# NSS handles the specified protocols as "ranges", and automatically
# negotiates the use of the strongest protocol for a connection starting
# with the maximum specified protocol and downgrading as necessary to the
# minimum specified protocol that can be used between two processes.
# Since all protocol ranges are completely inclusive, and no protocol in the
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
dse.ldif
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20150420131850Z
modifyTimestamp: 20150420131906Z
nsSSL3Ciphers: +all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4
_56_sha,-tls_dhe_dss_1024_rc4_sha
numSubordinates: 1
But I still get this with nmap.. I thought the above would remove
-tls_rsa_export1024_with_rc4_56_sha but still showing. Is it the fact that I am not
offering -tls_rsa_export1024_with_rc4_56_sha? If so.. not really understanding
where it is coming from cept the +all from DS but the - should be negating that?
Starting Nmap 5.51 ( http://nmap.org <http://nmap.org/> ) at 2016-04-27 17:37 EDT
Nmap scan report for rtpvxl0077.watson.local (10.110.76.242)
Host is up (0.000086s latency).
PORT STATE SERVICE
636/tcp open ldapssl
| TLSv1.2
| Ciphers (13)
| SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
| SSL_RSA_FIPS_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA256
| TLS_RSA_WITH_AES_128_GCM_SHA256
| TLS_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_AES_256_CBC_SHA256
| TLS_RSA_WITH_DES_CBC_SHA
| TLS_RSA_WITH_RC4_128_MD5
| TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)
|_ uncompressed
Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
It seems no matter what config I put into nss.conf or dse.ldif nothing changes
with my nmap results. Is there supposed to be a be a section to add TLS ciphers
instead of SSL

Not sure now, CCing Ludwig who was involved in the original RHEL-6
implementation. Just to be sure, when you are modifying dse.ldif, the procedure
should be always following:

1) Stop Directory Server service
2) Modify dse.ldif
3) Start Directory Server service

Otherwise it won't get applied and will get overwritten later.

In any case, the ciphers with RHEL-6 should be secure enough, the ones in
FreeIPA 4.3.1 should be even better. This is for example an nmap taken on
FreeIPA Demo instance that runs on FreeIPA 4.3.1:

$ nmap --script ssl-enum-ciphers -p 636 ipa.demo1.freeipa.org

Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-28 12:02 CEST
Nmap scan report for ipa.demo1.freeipa.org (209.132.178.99)
Host is up (0.18s latency).
PORT STATE SERVICE
636/tcp open ldapssl
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
|_ least strength: A

Nmap done: 1 IP address (1 host up) scanned in 21.12 seconds

Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Ludwig Krispenz

2016-04-28 11:26:04 UTC

Not sure now, CCing Ludwig who was involved in the original RHEL-6
implementation.

If I remember correctly we did the change in default ciphers and the
option for handling in 389-ds > 1.3.3, so it would not be in RHEL6,
adding Noriko to get confirmation.

but the below comments about changing ciphers in dse.ldif could help in
using the "old" way to set ciphers

Post by Martin Kosek
Just to be sure, when you are modifying dse.ldif, the procedure
1) Stop Directory Server service
2) Modify dse.ldif
3) Start Directory Server service
Otherwise it won't get applied and will get overwritten later.
In any case, the ciphers with RHEL-6 should be secure enough, the ones in
FreeIPA 4.3.1 should be even better. This is for example an nmap taken on
$ nmap --script ssl-enum-ciphers -p 636 ipa.demo1.freeipa.org
Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-28 12:02 CEST
Nmap scan report for ipa.demo1.freeipa.org (209.132.178.99)
Host is up (0.18s latency).
PORT STATE SERVICE
636/tcp open ldapssl
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| NULL
| cipher preference: server
|_ least strength: A
Nmap done: 1 IP address (1 host up) scanned in 21.12 seconds
Martin

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Ludwig Krispenz

2016-04-28 11:34:14 UTC

wanted to add Noriko, but hit send to quickly

Post by Sean Hogan
Hi Martin,
No joy on placing - in front of the RC4s
I modified my nss.conf to now read
# SSL 3 ciphers. SSL 2 is disabled by default.
NSSCipherSuite
+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha
# Cryptographic protocols that provide communication security.
# NSS handles the specified protocols as "ranges", and automatically
# negotiates the use of the strongest protocol for a connection starting
# with the maximum specified protocol and downgrading as necessary to the
# minimum specified protocol that can be used between two processes.
# Since all protocol ranges are completely inclusive, and no
protocol in the
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
dse.ldif
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20150420131850Z
modifyTimestamp: 20150420131906Z
+all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4
_56_sha,-tls_dhe_dss_1024_rc4_sha
numSubordinates: 1
But I still get this with nmap.. I thought the above would remove
-tls_rsa_export1024_with_rc4_56_sha but still showing. Is it the fact that I am not
offering -tls_rsa_export1024_with_rc4_56_sha? If so.. not really understanding
where it is coming from cept the +all from DS but the - should be negating that?
Starting Nmap 5.51 ( http://nmap.org <http://nmap.org/> ) at
2016-04-27 17:37 EDT
Nmap scan report for rtpvxl0077.watson.local (10.110.76.242)
Host is up (0.000086s latency).
PORT STATE SERVICE
636/tcp open ldapssl
| TLSv1.2
| Ciphers (13)
| SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
| SSL_RSA_FIPS_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA256
| TLS_RSA_WITH_AES_128_GCM_SHA256
| TLS_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_AES_256_CBC_SHA256
| TLS_RSA_WITH_DES_CBC_SHA
| TLS_RSA_WITH_RC4_128_MD5
| TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)
|_ uncompressed
Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
It seems no matter what config I put into nss.conf or dse.ldif nothing changes
with my nmap results. Is there supposed to be a be a section to add TLS ciphers
instead of SSL

Not sure now, CCing Ludwig who was involved in the original RHEL-6
implementation.

If I remember correctly we did the change in default ciphers and the
option for handling in 389-ds > 1.3.3, so it would not be in RHEL6,
adding Noriko to get confirmation.
but the below comments about changing ciphers in dse.ldif could help
in using the "old" way to set ciphers

Sean Hogan

2016-04-28 15:20:44 UTC

Yes sir.. I am stopping DS with ipactl stop before making changes.. .I
often times have to really play with the ciphers cause many times when I
restart DS I get unknown cipher and IPA fails to start. Go back into
dse.ldif and modify til it comes back up.

Sean Hogan
Security Engineer
Watson Security & Risk Assurance
Watson Cloud Technology and Support
email: ***@us.ibm.com | Tel 919 486 1397

From: Ludwig Krispenz <***@redhat.com>
To: freeipa-***@redhat.com, Noriko Hosoi <***@redhat.com>
Date: 04/28/2016 04:46 AM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL
Sent by: freeipa-users-***@redhat.com

wanted to add Noriko, but hit send to quickly

Post by Sean Hogan
Hi Martin,
No joy on placing - in front of the RC4s
I modified my nss.conf to now read
# SSL 3 ciphers. SSL 2 is disabled by default.
NSSCipherSuite

+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha

Post by Sean Hogan
# Cryptographic protocols that provide communication security.
# NSS handles the specified protocols as "ranges", and automatically
# negotiates the use of the strongest protocol for a connection starting
# with the maximum specified protocol and downgrading as necessary to the
# minimum specified protocol that can be used between two processes.
# Since all protocol ranges are completely inclusive, and no
protocol in the
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
dse.ldif
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20150420131850Z
modifyTimestamp: 20150420131906Z
+all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4
_56_sha,-tls_dhe_dss_1024_rc4_sha
numSubordinates: 1
But I still get this with nmap.. I thought the above would remove
-tls_rsa_export1024_with_rc4_56_sha but still showing. Is it the fact that I am not
offering -tls_rsa_export1024_with_rc4_56_sha? If so.. not really understanding
where it is coming from cept the +all from DS but the - should be negating that?
Starting Nmap 5.51 ( http://nmap.org <http://nmap.org/> ) at
2016-04-27 17:37 EDT
Nmap scan report for rtpvxl0077.watson.local (10.110.76.242)
Host is up (0.000086s latency).
PORT STATE SERVICE
636/tcp open ldapssl
| TLSv1.2
| Ciphers (13)
| SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
| SSL_RSA_FIPS_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA256
| TLS_RSA_WITH_AES_128_GCM_SHA256
| TLS_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_AES_256_CBC_SHA256
| TLS_RSA_WITH_DES_CBC_SHA
| TLS_RSA_WITH_RC4_128_MD5
| TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)
|_ uncompressed
Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
It seems no matter what config I put into nss.conf or dse.ldif nothing changes
with my nmap results. Is there supposed to be a be a section to add TLS ciphers
instead of SSL

Not sure now, CCing Ludwig who was involved in the original RHEL-6
implementation.

If I remember correctly we did the change in default ciphers and the
option for handling in 389-ds > 1.3.3, so it would not be in RHEL6,
adding Noriko to get confirmation.
but the below comments about changing ciphers in dse.ldif could help
in using the "old" way to set ciphers

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham,
Michael O'Neill

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Sean Hogan

2016-04-28 15:34:34 UTC

Tenable is barking about the following.. only listing 636 but the same
applies for 389

Plugin ID: 65821 Port 636

Synopsis: The remote service supports the use of the RC4 cipher.
DescriptionâšThe remote host supports the use of RC4 in one or more cipher
suites.
The RC4 cipher is flawed in its generation of a pseudo-random stream of
bytes so that a wide variety of small biases are introduced into
the stream, decreasing its randomness.

And 636 and 389 for

Plugin ID: 81606 port 389
Synopsis: The remote host supports a set of weak ciphers.
Description The remote host supports EXPORT_RSA cipher suites with keys
less than or equal to 512 bits. An attacker can factor a 512-bit RSA
modulus in a short amount of time.
A man-in-the middle attacker may be able to downgrade the session to use
EXPORT_RSA cipher suites (e.g. CVE-2015-0204). Thus, it is recommended to
remove support for weak cipher suites.

This is whay I was trying to remove -tls_rsa_export1024_with_rc4_56_sha

Sean Hogan

From: Sean Hogan/Durham/IBM
To: Ludwig Krispenz <***@redhat.com>
Cc: freeipa-***@redhat.com, Noriko Hosoi <***@redhat.com>
Date: 04/28/2016 08:20 AM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL

Yes sir.. I am stopping DS with ipactl stop before making changes.. .I
often times have to really play with the ciphers cause many times when I
restart DS I get unknown cipher and IPA fails to start. Go back into
dse.ldif and modify til it comes back up.

Sean Hogan
Security Engineer
Watson Security & Risk Assurance
Watson Cloud Technology and Support
email: ***@us.ibm.com | Tel 919 486 1397

From: Ludwig Krispenz <***@redhat.com>
To: freeipa-***@redhat.com, Noriko Hosoi <***@redhat.com>
Date: 04/28/2016 04:46 AM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL
Sent by: freeipa-users-***@redhat.com

wanted to add Noriko, but hit send to quickly

Post by Sean Hogan
Hi Martin,
No joy on placing - in front of the RC4s
I modified my nss.conf to now read
# SSL 3 ciphers. SSL 2 is disabled by default.
NSSCipherSuite

Not sure now, CCing Ludwig who was involved in the original RHEL-6
implementation.

If I remember correctly we did the change in default ciphers and the
option for handling in 389-ds > 1.3.3, so it would not be in RHEL6,
adding Noriko to get confirmation.
but the below comments about changing ciphers in dse.ldif could help
in using the "old" way to set ciphers

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Sean Hogan

2016-04-28 17:09:50 UTC

Hey guys.. yes I so want to upgrade to 4.x however not in my control right
now and can not really discuss. I see us stuck at 3.x for a while.

Sean Hogan

From: Sean Hogan/Durham/IBM
To: Ludwig Krispenz <***@redhat.com>
Cc: freeipa-***@redhat.com, Noriko Hosoi <***@redhat.com>
Date: 04/28/2016 08:20 AM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL

Yes sir.. I am stopping DS with ipactl stop before making changes.. .I
often times have to really play with the ciphers cause many times when I
restart DS I get unknown cipher and IPA fails to start. Go back into
dse.ldif and modify til it comes back up.

Sean Hogan

From: Ludwig Krispenz <***@redhat.com>
To: freeipa-***@redhat.com, Noriko Hosoi <***@redhat.com>
Date: 04/28/2016 04:46 AM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL
Sent by: freeipa-users-***@redhat.com

wanted to add Noriko, but hit send to quickly

Post by Sean Hogan
Hi Martin,
No joy on placing - in front of the RC4s
I modified my nss.conf to now read
# SSL 3 ciphers. SSL 2 is disabled by default.
NSSCipherSuite

Not sure now, CCing Ludwig who was involved in the original RHEL-6
implementation.

If I remember correctly we did the change in default ciphers and the
option for handling in 389-ds > 1.3.3, so it would not be in RHEL6,
adding Noriko to get confirmation.
but the below comments about changing ciphers in dse.ldif could help
in using the "old" way to set ciphers

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham,
Michael O'Neill

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Noriko Hosoi

2016-04-28 18:06:08 UTC

Thank you for including me in the loop, Ludwig.

Post by Ludwig Krispenz
If I remember correctly we did the change in default ciphers and the

Post by Ludwig Krispenz
wanted to add Noriko, but hit send to quickly

Post by Sean Hogan
Hi Martin,
No joy on placing - in front of the RC4s
I modified my nss.conf to now read
# SSL 3 ciphers. SSL 2 is disabled by default.
NSSCipherSuite
+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha
# Cryptographic protocols that provide communication security.
# NSS handles the specified protocols as "ranges", and automatically
# negotiates the use of the strongest protocol for a connection starting
# with the maximum specified protocol and downgrading as necessary to the
# minimum specified protocol that can be used between two processes.
# Since all protocol ranges are completely inclusive, and no protocol in the
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
dse.ldif
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20150420131850Z
modifyTimestamp: 20150420131906Z
+all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4
_56_sha,-tls_dhe_dss_1024_rc4_sha
numSubordinates: 1
But I still get this with nmap.. I thought the above would remove
-tls_rsa_export1024_with_rc4_56_sha but still showing. Is it the fact that I am not
offering -tls_rsa_export1024_with_rc4_56_sha? If so.. not really understanding
where it is coming from cept the +all from DS but the - should be negating that?
Starting Nmap 5.51 ( http://nmap.org <http://nmap.org/> ) at 2016-04-27 17:37 EDT
Nmap scan report for rtpvxl0077.watson.local (10.110.76.242)
Host is up (0.000086s latency).
PORT STATE SERVICE
636/tcp open ldapssl
| TLSv1.2
| Ciphers (13)
| SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
| SSL_RSA_FIPS_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA256
| TLS_RSA_WITH_AES_128_GCM_SHA256
| TLS_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_AES_256_CBC_SHA256
| TLS_RSA_WITH_DES_CBC_SHA
| TLS_RSA_WITH_RC4_128_MD5
| TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)
|_ uncompressed
Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
It seems no matter what config I put into nss.conf or dse.ldif nothing changes
with my nmap results. Is there supposed to be a be a section to add TLS ciphers
instead of SSL

Not sure now, CCing Ludwig who was involved in the original RHEL-6
implementation.

If I remember correctly we did the change in default ciphers and the
option for handling in 389-ds > 1.3.3, so it would not be in RHEL6,
adding Noriko to get confirmation.
but the below comments about changing ciphers in dse.ldif could help
in using the "old" way to set ciphers

Sean Hogan

2016-04-28 23:15:52 UTC

Hi Noriko,

Thanks for the suggestions,

I had to trim out the GCM ciphers in order to get IPA to start back up or
I would get the unknown cipher message

Nmap is still showing the same 13 ciphers as before though like nothing had
changed and I did ipactl stop, made modification, ipactl start

tarting Nmap 5.51 ( http://nmap.org ) at 2016-04-28 18:44 EDT
Nmap scan report for
Host is up (0.000053s latency).
PORT STATE SERVICE
636/tcp open ldapssl
| ssl-enum-ciphers:
| TLSv1.2
| Ciphers (13)
| SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
| SSL_RSA_FIPS_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA256
| TLS_RSA_WITH_AES_128_GCM_SHA256
| TLS_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_AES_256_CBC_SHA256
| TLS_RSA_WITH_DES_CBC_SHA
| TLS_RSA_WITH_RC4_128_MD5
| TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)
|_ uncompressed

Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds

Current Config:

dse.ldif
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20150420131850Z
modifyTimestamp: 20150420131906Z
nsSSL3Ciphers:
-rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_

rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,+tls_rsa_aes_128_sha

,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_
aes_256_sha,+rsa_aes_256_sha
numSubordinates: 1

nss.conf
# SSL 3 ciphers. SSL 2 is disabled by default.
NSSCipherSuite
-rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,+tls_rsa_aes_128_gcm_sha,+tls_dhe_rsa_aes_128_gcm_sha,+tls_dhe_dss_aes_128_gcm_sha

NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2

Does nss.conf have anything to do with the dir srv ciphers? I know the 389
docs says they are tied together so the way I have been looking at it is
nss.conf lists the allowed ciphers where dse.ldif lists which ones to use
for 389 from nss.conf. Is that correct? Is there any other place where
ciphers would be ignored?

nss-3.19.1-8.el6_7.x86_64
sssd-ipa-1.12.4-47.el6_7.4.x86_64
ipa-client-3.0.0-47.el6_7.1.x86_64
ipa-server-selinux-3.0.0-47.el6_7.1.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-python-3.0.0-47.el6_7.1.x86_64
ipa-server-3.0.0-47.el6_7.1.x86_64
libipa_hbac-python-1.12.4-47.el6_7.4.x86_64
ipa-admintools-3.0.0-47.el6_7.1.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
389-ds-base-1.2.11.15-68.el6_7.x86_64
389-ds-base-libs-1.2.11.15-68.el6_7.x86_64

I need to get rid of any rc4s

Sean Hogan
Security Engineer
Watson Security & Risk Assurance
Watson Cloud Technology and Support
email: ***@us.ibm.com | Tel 919 486 1397

From: Noriko Hosoi <***@redhat.com>
To: Ludwig Krispenz <***@redhat.com>, freeipa-***@redhat.com
Date: 04/28/2016 12:08 PM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL
Sent by: freeipa-users-***@redhat.com

Thank you for including me in the loop, Ludwig.

Post by Ludwig Krispenz
If I remember correctly we did the change in default ciphers and the

option for handling in 389-ds > 1.3.3, so it would not be in RHEL6, adding
Noriko to get confirmation.

Ludwig is right. The way how to set nsSSL3Ciphers has been changed since
1.3.3 which is available on RHEL-7.

This is one of the newly supported values of nsSSL3Ciphers:
Notes: if the value contains +all, then -<cipher> is removed from the
list.
http://www.port389.org/docs/389ds/design/nss-cipher-design.html#available-by-setting-all----nss-3162-1
On the older 389-ds-base including 389-ds-base-1.2.11.X on RHEL-6.X, if
"+all" is found in the value, all the available ciphers are enabled.

To workaround it, could you try explicitely setting ciphers as follows?
nsSSL3Ciphers:
-rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,

+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,

+tls_rsa_aes_128_gcm_sha,+tls_dhe_rsa_aes_128_gcm_sha,+tls_dhe_dss_aes_128_gcm_sha

Thanks,
--noriko

On 04/28/2016 04:34 AM, Ludwig Krispenz wrote:
wanted to add Noriko, but hit send to quickly

On 04/28/2016 01:26 PM, Ludwig Krispenz wrote:

On 04/28/2016 12:06 PM, Martin Kosek wrote:
On 04/28/2016 01:23 AM, Sean Hogan wrote:
Hi Martin,

No joy on placing - in front of the RC4s

I modified my nss.conf to now read
# SSL 3 ciphers. SSL 2 is disabled by default.
NSSCipherSuite
+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha

# SSL Protocol:
# Cryptographic protocols that provide
communication security.
# NSS handles the specified protocols as "ranges",
and automatically
# negotiates the use of the strongest protocol for
a connection starting
# with the maximum specified protocol and
downgrading as necessary to the
# minimum specified protocol that can be used
between two processes.
# Since all protocol ranges are completely
inclusive, and no protocol in the
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2

dse.ldif

dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20150420131850Z
modifyTimestamp: 20150420131906Z
nsSSL3Ciphers:
+all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4

_56_sha,-tls_dhe_dss_1024_rc4_sha
numSubordinates: 1

But I still get this with nmap.. I thought the
above would remove
-tls_rsa_export1024_with_rc4_56_sha but still
showing. Is it the fact that I am not
offering -tls_rsa_export1024_with_rc4_56_sha? If
so.. not really understanding
where it is coming from cept the +all from DS but
the - should be negating that?

Starting Nmap 5.51 ( http://nmap.org
<http://nmap.org/> ) at 2016-04-27 17:37 EDT
Nmap scan report for
Host is up (0.000086s latency).
PORT STATE SERVICE
636/tcp open ldapssl
| ssl-enum-ciphers:
| TLSv1.2
| Ciphers (13)
| SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
| SSL_RSA_FIPS_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA256
| TLS_RSA_WITH_AES_128_GCM_SHA256
| TLS_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_AES_256_CBC_SHA256
| TLS_RSA_WITH_DES_CBC_SHA
| TLS_RSA_WITH_RC4_128_MD5
| TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)
|_ uncompressed

Nmap done: 1 IP address (1 host up) scanned in 0.32
seconds

It seems no matter what config I put into nss.conf
or dse.ldif nothing changes
with my nmap results. Is there supposed to be a be
a section to add TLS ciphers
instead of SSL
Not sure now, CCing Ludwig who was involved in the
original RHEL-6
implementation.
If I remember correctly we did the change in default ciphers
and the option for handling in 389-ds > 1.3.3, so it would not
be in RHEL6, adding Noriko to get confirmation.

but the below comments about changing ciphers in dse.ldif could
help in using the "old" way to set ciphers
Just to be sure, when you are modifying dse.ldif, the
procedure
should be always following:

1) Stop Directory Server service
2) Modify dse.ldif
3) Start Directory Server service

Otherwise it won't get applied and will get overwritten
later.

In any case, the ciphers with RHEL-6 should be secure
enough, the ones in
FreeIPA 4.3.1 should be even better. This is for example
an nmap taken on
FreeIPA Demo instance that runs on FreeIPA 4.3.1:

$ nmap --script ssl-enum-ciphers -p 636
ipa.demo1.freeipa.org

Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-28
12:02 CEST
Nmap scan report for ipa.demo1.freeipa.org
(209.132.178.99)
Host is up (0.18s latency).
PORT    STATE SERVICE
636/tcp open ldapssl
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1)
- A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) -
A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1)
- A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) -
A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A

|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A

|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A

|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_ least strength: A

Nmap done: 1 IP address (1 host up) scanned in 21.12
seconds

Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Rob Crittenden

2016-04-29 15:30:17 UTC

Post by Sean Hogan
Hi Noriko,
Thanks for the suggestions,
I had to trim out the GCM ciphers in order to get IPA to start back up
or I would get the unknown cipher message

The trick is getting the cipher name right (it doesn't always follow a
pattern) and explicitly disabling some ciphers as they are enabled by
default.

Try this string:

-rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha

I have an oldish install but I think it will still do what you need:
389-ds-base-1.2.11.15-68.el6_7.x86_64

Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-29 11:24 EDT
Nmap scan report for pacer.example.com (192.168.126.2)
Host is up (0.00053s latency).
PORT STATE SERVICE
636/tcp open ldapssl
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| compressors:
| NULL
| cipher preference: server
|_ least strength: C

Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

$ sslscan pacer.example.com:636 |grep Accept
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 112 bits DES-CBC3-SHA
Accepted TLS11 256 bits AES256-SHA
Accepted TLS11 128 bits AES128-SHA
Accepted TLS11 112 bits DES-CBC3-SHA
Accepted TLS12 256 bits AES256-SHA256
Accepted TLS12 256 bits AES256-SHA
Accepted TLS12 128 bits AES128-GCM-SHA256
Accepted TLS12 128 bits AES128-SHA256
Accepted TLS12 128 bits AES128-SHA
Accepted TLS12 112 bits DES-CBC3-SHA

rob

Post by Sean Hogan
Nmap is still showing the same 13 ciphers as before though like nothing
had changed and I did ipactl stop, made modification, ipactl start
tarting Nmap 5.51 ( http://nmap.org <http://nmap.org/> ) at 2016-04-28
18:44 EDT
Nmap scan report for
Host is up (0.000053s latency).
PORT STATE SERVICE
636/tcp open ldapssl
| TLSv1.2
| Ciphers (13)
| SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
| SSL_RSA_FIPS_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA256
| TLS_RSA_WITH_AES_128_GCM_SHA256
| TLS_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_AES_256_CBC_SHA256
| TLS_RSA_WITH_DES_CBC_SHA
| TLS_RSA_WITH_RC4_128_MD5
| TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)
|_ uncompressed
Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds
dse.ldif
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20150420131850Z
modifyTimestamp: 20150420131906Z
-rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_
rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,+tls_rsa_aes_128_sha
,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_
aes_256_sha,+rsa_aes_256_sha
numSubordinates: 1
nss.conf
# SSL 3 ciphers. SSL 2 is disabled by default.
NSSCipherSuite
-rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,+tls_rsa_aes_128_gcm_sha,+tls_dhe_rsa_aes_128_gcm_sha,+tls_dhe_dss_aes_128_gcm_sha
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
Does nss.conf have anything to do with the dir srv ciphers? I know the
389 docs says they are tied together so the way I have been looking at
it is nss.conf lists the allowed ciphers where dse.ldif lists which ones
to use for 389 from nss.conf. Is that correct? Is there any other place
where ciphers would be ignored?
nss-3.19.1-8.el6_7.x86_64
sssd-ipa-1.12.4-47.el6_7.4.x86_64
ipa-client-3.0.0-47.el6_7.1.x86_64
ipa-server-selinux-3.0.0-47.el6_7.1.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-python-3.0.0-47.el6_7.1.x86_64
ipa-server-3.0.0-47.el6_7.1.x86_64
libipa_hbac-python-1.12.4-47.el6_7.4.x86_64
ipa-admintools-3.0.0-47.el6_7.1.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
389-ds-base-1.2.11.15-68.el6_7.x86_64
389-ds-base-libs-1.2.11.15-68.el6_7.x86_64
I need to get rid of any rc4s
Sean Hogan
Security Engineer
Watson Security & Risk Assurance
Watson Cloud Technology and Support
Inactive hide details for Noriko Hosoi ---04/28/2016 12:08:59 PM---Thank
you for including me in the loop, Ludwig. On 04/28/201Noriko Hosoi
---04/28/2016 12:08:59 PM---Thank you for including me in the loop,
Date: 04/28/2016 12:08 PM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL
------------------------------------------------------------------------
Thank you for including me in the loop, Ludwig.

Post by Ludwig Krispenz
If I remember correctly we did the change in default ciphers and the

option for handling in 389-ds > 1.3.3, so it would not be in RHEL6,
adding Noriko to get confirmation.
Ludwig is right. The way how to set nsSSL3Ciphers has been changed
since 1.3.3 which is available on RHEL-7.
Notes: if the value contains +all, then *-<cipher>*is removed
from the list._
__http://www.port389.org/docs/389ds/design/nss-cipher-design.html#available-by-setting-all----nss-3162-1_
On the older 389-ds-base including 389-ds-base-1.2.11.X on RHEL-6.X, if
"+all" is found in the value, all the available ciphers are enabled.
To workaround it, could you try explicitely setting ciphers as follows?
-rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,
+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,
+tls_rsa_aes_128_gcm_sha,+tls_dhe_rsa_aes_128_gcm_sha,+tls_dhe_dss_aes_128_gcm_sha
Thanks,
--noriko
wanted to add Noriko, but hit send to quickly
Hi Martin,
No joy on placing - in front of the RC4s
I modified my nss.conf to now read
# SSL 3 ciphers. SSL 2 is disabled by
default.
NSSCipherSuite
+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha
# Cryptographic protocols that provide
communication security.
# NSS handles the specified protocols as
"ranges", and automatically
# negotiates the use of the strongest
protocol for a connection starting
# with the maximum specified protocol
and downgrading as necessary to the
# minimum specified protocol that can be
used between two processes.
# Since all protocol ranges are
completely inclusive, and no protocol in
the
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
dse.ldif
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20150420131850Z
modifyTimestamp: 20150420131906Z
+all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4
_56_sha,-tls_dhe_dss_1024_rc4_sha
numSubordinates: 1
But I still get this with nmap.. I
thought the above would remove
-tls_rsa_export1024_with_rc4_56_sha but
still showing. Is it the fact that I am not
offering
-tls_rsa_export1024_with_rc4_56_sha? If
so.. not really understanding
where it is coming from cept the +all
from DS but the - should be negating that?
Starting Nmap 5.51 ( _http://nmap.org_
<http://nmap.org/>_<http://nmap.org/>_
<http://nmap.org/>) at 2016-04-27 17:37 EDT
Nmap scan report for
Host is up (0.000086s latency).
PORT STATE SERVICE
636/tcp open ldapssl
| TLSv1.2
| Ciphers (13)
| SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
| SSL_RSA_FIPS_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA256
| TLS_RSA_WITH_AES_128_GCM_SHA256
| TLS_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_AES_256_CBC_SHA256
| TLS_RSA_WITH_DES_CBC_SHA
| TLS_RSA_WITH_RC4_128_MD5
| TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)
|_ uncompressed
Nmap done: 1 IP address (1 host up)
scanned in 0.32 seconds
It seems no matter what config I put
into nss.conf or dse.ldif nothing changes
with my nmap results. Is there supposed
to be a be a section to add TLS ciphers
instead of SSL Not sure now, CCing Ludwig who was involved in
the original RHEL-6
implementation. If I remember correctly we did the change in default
ciphers and the option for handling in 389-ds > 1.3.3,
so it would not be in RHEL6, adding Noriko to get
confirmation.
but the below comments about changing ciphers in
dse.ldif could help in using the "old" way to set ciphers
Just to be sure, when you are modifying
dse.ldif, the procedure
1) Stop Directory Server service
2) Modify dse.ldif
3) Start Directory Server service
Otherwise it won't get applied and will get
overwritten later.
In any case, the ciphers with RHEL-6 should be
secure enough, the ones in
FreeIPA 4.3.1 should be even better. This is for
example an nmap taken on
$ nmap --script ssl-enum-ciphers -p 636
ipa.demo1.freeipa.org
Starting Nmap 7.12 ( _https://nmap.org_
<https://nmap.org/>) at 2016-04-28 12:02 CEST
Nmap scan report for ipa.demo1.freeipa.org
(209.132.178.99)
Host is up (0.18s latency).
PORT STATE SERVICE
636/tcp open ldapssl
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
(secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
(secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
(secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
(secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh
2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh
2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh
2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh
2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh
2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa
2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa
2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa
2048) - A
| NULL
| cipher preference: server
|_ least strength: A
Nmap done: 1 IP address (1 host up) scanned in
21.12 seconds
Martin
--
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Sean Hogan

2016-04-29 15:56:57 UTC

Hi Rob,

I stopped IPA, modified dse.ldif, restarted with the cipher list and it
started without issue however Same 13 ciphers. You know.. thinking about
this now.. I going to try something. The box I am testing on it a replica
master and not the first replica. I did not think this would make a
difference since I removed the replica from the realm before testing but
maybe it will not change anything thinking its stuck in the old realm?

Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-29 11:51 EDT
Nmap scan report for
Host is up (0.000082s latency).
PORT STATE SERVICE
636/tcp open ldapssl
| ssl-enum-ciphers:
| TLSv1.2
| Ciphers (13)
| SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
| SSL_RSA_FIPS_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA256
| TLS_RSA_WITH_AES_128_GCM_SHA256
| TLS_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_AES_256_CBC_SHA256
| TLS_RSA_WITH_DES_CBC_SHA
| TLS_RSA_WITH_RC4_128_MD5
| TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)

dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20150420131850Z
modifyTimestamp: 20150420131906Z
nsSSL3Ciphers:
-rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5

,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_

sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_r
c4_56_sha,-tls_rsa_export1024_with_des_cbc_sha
numSubordinates: 1

Sean Hogan
Security Engineer
Watson Security & Risk Assurance
Watson Cloud Technology and Support
email: ***@us.ibm.com | Tel 919 486 1397

From: Rob Crittenden <***@redhat.com>
To: Sean Hogan/Durham/***@IBMUS, Noriko Hosoi <***@redhat.com>
Cc: freeipa-***@redhat.com
Date: 04/29/2016 08:30 AM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL

Post by Sean Hogan
Hi Noriko,
Thanks for the suggestions,
I had to trim out the GCM ciphers in order to get IPA to start back up
or I would get the unknown cipher message

rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,+tls_rsa_aes_128_sha

Post by Sean Hogan
,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_
aes_256_sha,+rsa_aes_256_sha
numSubordinates: 1
nss.conf
# SSL 3 ciphers. SSL 2 is disabled by default.
NSSCipherSuite

-rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,+tls_rsa_aes_128_gcm_sha,+tls_dhe_rsa_aes_128_gcm_sha,+tls_dhe_dss_aes_128_gcm_sha

Post by Sean Hogan
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
Does nss.conf have anything to do with the dir srv ciphers? I know the
389 docs says they are tied together so the way I have been looking at
it is nss.conf lists the allowed ciphers where dse.ldif lists which ones
to use for 389 from nss.conf. Is that correct? Is there any other place
where ciphers would be ignored?
nss-3.19.1-8.el6_7.x86_64
sssd-ipa-1.12.4-47.el6_7.4.x86_64
ipa-client-3.0.0-47.el6_7.1.x86_64
ipa-server-selinux-3.0.0-47.el6_7.1.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-python-3.0.0-47.el6_7.1.x86_64
ipa-server-3.0.0-47.el6_7.1.x86_64
libipa_hbac-python-1.12.4-47.el6_7.4.x86_64
ipa-admintools-3.0.0-47.el6_7.1.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
389-ds-base-1.2.11.15-68.el6_7.x86_64
389-ds-base-libs-1.2.11.15-68.el6_7.x86_64
I need to get rid of any rc4s
Sean Hogan
Security Engineer
Watson Security & Risk Assurance
Watson Cloud Technology and Support
Inactive hide details for Noriko Hosoi ---04/28/2016 12:08:59 PM---Thank
you for including me in the loop, Ludwig. On 04/28/201Noriko Hosoi
---04/28/2016 12:08:59 PM---Thank you for including me in the loop,
Date: 04/28/2016 12:08 PM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL
------------------------------------------------------------------------
Thank you for including me in the loop, Ludwig.

Post by Ludwig Krispenz
If I remember correctly we did the change in default ciphers and the

__http://www.port389.org/docs/389ds/design/nss-cipher-design.html#available-by-setting-all----nss-3162-1_

Post by Sean Hogan
On the older 389-ds-base including 389-ds-base-1.2.11.X on RHEL-6.X, if
"+all" is found in the value, all the available ciphers are enabled.
To workaround it, could you try explicitely setting ciphers as follows?

-rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,
+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,
+tls_rsa_aes_128_gcm_sha,+tls_dhe_rsa_aes_128_gcm_sha,+tls_dhe_dss_aes_128_gcm_sha

Post by Sean Hogan
Thanks,
--noriko
wanted to add Noriko, but hit send to quickly
Hi Martin,
No joy on placing - in front of the RC4s
I modified my nss.conf to now read
# SSL 3 ciphers. SSL 2 is disabled by
default.
NSSCipherSuite

+all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4

Post by Sean Hogan
_56_sha,-tls_dhe_dss_1024_rc4_sha
numSubordinates: 1
But I still get this with nmap.. I
thought the above would remove
-tls_rsa_export1024_with_rc4_56_sha but
still showing. Is it the fact that I am not
offering
-tls_rsa_export1024_with_rc4_56_sha? If
so.. not really understanding
where it is coming from cept the +all
from DS but the - should be negating that?
Starting Nmap 5.51 ( _http://nmap.org_
<http://nmap.org/>_<http://nmap.org/>_
<http://nmap.org/>) at 2016-04-27 17:37 EDT
Nmap scan report for
Host is up (0.000086s latency).
PORT STATE SERVICE
636/tcp open ldapssl
| TLSv1.2
| Ciphers (13)
| SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
| SSL_RSA_FIPS_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA256
| TLS_RSA_WITH_AES_128_GCM_SHA256
| TLS_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_AES_256_CBC_SHA256
| TLS_RSA_WITH_DES_CBC_SHA
| TLS_RSA_WITH_RC4_128_MD5
| TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)
|_ uncompressed
Nmap done: 1 IP address (1 host up)
scanned in 0.32 seconds
It seems no matter what config I put
into nss.conf or dse.ldif nothing changes
with my nmap results. Is there supposed
to be a be a section to add TLS ciphers
instead of SSL Not sure now, CCing Ludwig who was involved in
the original RHEL-6
implementation. If I remember correctly we did the change in default
ciphers and the option for handling in 389-ds > 1.3.3,
so it would not be in RHEL6, adding Noriko to get
confirmation.
but the below comments about changing ciphers in
dse.ldif could help in using the "old" way to set ciphers
Just to be sure, when you are modifying
dse.ldif, the procedure
1) Stop Directory Server service
2) Modify dse.ldif
3) Start Directory Server service
Otherwise it won't get applied and will get
overwritten later.
In any case, the ciphers with RHEL-6 should be
secure enough, the ones in
FreeIPA 4.3.1 should be even better. This is for
example an nmap taken on
$ nmap --script ssl-enum-ciphers -p 636
ipa.demo1.freeipa.org
Starting Nmap 7.12 ( _https://nmap.org_
<https://nmap.org/>) at 2016-04-28 12:02 CEST
Nmap scan report for ipa.demo1.freeipa.org
(209.132.178.99)
Host is up (0.18s latency).
PORT STATE SERVICE
636/tcp open ldapssl
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
(secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
(secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
(secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
(secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh
2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh
2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh
2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh
2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh
2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa
2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa
2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa
2048) - A
| NULL
| cipher preference: server
|_ least strength: A
Nmap done: 1 IP address (1 host up) scanned in
21.12 seconds
Martin
--
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Robert Story

2016-04-30 19:50:12 UTC

On Fri, 29 Apr 2016 08:56:57 -0700 Sean wrote:
SH> Hi Rob,
SH>
SH> I stopped IPA, modified dse.ldif, restarted with the cipher list and it
SH> started without issue

Just thought I'd point out the other recent thread, "freeipa update changed
my cipher set", which mentions that dse.ldif can get reset on upgrades,
along with a way to make persistent overrides.

Robert

--
Senior Software Engineer @ Parsons

Sean Hogan

2016-04-29 20:32:14 UTC

Apparently making it the master ca will not work at this point since the
replica is removed. So still stuck with non-changing ciphers.

Sean Hogan

From: Sean Hogan/Durham/IBM
To: Rob Crittenden <***@redhat.com>
Cc: freeipa-***@redhat.com, Noriko Hosoi <***@redhat.com>
Date: 04/29/2016 08:56 AM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL

Hi Rob,

I stopped IPA, modified dse.ldif, restarted with the cipher list and it
started without issue however Same 13 ciphers. You know.. thinking about
this now.. I going to try something. The box I am testing on it a replica
master and not the first replica. I did not think this would make a
difference since I removed the replica from the realm before testing but
maybe it will not change anything thinking its stuck in the old realm?

Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-29 11:51 EDT
Nmap scan report for
Host is up (0.000082s latency).
PORT STATE SERVICE
636/tcp open ldapssl
| ssl-enum-ciphers:
| TLSv1.2
| Ciphers (13)
| SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
| SSL_RSA_FIPS_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA256
| TLS_RSA_WITH_AES_128_GCM_SHA256
| TLS_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_AES_256_CBC_SHA256
| TLS_RSA_WITH_DES_CBC_SHA
| TLS_RSA_WITH_RC4_128_MD5
| TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)

dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20150420131850Z
modifyTimestamp: 20150420131906Z
nsSSL3Ciphers:
-rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5

,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_

sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_r
c4_56_sha,-tls_rsa_export1024_with_des_cbc_sha
numSubordinates: 1

Sean Hogan
Security Engineer
Watson Security & Risk Assurance
Watson Cloud Technology and Support
email: ***@us.ibm.com | Tel 919 486 1397

From: Rob Crittenden <***@redhat.com>
To: Sean Hogan/Durham/***@IBMUS, Noriko Hosoi <***@redhat.com>
Cc: freeipa-***@redhat.com
Date: 04/29/2016 08:30 AM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL

Post by Sean Hogan
Hi Noriko,
Thanks for the suggestions,
I had to trim out the GCM ciphers in order to get IPA to start back up
or I would get the unknown cipher message

rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,+tls_rsa_aes_128_sha

Post by Ludwig Krispenz
If I remember correctly we did the change in default ciphers and the

__http://www.port389.org/docs/389ds/design/nss-cipher-design.html#available-by-setting-all----nss-3162-1_

-rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,
+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,
+tls_rsa_aes_128_gcm_sha,+tls_dhe_rsa_aes_128_gcm_sha,+tls_dhe_dss_aes_128_gcm_sha

+all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4

Rob Crittenden

2016-04-29 20:35:53 UTC

Post by Sean Hogan
Apparently making it the master ca will not work at this point since the
replica is removed. So still stuck with non-changing ciphers.

Other services running on the box have zero impact on the ciphers available.

I'm not sure what is wrong because it took me just a minute to stop
dirsrv, modify dse.ldif with the list I provided, restart it and confirm
that the cipher list was better.

Entries in cn=config are not replicated.

rob

Post by Sean Hogan
Sean Hogan
Inactive hide details for Sean Hogan---04/29/2016 08:56:57 AM---Hi Rob,
I stopped IPA, modified dse.ldif, restarted with the Sean
Hogan---04/29/2016 08:56:57 AM---Hi Rob, I stopped IPA, modified
dse.ldif, restarted with the cipher list and it started without is
From: Sean Hogan/Durham/IBM
Date: 04/29/2016 08:56 AM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL
------------------------------------------------------------------------
Hi Rob,
I stopped IPA, modified dse.ldif, restarted with the cipher list and it
started without issue however Same 13 ciphers. You know.. thinking about
this now.. I going to try something. The box I am testing on it a
replica master and not the first replica. I did not think this would
make a difference since I removed the replica from the realm before
testing but maybe it will not change anything thinking its stuck in the
old realm?
Starting Nmap 5.51 ( http://nmap.org <http://nmap.org/> ) at 2016-04-29
11:51 EDT
Nmap scan report for
Host is up (0.000082s latency).
PORT STATE SERVICE
636/tcp open ldapssl
| TLSv1.2
| Ciphers (13)
| SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
| SSL_RSA_FIPS_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA256
| TLS_RSA_WITH_AES_128_GCM_SHA256
| TLS_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_AES_256_CBC_SHA256
| TLS_RSA_WITH_DES_CBC_SHA
| TLS_RSA_WITH_RC4_128_MD5
| TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20150420131850Z
modifyTimestamp: 20150420131906Z
-rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5
,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_
sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_r
c4_56_sha,-tls_rsa_export1024_with_des_cbc_sha
numSubordinates: 1
Sean Hogan
Security Engineer
Watson Security & Risk Assurance
Watson Cloud Technology and Support
Inactive hide details for Rob Crittenden ---04/29/2016 08:30:29
AM---Sean Hogan wrote: > Hi Noriko,Rob Crittenden ---04/29/2016 08:30:29
AM---Sean Hogan wrote: > Hi Noriko,
Date: 04/29/2016 08:30 AM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL
------------------------------------------------------------------------

Post by Sean Hogan
Hi Noriko,
Thanks for the suggestions,
I had to trim out the GCM ciphers in order to get IPA to start back up
or I would get the unknown cipher message

The trick is getting the cipher name right (it doesn't always follow a
pattern) and explicitly disabling some ciphers as they are enabled by
default.
-rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha
389-ds-base-1.2.11.15-68.el6_7.x86_64
Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-29 11:24 EDT
Nmap scan report for pacer.example.com (192.168.126.2)
Host is up (0.00053s latency).
PORT STATE SERVICE
636/tcp open ldapssl
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| NULL
| cipher preference: server
|_ least strength: C
Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds
$ sslscan pacer.example.com:636 |grep Accept
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 112 bits DES-CBC3-SHA
Accepted TLS11 256 bits AES256-SHA
Accepted TLS11 128 bits AES128-SHA
Accepted TLS11 112 bits DES-CBC3-SHA
Accepted TLS12 256 bits AES256-SHA256
Accepted TLS12 256 bits AES256-SHA
Accepted TLS12 128 bits AES128-GCM-SHA256
Accepted TLS12 128 bits AES128-SHA256
Accepted TLS12 128 bits AES128-SHA
Accepted TLS12 112 bits DES-CBC3-SHA
rob

rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,+tls_rsa_aes_128_sha
,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_

Post by Sean Hogan
aes_256_sha,+rsa_aes_256_sha
numSubordinates: 1
nss.conf
# SSL 3 ciphers. SSL 2 is disabled by default.
NSSCipherSuite

Post by Ludwig Krispenz
If I remember correctly we did the change in default ciphers and the

__http://www.port389.org/docs/389ds/design/nss-cipher-design.html#available-by-setting-all----nss-3162-1_

-rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,
+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,
+tls_rsa_aes_128_gcm_sha,+tls_dhe_rsa_aes_128_gcm_sha,+tls_dhe_dss_aes_128_gcm_sha

+all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4

am not

Post by Sean Hogan
offering
-tls_rsa_export1024_with_rc4_56_sha? If
so.. not really understanding
where it is coming from cept the +all
from DS but the - should be negating

that?

Post by Sean Hogan
Starting Nmap 5.51 ( _http://nmap.org_
<http://nmap.org/>_<http://nmap.org/>_
<http://nmap.org/>) at 2016-04-27

17:37 EDT

Post by Sean Hogan
Nmap scan report for
Host is up (0.000086s latency).
PORT STATE SERVICE
636/tcp open ldapssl
| TLSv1.2
| Ciphers (13)
| SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
| SSL_RSA_FIPS_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA256
| TLS_RSA_WITH_AES_128_GCM_SHA256
| TLS_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_AES_256_CBC_SHA256
| TLS_RSA_WITH_DES_CBC_SHA
| TLS_RSA_WITH_RC4_128_MD5
| TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)
|_ uncompressed
Nmap done: 1 IP address (1 host up)
scanned in 0.32 seconds
It seems no matter what config I put
into nss.conf or dse.ldif nothing changes
with my nmap results. Is there supposed
to be a be a section to add TLS ciphers
instead of SSL Not sure now, CCing

Ludwig who was involved in

Post by Sean Hogan
the original RHEL-6
implementation. If I remember correctly we

did the change in default

Post by Sean Hogan
ciphers and the option for handling in 389-ds > 1.3.3,
so it would not be in RHEL6, adding Noriko to get
confirmation.
but the below comments about changing ciphers in
dse.ldif could help in using the "old" way to set ciphers
Just to be sure, when you are modifying
dse.ldif, the procedure
1) Stop Directory Server service
2) Modify dse.ldif
3) Start Directory Server service
Otherwise it won't get applied and will get
overwritten later.
In any case, the ciphers with RHEL-6 should be
secure enough, the ones in
FreeIPA 4.3.1 should be even better. This is for
example an nmap taken on
$ nmap --script ssl-enum-ciphers -p 636
ipa.demo1.freeipa.org
Starting Nmap 7.12 ( _https://nmap.org_
<https://nmap.org/>) at 2016-04-28 12:02 CEST
Nmap scan report for ipa.demo1.freeipa.org
(209.132.178.99)
Host is up (0.18s latency).
PORT STATE SERVICE
636/tcp open ldapssl
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
(secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
(secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
(secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
(secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh
2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh
2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh
2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh
2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh
2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa
2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa

2048) - A

Post by Sean Hogan
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa
2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa

2048) - A

Post by Sean Hogan
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa
2048) - A
| NULL
| cipher preference: server
|_ least strength: A
Nmap done: 1 IP address (1 host up) scanned in
21.12 seconds
Martin
--
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Sean Hogan

2016-04-29 20:49:12 UTC