We are running FreeIPA 3.0.0 on CentOS 6 (directly from the OS repository). I am having trouble disabling SSL3 and RC4 ciphers on port 9443 (pki-cad)
ipa-server-3.0.0 tomcat6-6.0.24
I've been modifying /etc/pki-ca/server.xml with little success. What am I missing? I've been banging my head on this for the past week.
<Connector name="Agent" port="9443" protocol="HTTP/1.1" SSLEnabled="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" scheme="https" secure="true" maxHttpHeaderSize="8192" acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true"
SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" enableOCSP="false" ocspResponderURL="http://ipa001.local:9080/ca/ocsp" ocspResponderCertNickname="ocspSigningCert cert-pki-ca" ocspCacheSize="1000" ocspMinCacheEntryDuration="60" ocspMaxCacheEntryDuration="120" ocspTimeout="10" clientAuth="true" sslOptions="ssl2=false,ssl3=false,tls=true"
tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,-SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,-SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,-SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-EDH-RSA-DES-CBC3-SHA,-DES-CBC3-SHA" sslVersionRangeStream="tls1_1:tls1_2" sslVersionRangeDatagram="tls1_1:tls1_2"
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"
serverCertNickFile="/var/lib/pki-ca/conf/serverCertNick.conf" passwordFile="/var/lib/pki-ca/conf/password.conf"
passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" certdbDir="/var/lib/pki-ca/alias" />
On 1/13/20 8:38 PM, Terry Soucy via FreeIPA-users wrote:
We are running FreeIPA 3.0.0 on CentOS 6 (directly from the OS repository). I am having trouble disabling SSL3 and RC4 ciphers on port 9443 (pki-cad)
ipa-server-3.0.0 tomcat6-6.0.24
I've been modifying /etc/pki-ca/server.xml with little success. What am I missing? I've been banging my head on this for the past week.
<Connector name="Agent" port="9443" protocol="HTTP/1.1" SSLEnabled="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
I believe the correct parameter name is sslProtocols="...", not sslEnabledProtocols, in this version of tomcat. flo
scheme="https" secure="true" maxHttpHeaderSize="8192" acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true"
SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" enableOCSP="false" ocspResponderURL="http://ipa001.local:9080/ca/ocsp" ocspResponderCertNickname="ocspSigningCert cert-pki-ca" ocspCacheSize="1000" ocspMinCacheEntryDuration="60" ocspMaxCacheEntryDuration="120" ocspTimeout="10" clientAuth="true" sslOptions="ssl2=false,ssl3=false,tls=true"
tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,-SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,-SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,-SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-EDH-RSA-DES-CBC3-SHA,-DES-CBC3-SHA" sslVersionRangeStream="tls1_1:tls1_2" sslVersionRangeDatagram="tls1_1:tls1_2"
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"
serverCertNickFile="/var/lib/pki-ca/conf/serverCertNick.conf" passwordFile="/var/lib/pki-ca/conf/password.conf"
passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" certdbDir="/var/lib/pki-ca/alias" />
-- Terry Soucy Systems Engineering Lead | Salesforce Mobile: +1.506.609.3247
http://smart.salesforce.com/sig/tsoucy//ca_mb/default/link.html
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
On Tue, Jan 14, 2020 at 4:16 AM Florence Blanc-Renaud via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
On 1/13/20 8:38 PM, Terry Soucy via FreeIPA-users wrote:
We are running FreeIPA 3.0.0 on CentOS 6 (directly from the OS repository). I am having trouble disabling SSL3 and RC4 ciphers on port 9443 (pki-cad)
ipa-server-3.0.0 tomcat6-6.0.24
I've been modifying /etc/pki-ca/server.xml with little success. What am I missing? I've been banging my head on this for the past week.
<Connector name="Agent" port="9443" protocol="HTTP/1.1"
SSLEnabled="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
I believe the correct parameter name is sslProtocols="...", not sslEnabledProtocols, in this version of tomcat. flo
If we take a look at the latest (https://tomcat.apache.org/tomcat-9.0-doc/config/http.html) docs, it says sslEnabledProtocols is an alias to the protocols entry in SSLHostConfig (https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLH...), which specifically lists
SSLv2Hello SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 all
as valid entries. I will agree that the explanation of sslProtocol is kinda confusing because it kinda implies it is "the protocol(s) to use," with TLS as the default. Maybe the subtle difference is that sslEnabledProtocols is the list of "protocols to support when *communicating with clients*" the latter part is what differentiates it. In any case, in my ancient notes I seem to explicitly define both (was the order in sslEnabledProtocols important?):
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" keystoreFile="/usr/share/tomcat/keystore" keystorePass="password1" keyAlias="tomcat" clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" />
scheme="https" secure="true" maxHttpHeaderSize="8192" acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true"
SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" enableOCSP="false" ocspResponderURL="http://ipa001.local:9080/ca/ocsp" ocspResponderCertNickname="ocspSigningCert cert-pki-ca" ocspCacheSize="1000" ocspMinCacheEntryDuration="60" ocspMaxCacheEntryDuration="120" ocspTimeout="10" clientAuth="true" sslOptions="ssl2=false,ssl3=false,tls=true"
tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,-SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,-SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,-SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-EDH-RSA-DES-CBC3-SHA,-DES-CBC3-SHA" sslVersionRangeStream="tls1_1:tls1_2" sslVersionRangeDatagram="tls1_1:tls1_2"
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"
serverCertNickFile="/var/lib/pki-ca/conf/serverCertNick.conf" passwordFile="/var/lib/pki-ca/conf/password.conf"
passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" certdbDir="/var/lib/pki-ca/alias" />
-- Terry Soucy Systems Engineering Lead | Salesforce Mobile: +1.506.609.3247
http://smart.salesforce.com/sig/tsoucy//ca_mb/default/link.html
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
On 1/14/20 11:58 AM, Mauricio Tavares via FreeIPA-users wrote:
On Tue, Jan 14, 2020 at 4:16 AM Florence Blanc-Renaud via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
On 1/13/20 8:38 PM, Terry Soucy via FreeIPA-users wrote:
We are running FreeIPA 3.0.0 on CentOS 6 (directly from the OS repository). I am having trouble disabling SSL3 and RC4 ciphers on port 9443 (pki-cad)
ipa-server-3.0.0 tomcat6-6.0.24
I've been modifying /etc/pki-ca/server.xml with little success. What am I missing? I've been banging my head on this for the past week.
<Connector name="Agent" port="9443" protocol="HTTP/1.1"
SSLEnabled="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
I believe the correct parameter name is sslProtocols="...", not sslEnabledProtocols, in this version of tomcat. flo
If we take a look at the latest
(https://tomcat.apache.org/tomcat-9.0-doc/config/http.html) docs, it says sslEnabledProtocols is an alias to the protocols entry in SSLHostConfig (https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLH...),
Hi, Terry stated that he is using ipa-server-3.0.0 with tomcat6-6.0.24. https://access.redhat.com/solutions/1232233 mentions that for this version the value sslProtocols = "TLSv1,TLSv1.1,TLSv1.2" should be used. For Tomcat 6 (6.0.38 and later) and 7, sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" can be used.
flo
which specifically lists
SSLv2Hello SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 all
as valid entries. I will agree that the explanation of sslProtocol is kinda confusing because it kinda implies it is "the protocol(s) to use," with TLS as the default. Maybe the subtle difference is that sslEnabledProtocols is the list of "protocols to support when *communicating with clients*" the latter part is what differentiates it. In any case, in my ancient notes I seem to explicitly define both (was the order in sslEnabledProtocols important?):
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" keystoreFile="/usr/share/tomcat/keystore" keystorePass="password1" keyAlias="tomcat" clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" />
scheme="https" secure="true" maxHttpHeaderSize="8192" acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true"
SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" enableOCSP="false" ocspResponderURL="http://ipa001.local:9080/ca/ocsp" ocspResponderCertNickname="ocspSigningCert cert-pki-ca" ocspCacheSize="1000" ocspMinCacheEntryDuration="60" ocspMaxCacheEntryDuration="120" ocspTimeout="10" clientAuth="true" sslOptions="ssl2=false,ssl3=false,tls=true"
tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,-SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,-SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,-SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-EDH-RSA-DES-CBC3-SHA,-DES-CBC3-SHA" sslVersionRangeStream="tls1_1:tls1_2" sslVersionRangeDatagram="tls1_1:tls1_2"
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"
serverCertNickFile="/var/lib/pki-ca/conf/serverCertNick.conf" passwordFile="/var/lib/pki-ca/conf/password.conf"
passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" certdbDir="/var/lib/pki-ca/alias" />
-- Terry Soucy Systems Engineering Lead | Salesforce Mobile: +1.506.609.3247
http://smart.salesforce.com/sig/tsoucy//ca_mb/default/link.html
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
I've tried both parameters
.. sslProtocols = "TLSv1.2,TLSv1.1,TLSv1" .. sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
and I receive the same results. I'm able to connect with openssl s_client connect ipa001.local:9443 -ssl3. I've even specifically disabled the cipher that is negotiated in the connection, but it doesn't appear that what I'm trying works.
ssl3Ciphers="-DHE-RSA-AES256-SHA"
# openssl s_client -connect en3021s.dev.ca1.sfmc.co:9443 -ssl3 ... Server Temp Key: DH, 2048 bits --- SSL handshake has read 2763 bytes and written 349 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : SSLv3 Cipher : DHE-RSA-AES256-SHA ...
I've even tried setting JAVA_HOME in /etc/pki-cad/tomcat6.conf to my openjdk7 install, thinking that maybe it was a java thing, but the same issue arises. I'm out of ideas, other than to try to upgrade to a newer version of freeipa server, and subsequently tomcat, which is a task I'm not looking forward to.
Terry
On Tue, Jan 14, 2020 at 7:20 AM Florence Blanc-Renaud via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
On 1/14/20 11:58 AM, Mauricio Tavares via FreeIPA-users wrote:
On Tue, Jan 14, 2020 at 4:16 AM Florence Blanc-Renaud via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
On 1/13/20 8:38 PM, Terry Soucy via FreeIPA-users wrote:
We are running FreeIPA 3.0.0 on CentOS 6 (directly from the OS repository). I am having trouble disabling SSL3 and RC4 ciphers on port 9443 (pki-cad)
ipa-server-3.0.0 tomcat6-6.0.24
I've been modifying /etc/pki-ca/server.xml with little success. What am I missing? I've been banging my head on this for the past week.
<Connector name="Agent" port="9443" protocol="HTTP/1.1"
SSLEnabled="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
I believe the correct parameter name is sslProtocols="...", not sslEnabledProtocols, in this version of tomcat. flo
If we take a look at the latest
(https://tomcat.apache.org/tomcat-9.0-doc/config/http.html) docs, it says sslEnabledProtocols is an alias to the protocols entry in SSLHostConfig (
https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLH... ), Hi, Terry stated that he is using ipa-server-3.0.0 with tomcat6-6.0.24. https://access.redhat.com/solutions/1232233 mentions that for this version the value sslProtocols = "TLSv1,TLSv1.1,TLSv1.2" should be used. For Tomcat 6 (6.0.38 and later) and 7, sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" can be used.
flo
which specifically lists
SSLv2Hello SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 all
as valid entries. I will agree that the explanation of sslProtocol is kinda confusing because it kinda implies it is "the protocol(s) to use," with TLS as the default. Maybe the subtle difference is that sslEnabledProtocols is the list of "protocols to support when *communicating with clients*" the latter part is what differentiates it. In any case, in my ancient notes I seem to explicitly define both (was the order in sslEnabledProtocols important?):
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" keystoreFile="/usr/share/tomcat/keystore" keystorePass="password1" keyAlias="tomcat" clientAuth="false" sslProtocol="TLS"
sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
/>
scheme="https" secure="true" maxHttpHeaderSize="8192" acceptCount="100" maxThreads="150"
minSpareThreads="25"
maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true"
SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" enableOCSP="false" ocspResponderURL="http://ipa001.local:9080/ca/ocsp" ocspResponderCertNickname="ocspSigningCert
cert-pki-ca"
ocspCacheSize="1000" ocspMinCacheEntryDuration="60" ocspMaxCacheEntryDuration="120" ocspTimeout="10" clientAuth="true" sslOptions="ssl2=false,ssl3=false,tls=true"
tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,-SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,-SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,-SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-EDH-RSA-DES-CBC3-SHA,-DES-CBC3-SHA"
sslVersionRangeStream="tls1_1:tls1_2" sslVersionRangeDatagram="tls1_1:tls1_2"
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"
serverCertNickFile="/var/lib/pki-ca/conf/serverCertNick.conf" passwordFile="/var/lib/pki-ca/conf/password.conf"
passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" certdbDir="/var/lib/pki-ca/alias" />
-- Terry Soucy Systems Engineering Lead | Salesforce Mobile: +1.506.609.3247
http://smart.salesforce.com/sig/tsoucy//ca_mb/default/link.html
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to
freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to
freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to
freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
On 1/14/20 12:54 PM, Terry Soucy via FreeIPA-users wrote:
I've tried both parameters
.. sslProtocols = "TLSv1.2,TLSv1.1,TLSv1" .. sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
and I receive the same results. I'm able to connect with openssl s_client connect ipa001.local:9443 -ssl3. I've even specifically disabled the cipher that is negotiated in the connection, but it doesn't appear that what I'm trying works.
In my conf I also have strictCiphers="true" and it seems to make a difference. See https://www.dogtagpki.org/wiki/Tomcat_JSS_7.3_Configuration which says: -----8<----- strictCiphers: This parameter determines whether to disable the NSS default ciphers. If it's set to true, the NSS default ciphers will be disabled, and only the ciphers specified in sslRangeCiphers will be enabled. If it's set to false, the NSS default ciphers will remain enabled in addition to the ciphers specified in sslRangeCiphers. By default it's false. ----->8-----
Don't forget to restart pki after you edit server.xml flo
ssl3Ciphers="-DHE-RSA-AES256-SHA"
# openssl s_client -connect en3021s.dev.ca1.sfmc.co:9443 http://en3021s.dev.ca1.sfmc.co:9443 -ssl3 ... Server Temp Key: DH, 2048 bits
SSL handshake has read 2763 bytes and written 349 bytes
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : SSLv3 Cipher : DHE-RSA-AES256-SHA ...
I've even tried setting JAVA_HOME in /etc/pki-cad/tomcat6.conf to my openjdk7 install, thinking that maybe it was a java thing, but the same issue arises. I'm out of ideas, other than to try to upgrade to a newer version of freeipa server, and subsequently tomcat, which is a task I'm not looking forward to.
Terry
On Tue, Jan 14, 2020 at 7:20 AM Florence Blanc-Renaud via FreeIPA-users <freeipa-users@lists.fedorahosted.org mailto:freeipa-users@lists.fedorahosted.org> wrote:
On 1/14/20 11:58 AM, Mauricio Tavares via FreeIPA-users wrote: > On Tue, Jan 14, 2020 at 4:16 AM Florence Blanc-Renaud via > FreeIPA-users <freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>> wrote: >> >> On 1/13/20 8:38 PM, Terry Soucy via FreeIPA-users wrote: >>> We are running FreeIPA 3.0.0 on CentOS 6 (directly from the OS >>> repository). I am having trouble disabling SSL3 and RC4 ciphers on port >>> 9443 (pki-cad) >>> >>> ipa-server-3.0.0 >>> tomcat6-6.0.24 >>> >>> I've been modifying /etc/pki-ca/server.xml with little success. What am >>> I missing? I've been banging my head on this for the past week. >>> >>> <Connector name="Agent" port="9443" protocol="HTTP/1.1" >>> SSLEnabled="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" >> >> I believe the correct parameter name is sslProtocols="...", not >> sslEnabledProtocols, in this version of tomcat. >> flo >> > > If we take a look at the latest > (https://tomcat.apache.org/tomcat-9.0-doc/config/http.html) docs, it > says sslEnabledProtocols is an alias to the protocols entry in > SSLHostConfig (https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLHostConfig), Hi, Terry stated that he is using ipa-server-3.0.0 with tomcat6-6.0.24. https://access.redhat.com/solutions/1232233 mentions that for this version the value sslProtocols = "TLSv1,TLSv1.1,TLSv1.2" should be used. For Tomcat 6 (6.0.38 and later) and 7, sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" can be used. flo > which specifically lists > > SSLv2Hello > SSLv3 > TLSv1 > TLSv1.1 > TLSv1.2 > TLSv1.3 > all > > as valid entries. I will agree that the explanation of sslProtocol is > kinda confusing because it kinda implies it is "the protocol(s) to > use," with TLS as the default. Maybe the subtle difference is that > sslEnabledProtocols is the list of "protocols to support when > *communicating with clients*" the latter part is what differentiates > it. In any case, in my ancient notes I seem to explicitly define both > (was the order in sslEnabledProtocols important?): > > <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" > maxThreads="150" scheme="https" secure="true" > keystoreFile="/usr/share/tomcat/keystore" > keystorePass="password1" keyAlias="tomcat" > clientAuth="false" > sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" > /> > > >>> scheme="https" secure="true" >>> maxHttpHeaderSize="8192" >>> acceptCount="100" maxThreads="150" minSpareThreads="25" >>> maxSpareThreads="75" >>> enableLookups="false" disableUploadTimeout="true" >>> >>> SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" >>> enableOCSP="false" >>> ocspResponderURL="http://ipa001.local:9080/ca/ocsp" >>> ocspResponderCertNickname="ocspSigningCert cert-pki-ca" >>> ocspCacheSize="1000" >>> ocspMinCacheEntryDuration="60" >>> ocspMaxCacheEntryDuration="120" >>> ocspTimeout="10" >>> clientAuth="true" >>> sslOptions="ssl2=false,ssl3=false,tls=true" >>> >>> tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,-SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,-SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,-SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-EDH-RSA-DES-CBC3-SHA,-DES-CBC3-SHA" >>> sslVersionRangeStream="tls1_1:tls1_2" >>> sslVersionRangeDatagram="tls1_1:tls1_2" >>> >>> sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" >>> >>> >>> serverCertNickFile="/var/lib/pki-ca/conf/serverCertNick.conf" >>> passwordFile="/var/lib/pki-ca/conf/password.conf" >>> >>> passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" >>> certdbDir="/var/lib/pki-ca/alias" >>> /> >>> >>> -- >>> Terry Soucy >>> Systems Engineering Lead | Salesforce >>> Mobile: +1.506.609.3247 >>> >>> >>> <http://smart.salesforce.com/sig/tsoucy//ca_mb/default/link.html> >>> >>> _______________________________________________ >>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> >>> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> >>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org >>> >> >> _______________________________________________ >> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> >> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> >> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> > To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org > _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
-- Terry Soucy Systems Engineering Lead | Salesforce Mobile: +1.506.609.3247
http://smart.salesforce.com/sig/tsoucy//ca_mb/default/link.html
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
I was only able to read the Subject line and nothing further so take with grain of salt
Here is the procedure I made a while ago for differ finding but the only change in it would be the ciphers I imagine. The following files control the ciphers in use
DirSrv /etc/dirsrv/slapd-REALM-LOCAL/dse.ldif
PKISrv /etc/dirsrv/slapd-PKI-IPA/dse.ldif
42873 SSL Medium Strength Cipher Suites Supported Port 389/636
Mitigation:
1. Log onto IPA server. Using nmap command below to see the list of ciphers being used. Bold print shows the medium ciphers that need to be removed.
2. [bobsyouruncle@IPASERVER ~]# nmap --script ssl-enum-ciphers -p 636 `hostname`
Starting Nmap 5.51 ( http://nmap.org ) at 2017-01-30 16:08 EST
Nmap scan report for (10.x.x.x
Host is up (0.00014s latency).
PORT STATE SERVICE
636/tcp open ldapssl
| ssl-enum-ciphers:
| TLSv1.2
| Ciphers (17)
| SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
| TLS_DHE_RSA_WITH_DES_CBC_SHA
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA256
| TLS_RSA_WITH_AES_128_GCM_SHA256
| TLS_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_AES_256_CBC_SHA256
| Compressors (1)
|_ uncompressed
3. Stop the ipa server with Ipactl stop
4. The following files control the ciphers in use
DirSrv /etc/dirsrv/slapd-REALM-LOCAL/dse.ldif
PKISrv /etc/dirsrv/slapd-PKI-IPA/dse.ldif
Make copies of the files before modifying with
cp /etc/dirsrv/slapd-PKI-IPA/dse.ldif /etc/dirsrv/slapd-PKI-IPA/dse.ldif.$ (date '+%F')
cp /etc/dirsrv/slapd-WATSON-LOCAL/dse.ldif /etc/dirsrv/slapd-REALM-LOCAL/dse.ldif $(date '+%F')
5. vim /etc/dirsrv/slapd-REALM-LOCAL/dse.ldif
and ensure it reads the below where you change a few + to – and add , -dhe_rsa_3des_sha. The listings required to be modified are in bold. The correct config is shown below:
nsSSL3Ciphers: -rsa_null_md5,-rsa_rc4_128_md5,-rsa_rc4_40_md5,-rsa_rc2_40_md5,
-rsa_des_sha,-rsa_fips_des_sha,-rsa_3des_sha,-rsa_fips_3des_sha ,-fortezza,-fo
rtezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_rc4_56_sha,-tls_rs
a_export1024_with_des_cbc_sha,-rsa_rc4_128_sha, -dhe_rsa_3des_sha.-dhe_rsa_des_sha
6. vim /etc/dirsrv/slapd-PKI-IPA/dse.ldif
and ensure it reads the below where you change a few + to -. The listings required to change are modified in bold. The correct config is shown.
nsSSL3Ciphers: -rsa_3des_sha,-rsa_fips_3des_sha,-rsa_rc4_128_sha
7. Restart IPA ipactl start and play close attention to the start-up ensuring no errors.
8. Run Nmap again and ensure listing is no longer showing triple des ciphers. nmap --script ssl-enum-ciphers -p 636 `hostname`
Starting Nmap 5.51 ( http://nmap.org ) at 2017-01-30 16:40 EST
Nmap scan report for(10.x.x.x.
Host is up (0.000030s latency).
PORT STATE SERVICE
636/tcp open ldapssl
| ssl-enum-ciphers:
| TLSv1.2
| Ciphers (14)
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
| TLS_DHE_RSA_WITH_DES_CBC_SHA
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA256
| TLS_RSA_WITH_AES_128_GCM_SHA256
| TLS_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_AES_256_CBC_SHA256
| Compressors (1)
|_ uncompressed
9. You now have 13 of the original 17 ciphers being used and no more triple DES
10. 389 Dirsrv cipher listings can be found here: http://www.port389.org/docs/389ds/design/nss-cipher-design.html
Sean Hogan
From: Florence Blanc-Renaud via FreeIPA-users freeipa-users@lists.fedorahosted.org To: FreeIPA users list freeipa-users@lists.fedorahosted.org Cc: Terry Soucy tsoucy@salesforce.com, Mauricio Tavares raubvogel@gmail.com, Florence Blanc-Renaud flo@redhat.com Date: 01/14/2020 09:13 AM Subject: [EXTERNAL] [Freeipa-users] Re: Disable SSLv3 and RC4 ciphers on ipa-server 3.0.0
On 1/14/20 12:54 PM, Terry Soucy via FreeIPA-users wrote:
I've tried both parameters
.. sslProtocols = "TLSv1.2,TLSv1.1,TLSv1" .. sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
and I receive the same results. I'm able to connect with openssl s_client connect ipa001.local:9443 -ssl3. I've even specifically disabled the cipher that is negotiated in the connection, but it doesn't appear that what I'm trying works.
In my conf I also have strictCiphers="true" and it seems to make a difference. See https://urldefense.proofpoint.com/v2/url?u=https-3A__www.dogtagpki.org_wiki_... which says: -----8<----- strictCiphers: This parameter determines whether to disable the NSS default ciphers. If it's set to true, the NSS default ciphers will be disabled, and only the ciphers specified in sslRangeCiphers will be enabled. If it's set to false, the NSS default ciphers will remain enabled in addition to the ciphers specified in sslRangeCiphers. By default it's false. ----->8-----
Don't forget to restart pki after you edit server.xml flo
ssl3Ciphers="-DHE-RSA-AES256-SHA"
# openssl s_client -connect en3021s.dev.ca1.sfmc.co:9443 <
https://urldefense.proofpoint.com/v2/url?u=http-3A__en3021s.dev.ca1.sfmc.co-...
-ssl3 ... Server Temp Key: DH, 2048 bits
SSL handshake has read 2763 bytes and written 349 bytes
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : SSLv3 Cipher : DHE-RSA-AES256-SHA ...
I've even tried setting JAVA_HOME in /etc/pki-cad/tomcat6.conf to my openjdk7 install, thinking that maybe it was a java thing, but the same issue arises. I'm out of ideas, other than to try to upgrade to a newer version of freeipa server, and subsequently tomcat, which is a task I'm not looking forward to.
Terry
On Tue, Jan 14, 2020 at 7:20 AM Florence Blanc-Renaud via FreeIPA-users <freeipa-users@lists.fedorahosted.org mailto:freeipa-users@lists.fedorahosted.org> wrote:
On 1/14/20 11:58 AM, Mauricio Tavares via FreeIPA-users wrote: > On Tue, Jan 14, 2020 at 4:16 AM Florence Blanc-Renaud via > FreeIPA-users <freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>> wrote: >> >> On 1/13/20 8:38 PM, Terry Soucy via FreeIPA-users wrote: >>> We are running FreeIPA 3.0.0 on CentOS 6 (directly from the OS >>> repository). I am having trouble disabling SSL3 and RC4 ciphers on port >>> 9443 (pki-cad) >>> >>> ipa-server-3.0.0 >>> tomcat6-6.0.24 >>> >>> I've been modifying /etc/pki-ca/server.xml with little success. What am >>> I missing? I've been banging my head on this for the past week. >>> >>> <Connector name="Agent" port="9443" protocol="HTTP/1.1" >>> SSLEnabled="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" >> >> I believe the correct parameter name is sslProtocols="...", not >> sslEnabledProtocols, in this version of tomcat. >> flo >> > > If we take a look at the latest > (
https://urldefense.proofpoint.com/v2/url?u=https-3A__tomcat.apache.org_tomca... ) docs, it
> says sslEnabledProtocols is an alias to the protocols entry in > SSLHostConfig (
https://urldefense.proofpoint.com/v2/url?u=https-3A__tomcat.apache.org_tomca... ),
Hi, Terry stated that he is using ipa-server-3.0.0 with tomcat6-6.0.24.
https://urldefense.proofpoint.com/v2/url?u=https-3A__access.redhat.com_solut... mentions that for this
version the value sslProtocols = "TLSv1,TLSv1.1,TLSv1.2" should be used. For Tomcat 6 (6.0.38 and later) and 7, sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" can be used. flo > which specifically lists > > SSLv2Hello > SSLv3 > TLSv1 > TLSv1.1 > TLSv1.2 > TLSv1.3 > all > > as valid entries. I will agree that the explanation of sslProtocol
is
> kinda confusing because it kinda implies it is "the protocol(s) to > use," with TLS as the default. Maybe the subtle difference is that > sslEnabledProtocols is the list of "protocols to support when > *communicating with clients*" the latter part is what
differentiates
> it. In any case, in my ancient notes I seem to explicitly define
both
> (was the order in sslEnabledProtocols important?): > > <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" > maxThreads="150" scheme="https" secure="true" > keystoreFile="/usr/share/tomcat/keystore" > keystorePass="password1" keyAlias="tomcat" > clientAuth="false" > sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" > /> > > >>> scheme="https" secure="true" >>> maxHttpHeaderSize="8192" >>> acceptCount="100" maxThreads="150" minSpareThreads="25" >>> maxSpareThreads="75" >>> enableLookups="false"
disableUploadTimeout="true"
>>> >>> SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" >>> enableOCSP="false" >>> ocspResponderURL="
https://urldefense.proofpoint.com/v2/url?u=http-3A__ipa001.local-3A9080_ca_o... "
>>> ocspResponderCertNickname="ocspSigningCert cert-pki-ca" >>> ocspCacheSize="1000" >>> ocspMinCacheEntryDuration="60" >>> ocspMaxCacheEntryDuration="120" >>> ocspTimeout="10" >>> clientAuth="true" >>> sslOptions="ssl2=false,ssl3=false,tls=true" >>> >>>
tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,-SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,-SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,-SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-EDH-RSA-DES-CBC3-SHA,-DES-CBC3-SHA"
>>> sslVersionRangeStream="tls1_1:tls1_2" >>> sslVersionRangeDatagram="tls1_1:tls1_2" >>> >>>
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"
>>> >>> >>> serverCertNickFile="/var/lib/pki-ca/conf/serverCertNick.conf" >>>
passwordFile="/var/lib/pki-ca/conf/password.conf"
>>> >>>
passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
>>> certdbDir="/var/lib/pki-ca/alias" >>> /> >>> >>> -- >>> Terry Soucy >>> Systems Engineering Lead | Salesforce >>> Mobile: +1.506.609.3247 >>> >>> >>> <http://smart.salesforce.com/sig/tsoucy//ca_mb/default/link.html >>> >>> _______________________________________________ >>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> >>> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> >>> Fedora Code of Conduct:
https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.fedoraproject.org_...
>>> List Guidelines:
https://urldefense.proofpoint.com/v2/url?u=https-3A__fedoraproject.org_wiki_...
>>> List Archives:
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.fedorahosted.org_...
>>> >> >> _______________________________________________ >> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> >> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> >> Fedora Code of Conduct:
https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.fedoraproject.org_...
>> List Guidelines:
https://urldefense.proofpoint.com/v2/url?u=https-3A__fedoraproject.org_wiki_...
>> List Archives:
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.fedorahosted.org_...
> _______________________________________________ > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> > To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> > Fedora Code of Conduct:
https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.fedoraproject.org_...
> List Guidelines:
https://urldefense.proofpoint.com/v2/url?u=https-3A__fedoraproject.org_wiki_...
> List Archives:
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.fedorahosted.org_...
> _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> Fedora Code of Conduct:
https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.fedoraproject.org_...
List Guidelines:
https://urldefense.proofpoint.com/v2/url?u=https-3A__fedoraproject.org_wiki_...
List Archives:
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.fedorahosted.org_...
-- Terry Soucy Systems Engineering Lead | Salesforce Mobile: +1.506.609.3247
http://smart.salesforce.com/sig/tsoucy//ca_mb/default/link.html
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to
freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct:
https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.fedoraproject.org_...
List Guidelines:
https://urldefense.proofpoint.com/v2/url?u=https-3A__fedoraproject.org_wiki_...
List Archives:
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.fedorahosted.org_...
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.fedoraproject.org_...
List Guidelines: https://urldefense.proofpoint.com/v2/url?u=https-3A__fedoraproject.org_wiki_...
List Archives: https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.fedorahosted.org_...
freeipa-users@lists.fedorahosted.org