On 6/16/20 6:07 PM, Chris Herdt via FreeIPA-users wrote:
> On Tue, Jun 16, 2020 at 12:58 PM Chris Herdt <cherdt(a)umn.edu> wrote:
>> I have an appliance that I want to use with our FreeIPA-provided
>> LDAP servers. The appliance only supports the following ciphers:
>> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
>> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
>> I tried changing the following in dse.ldif, based on
>> http://www.port389.org/docs/389ds/design/nss-cipher-design.html:
>>
>> nsSSL3Ciphers: +all

This should allow all the ciphers that NSS supports. Keep in mind
you do need to restart the server after changing nsSSL3Ciphers.

Run this ldapsearch:

# ldapsearch -D "cn=directory manager" -W -xLLL -b cn=encryption,cn=config nsSSLEnabledCiphers nsSSLSupportedCiphers

This will show what is available to the server, and what is enabled.
Do you see your ciphers in the available list and/or enabled list?

So you can try to do:

nsSSL3Ciphers: +all,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

Restart the server, check that ldapsearch command to see if these
ciphers are now enabled.

HTH,
Mark

>> However, this enabled only the following 7 ciphers (based on the
>> output of nmap --script ssl-enum-ciphers -p 636 freeipa-01.example.com):
>>
>> TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
>> TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
>> TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
>> TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
>> TLS_RSA_WITH_SEED_CBC_SHA
>>
>> Here's the content of the dn: cn=encryption,cn=config section:
>>
>> dn: cn=encryption,cn=config
>> CACertExtractFile: /etc/dirsrv/slapd-EXAMPLE-COM/CN3dUSERTrust20RSA20Certification20Authority2cO3dThe20USERTRUST20Network2cL3dJersey20City2cST3dNew20Jersey2cC3dUS.pem
>> allowWeakCipher: off
>> cn: encryption
>> createTimestamp: 20181108213233Z
>> creatorsName: cn=server,cn=plugins,cn=config
>> modifiersName: cn=server,cn=plugins,cn=config
>> modifyTimestamp: 20181108213359Z
>> nsSSL3Ciphers: +all
>> nsSSLClientAuth: allowed
>> nsSSLSessionTimeout: 0
>> objectClass: top
>> objectClass: nsEncryptionConfig
>> sslVersionMin: TLS1.2
>> numSubordinates: 1
>>
>> Any ideas why this change isn't enabling the additional ciphers?
>> Thanks!
>
> I should have mentioned, my FreeIPA servers are running ipa-server
> 4.6.6 on CentOS 7.8.
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
--
389 Directory Server Development Team
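As an added check (example code written for this thread, not part of 389 DS or the posts above), the following Python script parses the output of the ldapsearch Mark suggests and classifies each cipher the appliance needs as enabled, supported but disabled, or unsupported by the server. The LDIF below is a constructed sample; the `::`-separated detail fields after each cipher name are assumed and are ignored by the parser.

```python
# Ciphers the appliance requires (the four listed in the thread).
REQUIRED = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
]

# Constructed sample of what the suggested ldapsearch might print; not real server output.
# Trailing "::" fields are an assumption about the attribute format and are discarded.
SAMPLE_LDIF = """\
dn: cn=encryption,cn=config
nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384::AES::SHA384::256
nsSSLSupportedCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384::AES::SHA384::256
nsSSLSupportedCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
nsSSLEnabledCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384::AES::SHA384::256
nsSSLEnabledCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
"""


def parse_cipher_attrs(ldif):
    """Return {attribute: set of cipher names} for the two cipher attributes."""
    attrs = {"nsSSLSupportedCiphers": set(), "nsSSLEnabledCiphers": set()}
    unfolded = ldif.replace("\n ", "")  # join LDIF continuation lines (leading space)
    for line in unfolded.splitlines():
        name, sep, value = line.partition(": ")
        if sep and name in attrs:
            attrs[name].add(value.split("::")[0].strip())  # keep only the suite name
    return attrs


def check_required(required, attrs):
    """Classify each required suite as enabled, disabled (supported only) or unsupported."""
    report = {}
    for suite in required:
        if suite in attrs["nsSSLEnabledCiphers"]:
            report[suite] = "enabled"
        elif suite in attrs["nsSSLSupportedCiphers"]:
            report[suite] = "disabled"
        else:
            report[suite] = "unsupported"
    return report


def needs_ecdsa_cert(required):
    """True if any required suite authenticates with ECDSA (needs an ECDSA server key)."""
    return any("_ECDSA_" in suite for suite in required)


if __name__ == "__main__":
    for suite, state in check_required(REQUIRED, parse_cipher_attrs(SAMPLE_LDIF)).items():
        print(f"{state:<12} {suite}")
    if needs_ecdsa_cert(REQUIRED):
        print("note: ECDHE_ECDSA suites also require an ECDSA server certificate")
```

One caveat the ldapsearch cannot show: all four required suites authenticate with ECDSA, so a server whose certificate has an RSA key (as the nmap output, listing only RSA-authenticated suites, suggests) cannot negotiate them no matter what nsSSL3Ciphers is set to.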