Bug 1141333

Summary: Update SSL ciphers configured in 389-ds-base
Product: [Fedora] Fedora Reporter: Petr Viktorin (pviktori) <pviktori>
Component: freeipaAssignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 21CC: abokovoy, mkosek, pviktori, pvoborni, rcritten, ssorce
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: freeipa-4.0.3-1.fc21 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-09-27 09:56:52 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Petr Viktorin (pviktori) 2014-09-12 17:52:45 UTC 
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4395



FreeIPA still configure the same (SSL and other) ciphers as in the beginning. Nessus and similar crypto detection tools mark some of the ciphers as low secure.

Reports on port 389, 636

Reported low secure SSL ciphers (< 56-bit key):

TLSv1
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export 
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export 

Reported null SSL cyphers:

NULL-SHA Kx=RSA Au=RSA Enc=None Mac=SHA1 

Medium strength ciphers (>= 56-bit and < 112-bit key)

TLSv1
EXP1024-DES-CBC-SHA Kx=RSA(1024) Au=RSA Enc=DES-CBC(56) Mac=SHA1 export 
EXP1024-RC4-SHA Kx=RSA(1024) Au=RSA Enc=RC4(56) Mac=SHA1 export 
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1 

Reports on port 9443:

Medium strength ciphers (>= 56-bit and < 112-bit key)

SSLv3
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1 

TLSv1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1 

Additionally, there was a report that httpd has Track and Trace methods enabled. This could be disabled with TraceEnable directive.
Comment 1 Petr Viktorin (pviktori) 2014-09-15 07:43:55 UTC 
Fixed in upstream 4.0.3
Comment 2 Martin Kosek 2014-09-15 07:51:50 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4395
Comment 3 Fedora Update System 2014-09-15 13:25:54 UTC 
python-qrcode-5.0.1-1.fc21, freeipa-4.0.3-1.fc21, 389-ds-base-1.3.3.3-1.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/FEDORA-2014-10811/389-ds-base-1.3.3.3-1.fc21,python-qrcode-5.0.1-1.fc21,freeipa-4.0.3-1.fc21
Comment 4 Fedora Update System 2014-09-18 16:12:35 UTC 
Package freeipa-4.0.3-1.fc21, 389-ds-base-1.3.3.3-1.fc21, python-qrcode-5.0.1-2.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing freeipa-4.0.3-1.fc21 389-ds-base-1.3.3.3-1.fc21 python-qrcode-5.0.1-2.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-10811/389-ds-base-1.3.3.3-1.fc21,python-qrcode-5.0.1-2.fc21,freeipa-4.0.3-1.fc21
then log in and leave karma (feedback).
Comment 5 Fedora Update System 2014-09-27 09:56:52 UTC 
freeipa-4.0.3-1.fc21, 389-ds-base-1.3.3.3-1.fc21, python-qrcode-5.0.1-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.