Bug 1141333 - Update SSL ciphers configured in 389-ds-base
Summary: Update SSL ciphers configured in 389-ds-base
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: freeipa
Version: 21
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Rob Crittenden
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-09-12 17:52 UTC by Petr Viktorin (pviktori)
Modified: 2014-09-27 09:56 UTC (History)

Fixed In Version: freeipa-4.0.3-1.fc21
Clone Of:
Environment:
Last Closed: 2014-09-27 09:56:52 UTC
Type: Bug
Embargoed:



Description Petr Viktorin (pviktori) 2014-09-12 17:52:45 UTC
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4395



FreeIPA still configures the same (SSL and other) ciphers as in the beginning. Nessus and similar crypto detection tools mark some of the ciphers as low secure.

Reports on port 389, 636

Reported low secure SSL ciphers (< 56-bit key):

TLSv1
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export 
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export 

Reported null SSL ciphers:

NULL-SHA Kx=RSA Au=RSA Enc=None Mac=SHA1 

Medium strength ciphers (>= 56-bit and < 112-bit key)

TLSv1
EXP1024-DES-CBC-SHA Kx=RSA(1024) Au=RSA Enc=DES-CBC(56) Mac=SHA1 export 
EXP1024-RC4-SHA Kx=RSA(1024) Au=RSA Enc=RC4(56) Mac=SHA1 export 
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1 

Reports on port 9443:

Medium strength ciphers (>= 56-bit and < 112-bit key)

SSLv3
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1 

TLSv1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1 

Additionally, there was a report that httpd has Track and Trace methods enabled. This could be disabled with the TraceEnable directive.
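
The scanner rows quoted in the description can be triaged mechanically. The following is an added example, not part of the original report or of FreeIPA: it parses rows in that layout and buckets them by the report's own thresholds (null, < 56-bit, >= 56-bit and < 112-bit). The names ROW, SAMPLE, classify and triage are hypothetical, and the AES256-SHA row is constructed as a strong-cipher control.

```python
import re
from collections import defaultdict

# Row layout as quoted in the report:
#   NAME Kx=<alg>[(bits)] Au=<alg> Enc=<alg>[(bits)] Mac=<alg> [export]
ROW = re.compile(
    r"^(?P<name>\S+)\s+Kx=\S+\s+Au=\S+\s+"
    r"Enc=(?P<enc>[^\s(]+)(?:\((?P<bits>\d+)\))?\s+Mac=\S+(?:\s+export)?\s*$"
)

# SAMPLE: the port 389/636 rows from the report, plus one constructed
# AES256-SHA row (last line) added here as a strong-cipher control.
SAMPLE = """\
TLSv1
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
NULL-SHA Kx=RSA Au=RSA Enc=None Mac=SHA1
EXP1024-DES-CBC-SHA Kx=RSA(1024) Au=RSA Enc=DES-CBC(56) Mac=SHA1 export
EXP1024-RC4-SHA Kx=RSA(1024) Au=RSA Enc=RC4(56) Mac=SHA1 export
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1
AES256-SHA Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
"""

def classify(line):
    """Return (name, bucket) for a cipher row, or None for any other line."""
    m = ROW.match(line.strip())
    if m is None:
        return None  # protocol headers ("TLSv1"), blank lines, prose
    if m["enc"] == "None":
        return m["name"], "null"      # no encryption at all
    if m["bits"] is None:
        return m["name"], "unknown"   # key size not stated; review by hand
    bits = int(m["bits"])
    if bits < 56:
        return m["name"], "low"
    if bits < 112:
        return m["name"], "medium"
    return m["name"], "high"

def triage(text):
    """Group cipher names by bucket; names are de-duplicated and sorted."""
    buckets = defaultdict(set)
    for line in text.splitlines():
        row = classify(line)
        if row:
            buckets[row[1]].add(row[0])
    return {b: sorted(names) for b, names in buckets.items()}

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE).items():
        print(f"{bucket:8} {', '.join(names)}")
```

Every name outside the "high" bucket is a candidate for removal from the server's configured cipher list; rows that land in "unknown" need manual review.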

Comment 1 Petr Viktorin (pviktori) 2014-09-15 07:43:55 UTC
Fixed in upstream 4.0.3

Comment 2 Martin Kosek 2014-09-15 07:51:50 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4395

Comment 3 Fedora Update System 2014-09-15 13:25:54 UTC
python-qrcode-5.0.1-1.fc21, freeipa-4.0.3-1.fc21, 389-ds-base-1.3.3.3-1.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/FEDORA-2014-10811/389-ds-base-1.3.3.3-1.fc21,python-qrcode-5.0.1-1.fc21,freeipa-4.0.3-1.fc21

Comment 4 Fedora Update System 2014-09-18 16:12:35 UTC
Package freeipa-4.0.3-1.fc21, 389-ds-base-1.3.3.3-1.fc21, python-qrcode-5.0.1-2.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing freeipa-4.0.3-1.fc21 389-ds-base-1.3.3.3-1.fc21 python-qrcode-5.0.1-2.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-10811/389-ds-base-1.3.3.3-1.fc21,python-qrcode-5.0.1-2.fc21,freeipa-4.0.3-1.fc21
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2014-09-27 09:56:52 UTC
freeipa-4.0.3-1.fc21, 389-ds-base-1.3.3.3-1.fc21, python-qrcode-5.0.1-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

