Description of problem:
Installed FreeIPA on CentOS host using YUM. 389-DS was installed as a dependency. Edited /etc/dirsrv/slapd-<REALM>/dse.ldif files to disable Null ciphers, but Nessus scans still indicate Null Cipher on 389 and 636 LDAP ports.

Version-Release number of selected component (if applicable):
389-ds-base.i686 1.2.11.15-34.el6_5

How reproducible:
Easy.

Steps to Reproduce:
1. Install FreeIPA server on a CentOS host - 'yum install ipa-server'.
2. Stop IPA using - /etc/init.d/ipa stop
3. Edit nsSSL3Ciphers in the following 2 files -
   /etc/dirsrv/slapd-PKI-IPA/dse.ldif
   /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif
4. nsSSL3Ciphers should look like this -
   nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
5. Start IPA using - /etc/init.d/ipa start
6. Scan ports on this host using Nessus or other security/port scanner.
7. Scan results show Weak and Null ciphers being used on port 389 and port 636.

Actual results:
Nessus scan results -
TLSv1
  EXP-RC2-CBC-MD5      Kx=RSA(512)   Au=RSA   Enc=RC2-CBC(40)   Mac=MD5    export
  EXP-RC4-MD5          Kx=RSA(512)   Au=RSA   Enc=RC4(40)       Mac=MD5    export
TLSv1
  EXP1024-DES-CBC-SHA  Kx=RSA(1024)  Au=RSA   Enc=DES-CBC(56)   Mac=SHA1   export
  EXP1024-RC4-SHA      Kx=RSA(1024)  Au=RSA   Enc=RC4(56)       Mac=SHA1   export
  DES-CBC-SHA          Kx=RSA        Au=RSA   Enc=DES-CBC(56)   Mac=SHA1
TLSv1
  NULL-SHA             Kx=RSA        Au=RSA   Enc=None          Mac=SHA1
Port 389 / tcp / ldap
Port 636 / tcp / ldap

Expected results:
No Null or Weak Ciphers

Additional info:
CentOS release 6.5 (Final).
Linux 2.6.32-431.29.2.el6.i686 #1 SMP Tue Sep 9 20:14:52 UTC 2014 i686 i686 i386 GNU/Linux.
Environment -
1. CentOS release 6.5 (Final).
2. Linux 2.6.32-431.29.2.el6.i686 #1 SMP Tue Sep 9 20:14:52 UTC 2014 i686 i686 i386 GNU/Linux.
3. ipa-server-3.0.0-37.el6.i686

Dependencies -
[root]# yum deplist ipa-server
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
 * base: mirror.ash.fastserv.com
 * epel: mirror.symnds.com
 * extras: ftp.linux.ncsu.edu
 * updates: centos.aol.com
Finding dependencies:
package: ipa-server.i686 3.0.0-37.el6
  dependency: python(abi) = 2.6
   provider: python.i686 2.6.6-51.el6
   provider: python.i686 2.6.6-52.el6
  dependency: acl
   provider: acl.i686 2.2.49-6.el6
  dependency: krb5-server < 1.11
   provider: krb5-server.i686 1.10.3-10.el6_4.6
   provider: krb5-server.i686 1.10.3-15.el6_5.1
  dependency: zip
   provider: zip.i686 3.0-1.el6
  dependency: ipa-server-selinux = 3.0.0-37.el6
   provider: ipa-server-selinux.i686 3.0.0-37.el6
  dependency: nss-tools
   provider: nss-tools.i686 3.15.1-15.el6
   provider: nss-tools.i686 3.15.3-2.el6_5
   provider: nss-tools.i686 3.15.3-3.el6_5
   provider: nss-tools.i686 3.15.3-6.el6_5
   provider: nss-tools.i686 3.16.1-4.el6_5
   provider: nss-tools.i686 3.16.1-7.el6_5
  dependency: libcrypto.so.10(libcrypto.so.10)
   provider: openssl.i686 1.0.1e-15.el6
   provider: openssl.i686 1.0.1e-16.el6_5.1
   provider: openssl.i686 1.0.1e-16.el6_5.14
   provider: openssl.i686 1.0.1e-16.el6_5.15
   provider: openssl.i686 1.0.1e-16.el6_5.4.0.1.centos
   provider: openssl.i686 1.0.1e-16.el6_5.4
   provider: openssl.i686 1.0.1e-16.el6_5.7
   provider: openssl.i686 1.0.1e-16.el6_5
  dependency: mod_nss >= 1.0.8-18
   provider: mod_nss.i686 1.0.8-18.el6
   provider: mod_nss.i686 1.0.8-19.el6_5
  dependency: libndr-nbt.so.0(NDR_NBT_0.0.1)
   provider: samba4-libs.i686 4.0.0-58.el6.rc4
   provider: samba4-libs.i686 4.0.0-60.el6_5.rc4
   provider: samba4-libs.i686 4.0.0-61.el6_5.rc4
   provider: samba4-libs.i686 4.0.0-63.el6_5.rc4
  dependency: /usr/bin/python
   provider: python.i686 2.6.6-51.el6
   provider: python.i686 2.6.6-52.el6
  dependency: ipa-python = 3.0.0-37.el6
   provider: ipa-python.i686 3.0.0-37.el6
  dependency: libndr.so.0(NDR_0.0.1)
   provider: samba4-libs.i686 4.0.0-58.el6.rc4
   provider: samba4-libs.i686 4.0.0-60.el6_5.rc4
   provider: samba4-libs.i686 4.0.0-61.el6_5.rc4
   provider: samba4-libs.i686 4.0.0-63.el6_5.rc4
  dependency: libkrb5.so.3(krb5_3_MIT)
   provider: krb5-libs.i686 1.10.3-10.el6_4.6
   provider: krb5-libs.i686 1.10.3-15.el6_5.1
  dependency: libcom_err.so.2
   provider: libcom_err.i686 1.41.12-18.el6
   provider: libcom_err.i686 1.41.12-18.el6_5.1
  dependency: cyrus-sasl-gssapi(x86-32)
   provider: cyrus-sasl-gssapi.i686 2.1.23-13.el6_3.1
  dependency: /bin/sh
   provider: bash.i686 4.1.2-15.el6_4
   provider: bash.i686 4.1.2-15.el6_5.2
   provider: bash.i686 4.1.2-15.el6_5.1
  dependency: policycoreutils >= 2.0.83-19.24
   provider: policycoreutils.i686 2.0.83-19.39.el6
  dependency: libtalloc.so.2
   provider: libtalloc.i686 2.0.7-2.el6
  dependency: libcrypto.so.10
   provider: openssl.i686 1.0.1e-15.el6
   provider: openssl.i686 1.0.1e-16.el6_5.1
   provider: openssl.i686 1.0.1e-16.el6_5.14
   provider: openssl.i686 1.0.1e-16.el6_5.15
   provider: openssl.i686 1.0.1e-16.el6_5.4.0.1.centos
   provider: openssl.i686 1.0.1e-16.el6_5.4
   provider: openssl.i686 1.0.1e-16.el6_5.7
   provider: openssl.i686 1.0.1e-16.el6_5
  dependency: libuuid.so.1(UUID_1.0)
   provider: libuuid.i686 2.17.2-12.14.el6
   provider: libuuid.i686 2.17.2-12.14.el6_5
  dependency: libkrb5.so.3
   provider: krb5-libs.i686 1.10.3-10.el6_4.6
   provider: krb5-libs.i686 1.10.3-15.el6_5.1
  dependency: initscripts
   provider: initscripts.i686 9.03.40-2.el6.centos
   provider: initscripts.i686 9.03.40-2.el6.centos.1
   provider: initscripts.i686 9.03.40-2.el6.centos.2
   provider: initscripts.i686 9.03.40-2.el6.centos.3
   provider: initscripts.i686 9.03.40-2.el6.centos.4
  dependency: libk5crypto.so.3(k5crypto_3_MIT)
   provider: krb5-libs.i686 1.10.3-10.el6_4.6
   provider: krb5-libs.i686 1.10.3-15.el6_5.1
  dependency: libndr-nbt.so.0
   provider: samba4-libs.i686 4.0.0-58.el6.rc4
   provider: samba4-libs.i686 4.0.0-60.el6_5.rc4
   provider: samba4-libs.i686 4.0.0-61.el6_5.rc4
   provider: samba4-libs.i686 4.0.0-63.el6_5.rc4
  dependency: ipa-admintools = 3.0.0-37.el6
   provider: ipa-admintools.i686 3.0.0-37.el6
  dependency: slapi-nis >= 0.40
   provider: slapi-nis.i686 0.40-4.el6
  dependency: 389-ds-base >= 1.2.11.15-14
   provider: 389-ds-base.i686 1.2.11.15-29.el6
   provider: 389-ds-base.i686 1.2.11.15-30.el6_5
   provider: 389-ds-base.i686 1.2.11.15-31.el6_5
   provider: 389-ds-base.i686 1.2.11.15-32.el6_5
   provider: 389-ds-base.i686 1.2.11.15-33.el6_5
   provider: 389-ds-base.i686 1.2.11.15-34.el6_5
  dependency: keyutils
   provider: keyutils.i686 1.4-4.el6
  dependency: python-krbV
   provider: python-krbV.i686 1.0.90-1.el6
   provider: python-krbV.i686 1.0.90-3.el6
  dependency: python-ldap
   provider: python-ldap.i686 2.3.10-1.el6
  dependency: openssh-clients
   provider: openssh-clients.i686 5.3p1-94.el6
  dependency: selinux-policy-base
   provider: selinux-policy-minimum.noarch 3.7.19-231.el6
   provider: selinux-policy-mls.noarch 3.7.19-231.el6
   provider: selinux-policy-targeted.noarch 3.7.19-231.el6
   provider: selinux-policy-minimum.noarch 3.7.19-231.el6_5.1
   provider: selinux-policy-minimum.noarch 3.7.19-231.el6_5.3
   provider: selinux-policy-mls.noarch 3.7.19-231.el6_5.1
   provider: selinux-policy-mls.noarch 3.7.19-231.el6_5.3
   provider: selinux-policy-targeted.noarch 3.7.19-231.el6_5.1
   provider: selinux-policy-targeted.noarch 3.7.19-231.el6_5.3
  dependency: libndr-krb5pac.so.0
   provider: samba4-libs.i686 4.0.0-58.el6.rc4
   provider: samba4-libs.i686 4.0.0-60.el6_5.rc4
   provider: samba4-libs.i686 4.0.0-61.el6_5.rc4
   provider: samba4-libs.i686 4.0.0-63.el6_5.rc4
  dependency: pki-ca >= 9.0.3-30
   provider: pki-ca.noarch 9.0.3-32.el6
  dependency: nss
   provider: nss.i686 3.15.1-15.el6
   provider: nss.i686 3.15.3-2.el6_5
   provider: nss.i686 3.15.3-3.el6_5
   provider: nss.i686 3.15.3-6.el6_5
   provider: nss.i686 3.16.1-4.el6_5
   provider: nss.i686 3.16.1-7.el6_5
  dependency: chkconfig
   provider: chkconfig.i686 1.3.49.3-2.el6_4.1
  dependency: krb5-server >= 1.10
   provider: krb5-server.i686 1.10.3-10.el6_4.6
   provider: krb5-server.i686 1.10.3-15.el6_5.1
  dependency: libc.so.6(GLIBC_2.8)
   provider: glibc.i686 2.12-1.132.el6
   provider: glibc.i686 2.12-1.132.el6_5.1
   provider: glibc.i686 2.12-1.132.el6_5.2
   provider: glibc.i686 2.12-1.132.el6_5.3
   provider: glibc.i686 2.12-1.132.el6_5.4
  dependency: libndr-krb5pac.so.0(NDR_KRB5PAC_0.0.1)
   provider: samba4-libs.i686 4.0.0-58.el6.rc4
   provider: samba4-libs.i686 4.0.0-60.el6_5.rc4
   provider: samba4-libs.i686 4.0.0-61.el6_5.rc4
   provider: samba4-libs.i686 4.0.0-63.el6_5.rc4
  dependency: selinux-policy >= 3.7.19-193
   provider: selinux-policy.noarch 3.7.19-231.el6
   provider: selinux-policy.noarch 3.7.19-231.el6_5.1
   provider: selinux-policy.noarch 3.7.19-231.el6_5.3
  dependency: rtld(GNU_HASH)
   provider: glibc.i686 2.12-1.132.el6
   provider: glibc.i686 2.12-1.132.el6_5.1
   provider: glibc.i686 2.12-1.132.el6_5.2
   provider: glibc.i686 2.12-1.132.el6_5.3
   provider: glibc.i686 2.12-1.132.el6_5.4
  dependency: liblber-2.4.so.2
   provider: openldap.i686 2.4.23-32.el6_4.1
   provider: openldap.i686 2.4.23-34.el6_5.1
  dependency: ipa-client = 3.0.0-37.el6
   provider: ipa-client.i686 3.0.0-37.el6
  dependency: ipa-pki-common-theme
   provider: ipa-pki-common-theme.noarch 9.0.3-7.el6
  dependency: pki-setup >= 9.0.3-30
   provider: pki-setup.noarch 9.0.3-32.el6
  dependency: ipa-pki-ca-theme
   provider: ipa-pki-ca-theme.noarch 9.0.3-7.el6
  dependency: libsamba-util.so.0
   provider: samba4-libs.i686 4.0.0-58.el6.rc4
   provider: samba4-libs.i686 4.0.0-60.el6_5.rc4
   provider: samba4-libs.i686 4.0.0-61.el6_5.rc4
   provider: samba4-libs.i686 4.0.0-63.el6_5.rc4
  dependency: python-memcached >= 1.43-6
   provider: python-memcached.noarch 1.43-6.el6
  dependency: openldap-clients
   provider: openldap-clients.i686 2.4.23-32.el6_4.1
   provider: openldap-clients.i686 2.4.23-34.el6_5.1
  dependency: libndr.so.0
   provider: samba4-libs.i686 4.0.0-58.el6.rc4
   provider: samba4-libs.i686 4.0.0-60.el6_5.rc4
   provider: samba4-libs.i686 4.0.0-61.el6_5.rc4
   provider: samba4-libs.i686 4.0.0-63.el6_5.rc4
  dependency: libtalloc.so.2(TALLOC_2.0.2)
   provider: libtalloc.i686 2.0.7-2.el6
  dependency: python
   provider: python.i686 2.6.6-51.el6
   provider: python.i686 2.6.6-52.el6
  dependency: ntp
   provider: ntp.i686 4.2.6p5-1.el6.centos
  dependency: memcached
   provider: memcached.i686 1.4.4-3.el6
  dependency: mod_auth_kerb >= 5.4-8
   provider: mod_auth_kerb.i686 5.4-10.el6
  dependency: mod_wsgi
   provider: mod_wsgi.i686 3.2-3.el6
   provider: mod_wsgi.i686 3.2-6.el6_5
  dependency: pki-silent >= 9.0.3-30
   provider: pki-silent.noarch 9.0.3-32.el6
  dependency: httpd >= httpd-2.2.15-24
   provider: httpd.i686 2.2.15-29.el6.centos
   provider: httpd.i686 2.2.15-30.el6.centos
   provider: httpd.i686 2.2.15-31.el6.centos
  dependency: libtevent.so.0
   provider: libtevent.i686 0.9.18-3.el6
  dependency: libuuid.so.1
   provider: libuuid.i686 2.17.2-12.14.el6
   provider: libuuid.i686 2.17.2-12.14.el6_5
  dependency: libsamba-util.so.0(SAMBA_UTIL_0.0.1)
   provider: samba4-libs.i686 4.0.0-58.el6.rc4
   provider: samba4-libs.i686 4.0.0-60.el6_5.rc4
   provider: samba4-libs.i686 4.0.0-61.el6_5.rc4
   provider: samba4-libs.i686 4.0.0-63.el6_5.rc4
  dependency: libldap_r-2.4.so.2
   provider: openldap.i686 2.4.23-32.el6_4.1
   provider: openldap.i686 2.4.23-34.el6_5.1
  dependency: python-pyasn1 >= 0.0.9a
   provider: python-pyasn1.noarch 0.0.12a-1.el6
  dependency: libk5crypto.so.3
   provider: krb5-libs.i686 1.10.3-10.el6_4.6
   provider: krb5-libs.i686 1.10.3-15.el6_5.1
  dependency: certmonger >= 0.61-3
   provider: certmonger.i686 0.61-3.el6
[root]#
With the fixes for DS 47928, DS 47945 and DS 47880, configured the server as follows:

dn: cn=encryption,cn=config
nsSSL3: off
nsTLS1: on
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha

The server reports the following ciphers are enabled, which does not include the null cipher.

nssslenabledciphers: rc4::RC4::MD5::128
nssslenabledciphers: rc4export::RC4::MD5::128
nssslenabledciphers: rc2::RC2::MD5::128
nssslenabledciphers: rc2export::RC2::MD5::128
nssslenabledciphers: des::DES::MD5::64
nssslenabledciphers: desede3::3DES::MD5::192
nssslenabledciphers: rsa_rc4_128_md5::RC4::MD5::128
nssslenabledciphers: rsa_rc4_128_sha::RC4::SHA1::128
nssslenabledciphers: rsa_3des_sha::3DES::SHA1::192
nssslenabledciphers: rsa_des_sha::DES::SHA1::64
nssslenabledciphers: rsa_fips_3des_sha::3DES::SHA1::192
nssslenabledciphers: fips_3des_sha::3DES::SHA1::192
nssslenabledciphers: rsa_fips_des_sha::DES::SHA1::64
nssslenabledciphers: fips_des_sha::DES::SHA1::64
nssslenabledciphers: rsa_rc4_40_md5::RC4::MD5::128
nssslenabledciphers: rsa_rc2_40_md5::RC2::MD5::128
nssslenabledciphers: tls_rsa_export1024_with_rc4_56_sha::RC4::SHA1::128
nssslenabledciphers: rsa_rc4_56_sha::RC4::SHA1::128
nssslenabledciphers: tls_rsa_export1024_with_des_cbc_sha::DES::SHA1::64
nssslenabledciphers: rsa_des_56_sha::DES::SHA1::64
nssslenabledciphers: dhe_dss_des_sha::DES::SHA1::64
nssslenabledciphers: dhe_dss_3des_sha::3DES::SHA1::192
nssslenabledciphers: dhe_rsa_des_sha::DES::SHA1::64
nssslenabledciphers: dhe_rsa_3des_sha::3DES::SHA1::192
nssslenabledciphers: tls_rsa_aes_128_sha::AES::SHA1::128
nssslenabledciphers: rsa_aes_128_sha::AES::SHA1::128
nssslenabledciphers: tls_dhe_dss_aes_128_sha::AES::SHA1::128
nssslenabledciphers: tls_dhe_rsa_aes_128_sha::AES::SHA1::128
nssslenabledciphers: tls_rsa_aes_256_sha::AES::SHA1::256
nssslenabledciphers: rsa_aes_256_sha::AES::SHA1::256
nssslenabledciphers: tls_dhe_dss_aes_256_sha::AES::SHA1::256
nssslenabledciphers: tls_dhe_rsa_aes_256_sha::AES::SHA1::256
nssslenabledciphers: tls_dhe_dss_1024_rc4_sha::RC4::SHA1::128
nssslenabledciphers: tls_dhe_dss_rc4_128_sha::RC4::SHA1::128
Configured SSL and added the following nsSSL3Ciphers. Enabled ciphers don't show any null ciphers. Hence, marking the bug as Verified.

Build tested:
[root@cloud-qe-15 ~]# rpm -qa |grep -i 389-ds-base
389-ds-base-libs-1.2.11.15-53.el6.x86_64
389-ds-base-1.2.11.15-53.el6.x86_64

[root@cloud-qe-15 ~]# cat /tmp/nullCipher.ldif
dn: cn=encryption,cn=config
replace: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha

[root@cloud-qe-15 ~]# ldapmodify -x -p 1189 -h localhost -D "cn=Directory Manager" -w Secret123 -f /tmp/nullCipher.ldif
modifying entry "cn=encryption,cn=config"

[root@cloud-qe-15 ~]# ldapsearch -LLL -x -p 1189 -h localhost -D "cn=Directory Manager" -w Secret123 -b "cn=encryption,cn=config" |grep -i nssslenabledciphers |grep -i null
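An added offline check, not code from this ticket, from 389-DS or from FreeIPA. It parses the two artefacts the thread works with: the nsSSL3Ciphers value (as posted, including the whitespace that line wrapping pushed into two cipher names) and the nssslenabledciphers lines that the verification ldapsearch returns. It then reports what a scanner will flag. Two things it makes explicit that the thread leaves implicit: the directive names only rsa_null_md5 and fortezza_null, so any other NULL suite is left to the server default; and every export, 40-bit, RC4 and single-DES suite in the Nessus output (EXP-RC2-CBC-MD5, EXP-RC4-MD5, EXP1024-*, DES-CBC-SHA) is switched on with '+' in that same directive, so those findings are configuration rather than the bug that was fixed. The list of NULL cipher names used for the gap check, the constructed rsa_null_sha sample line, and the weak/strong classification are this example's own assumptions.

```python
"""Offline review of a 389-DS cipher configuration (added example, not project code)."""
import re
from typing import Dict, List, NamedTuple


class EnabledCipher(NamedTuple):
    name: str   # 389-DS cipher name, e.g. rsa_rc4_40_md5
    enc: str    # bulk cipher column: RC4, DES, 3DES, AES, ...
    mac: str    # MAC column: MD5, SHA1
    bits: int   # key-size column as the server prints it


def parse_nsssl3ciphers(value: str) -> Dict[str, bool]:
    """Map cipher name -> enabled from an nsSSL3Ciphers string.

    Tokens are '+name' (enable) or '-name' (disable).  All whitespace is removed
    first, because a value copied from a wrapped ticket or mail often carries a
    newline or space inside a name ("+fo rtezza_rc4_128_sha").
    """
    config: Dict[str, bool] = {}
    for token in re.sub(r"\s+", "", value).split(","):
        if not token:
            continue
        if token[0] in "+-":
            config[token[1:].lower()] = token[0] == "+"
        else:                                   # bare name: treat as enabled
            config[token.lower()] = True
    return config


# Names a scanner reports as NULL or weak; the lookbehind keeps 3DES out of the DES bucket.
WEAK_NAME = re.compile(r"null|export|_40_|rc4|rc2|(?<!3)des")
# Assumed NULL-suite names from the 389-DS cipher table (not stated in the ticket).
KNOWN_NULL = ("rsa_null_md5", "rsa_null_sha", "fortezza_null")


def explicitly_enabled_weak(config: Dict[str, bool]) -> List[str]:
    """Names the directive turns on with '+' that are NULL/weak by name."""
    return sorted(n for n, on in config.items() if on and WEAK_NAME.search(n))


def unaddressed_null_ciphers(config: Dict[str, bool]) -> List[str]:
    """NULL suites the directive neither enables nor disables (left to server default)."""
    return sorted(n for n in KNOWN_NULL if n not in config)


ENABLED_LINE = re.compile(
    r"^nssslenabledciphers:\s*([^:\s]+)::([^:\s]+)::([^:\s]+)::(\d+)$", re.IGNORECASE)


def parse_enabled_ciphers(ldif_text: str) -> List[EnabledCipher]:
    """Parse 'nssslenabledciphers: name::ENC::MAC::bits' lines from ldapsearch output."""
    found = []
    for line in ldif_text.splitlines():
        m = ENABLED_LINE.match(line.strip())
        if m:
            found.append(EnabledCipher(m.group(1).lower(), m.group(2).upper(),
                                       m.group(3).upper(), int(m.group(4))))
    return found


def weak_enabled_ciphers(entries: List[EnabledCipher]) -> Dict[str, List[str]]:
    """{cipher name: [reasons]} for every enabled cipher a scanner would flag."""
    findings: Dict[str, List[str]] = {}
    for c in entries:
        reasons = []
        if c.enc in ("NULL", "NONE") or "null" in c.name:
            reasons.append("NULL cipher: no confidentiality")
        if re.search(r"export|_40_|1024", c.name):
            reasons.append("export-grade key length")
        if c.enc in ("DES", "RC2", "RC4"):
            reasons.append(f"{c.enc} is broken or deprecated")
        if c.mac == "MD5":
            reasons.append("MD5 MAC")
        if 0 < c.bits < 112:
            reasons.append(f"{c.bits}-bit key")
        if reasons:
            findings[c.name] = reasons
    return findings


def has_null_cipher(entries: List[EnabledCipher]) -> bool:
    """The question the ticket answers with 'grep -i null', checked on the ENC column too."""
    return any(c.enc in ("NULL", "NONE") or "null" in c.name for c in entries)


# The nsSSL3Ciphers value exactly as it appears in the ticket, line-wrap damage included.
NSSSL3CIPHERS_FROM_REPORT = (
    "-rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,"
    "+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo\n"
    "rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs\n"
    "a_export1024_with_des_cbc_sha")
# A subset of the post-fix nssslenabledciphers lines quoted in the ticket.
ENABLED_FROM_REPORT = """\
nssslenabledciphers: rc4export::RC4::MD5::128
nssslenabledciphers: des::DES::MD5::64
nssslenabledciphers: rsa_3des_sha::3DES::SHA1::192
nssslenabledciphers: rsa_rc4_40_md5::RC4::MD5::128
nssslenabledciphers: tls_rsa_export1024_with_des_cbc_sha::DES::SHA1::64
nssslenabledciphers: tls_rsa_aes_128_sha::AES::SHA1::128
nssslenabledciphers: tls_dhe_rsa_aes_256_sha::AES::SHA1::256
"""
# Constructed line (not from the ticket) showing how a NULL suite would look on an
# unfixed server; the name and bit count are assumed.
NULL_LINE_CONSTRUCTED = "nssslenabledciphers: rsa_null_sha::NULL::SHA1::0\n"

if __name__ == "__main__":
    cfg = parse_nsssl3ciphers(NSSSL3CIPHERS_FROM_REPORT)
    print("disabled by directive:", sorted(n for n, on in cfg.items() if not on))
    print("enabled but weak:     ", explicitly_enabled_weak(cfg))
    print("NULL names not named: ", unaddressed_null_ciphers(cfg))
    for label, text in (("post-fix", ENABLED_FROM_REPORT),
                        ("pre-fix (constructed)", ENABLED_FROM_REPORT + NULL_LINE_CONSTRUCTED)):
        entries = parse_enabled_ciphers(text)
        print(f"{label}: null cipher present = {has_null_cipher(entries)}")
        for name, reasons in sorted(weak_enabled_ciphers(entries).items()):
            print(f"  {name}: {', '.join(reasons)}")
```

Run it against real output by piping the ldapsearch from the verification step into a file and passing that text to parse_enabled_ciphers. The attribute check only tells you what the server thinks it offers; to confirm what the port actually negotiates, `openssl s_client -connect host:636 -cipher NULL` should fail the handshake once NULL suites are off, and `nmap --script ssl-enum-ciphers -p 636 host` lists everything the listener still accepts.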
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-1326.html