Re: [Pki-users] Disable the cipher RC4 for the web interface

On 04/03/2014 09:09 AM, Thibaut Pouzet wrote: > Le 03/04/2014 17:14, Christina Fu a écrit : >> Did you try turning on the strictCiphers and FIPS mode? >> >> https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_Sy... >> >> >> Search for the word "strictCiphers" and follow the instruction >> there. For nss softtoken you just need to do steps 14, 15, and 16. >> Stop server before you begin and start after you are done. >> >> hope this helps, >> Christina >> >> On 04/03/2014 08:02 AM, Thibaut Pouzet wrote: >>> Hi, >>> >>> I am currently using pki-ca v9.0.3-32 with FreeIPA v3.0.0.-37 on a >>> CentOS 6.5 machine. I am scanning my internal networks in order to >>> find vulnerabilities, and trying to fix anything I find. I have >>> found that the HTTPS pki-ca administration interfaces listening on >>> ports 9444 and 9445 were accepting what might be considered as weak >>> ciphers (RC4) for data encryption. >>> >>> I removed those ciphers from /etc/pki-ca/server.xml, and then >>> restarded the daemon, but this had no effects whatsoever on the >>> ciphers availables on these SSL ports. I searched a bit around >>> /etc/pki-ca/ and /var/lib/pki-ca/ but could not find where to make >>> my changes in order to disable RC4 ciphers for those administration >>> interfaces. >>> >>> I also searched on the Internet & asked on the IRC channel about >>> this issue, with no succes, so here I am. Has anyone already found >>> a way to do this ? >>> >>> Regards, >>> >> >> _______________________________________________ >> Pki-users mailing list >> Pki-users(a)redhat.com >> https://www.redhat.com/mailman/listinfo/pki-users >> > > Hi Christina, > > I just did the things listed in the documentation you gave me0, the > only effect it had were that SSLv3 related ciphers were disabled. I > still have the TLSv1 ciphers using RC4 available obviously > Is it possible in the file /etc/pki-ca/server.xml there is till a trace of +SSL3_RSA_WITH_RC4_128_SHA for ssl3Ciphers tls3Ciphers ? Thanks, M.

_______________________________________________ Pki-users mailing list Pki-users(a)redhat.com https://www.redhat.com/mailman/listinfo/pki-users