I just checked out the tomcatjss off IPA_v2_RHEL_6_ERRATA_BRANCH. It
appears that it's missing the strictCiphers implementation.
I will file a RHEL 6.5 bug for it and hopefully get it fixed.
Christina
On 04/03/2014 02:03 PM, Christina Fu wrote:
On 04/03/2014 01:12 PM, Marc Sauton wrote:
> On 04/03/2014 09:09 AM, Thibaut Pouzet wrote:
>> On 03/04/2014 17:14, Christina Fu wrote:
>>> Did you try turning on the strictCiphers and FIPS mode?
>>>
>>>
>>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_Sy...
>>>
>>>
>>> Search for the word "strictCiphers" and follow the instruction
>>> there. For nss softtoken you just need to do steps 14, 15, and 16.
>>> Stop server before you begin and start after you are done.
>>>
>>> hope this helps,
>>> Christina
>>>
>>> On 04/03/2014 08:02 AM, Thibaut Pouzet wrote:
>>>> Hi,
>>>>
>>>> I am currently using pki-ca v9.0.3-32 with FreeIPA v3.0.0.-37 on a
>>>> CentOS 6.5 machine. I am scanning my internal networks in order to
>>>> find vulnerabilities, and trying to fix anything I find. I have
>>>> found that the HTTPS pki-ca administration interfaces listening on
>>>> ports 9444 and 9445 were accepting what might be considered as
>>>> weak ciphers (RC4) for data encryption.
>>>>
>>>> I removed those ciphers from /etc/pki-ca/server.xml, and then
>>>> restarted the daemon, but this had no effect whatsoever on the
>>>> ciphers available on these SSL ports. I searched a bit around
>>>> /etc/pki-ca/ and /var/lib/pki-ca/ but could not find where to make
>>>> my changes in order to disable RC4 ciphers for those
>>>> administration interfaces.
>>>>
>>>> I also searched on the Internet & asked on the IRC channel about
>>>> this issue, with no success, so here I am. Has anyone already found
>>>> a way to do this?
>>>>
>>>> Regards,
>>>>
>>>
>>> _______________________________________________
>>> Pki-users mailing list
>>> Pki-users(a)redhat.com
>>>
>>> https://www.redhat.com/mailman/listinfo/pki-users
>>>
>>
>> Hi Christina,
>>
>> I just did the things listed in the documentation you gave me, the
>> only effect it had was that SSLv3 related ciphers were disabled. I
>> still have the TLSv1 ciphers using RC4 available obviously
>>
> Is it possible in the file /etc/pki-ca/server.xml
> there is till a trace of +SSL3_RSA_WITH_RC4_128_SHA for
> ssl3Ciphers
> tls3Ciphers
> ?
> Thanks,
> M.
>
yes, that's exactly that. Just remove the ones from tls3Ciphers. What
the "strictCiphers" does is to turn off everything but the ones you
allow on.
Christina
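The thread boils down to two things to verify in /etc/pki-ca/server.xml: that every `+` entry naming RC4 has been removed from both `ssl3Ciphers` and `tls3Ciphers` (not just `ssl3Ciphers`), and that `strictCiphers` is on so only the remaining `+` entries are offered. The script below is an added example and is not code from the thread, from tomcatjss or from Red Hat; it assumes the tomcatjss convention that these Connector attributes hold a comma-separated list of cipher names, each prefixed with `+` (enable) or `-` (disable), as in the `+SSL3_RSA_WITH_RC4_128_SHA` entry Marc mentions. The embedded server.xml and its cipher lists are constructed for the demonstration, not copied from a real pki-ca installation. It audits each SSL connector for weak ciphers that are still enabled and can emit a corrected copy with those entries flipped to `-` and `strictCiphers` set to `true`; the rewritten file still has to be installed and the daemon restarted, as Christina notes.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the tomcatjss Connector attributes named in the thread
# (strictCiphers, ssl3Ciphers, tls3Ciphers). The cipher lists are illustrative only.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="9444" scheme="https" secure="true"
               strictCiphers="true"
               ssl3Ciphers="-SSL3_RSA_WITH_RC4_128_SHA,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA"
               tls3Ciphers="+SSL3_RSA_WITH_RC4_128_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5"/>
    <Connector port="9445" scheme="https" secure="true"
               strictCiphers="false"
               ssl3Ciphers="-SSL3_RSA_WITH_RC4_128_SHA"
               tls3Ciphers="-SSL3_RSA_WITH_RC4_128_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA"/>
  </Service>
</Server>
"""

CIPHER_ATTRS = ("ssl3Ciphers", "tls3Ciphers")
# Names worth flagging when enabled; RC4 is the one the thread is about.
WEAK_PATTERN = r"RC4|NULL|EXPORT|DES_40"


def parse_cipher_list(value):
    """Split a '+NAME,-NAME' list into (enabled, name) tuples.
    An entry with no sign is treated as enabled (assumption for robustness)."""
    out = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if entry[0] in "+-":
            out.append((entry[0] == "+", entry[1:]))
        else:
            out.append((True, entry))
    return out


def audit_connectors(xml_text, weak_pattern=WEAK_PATTERN):
    """Return {port: {"strictCiphers": bool, "weak_enabled": [(attr, cipher), ...]}}
    for every Connector that carries an ssl3Ciphers or tls3Ciphers attribute."""
    weak = re.compile(weak_pattern)
    root = ET.fromstring(xml_text)
    findings = {}
    for conn in root.iter("Connector"):
        if not any(attr in conn.attrib for attr in CIPHER_ATTRS):
            continue  # plain HTTP or AJP connector: nothing to audit
        weak_enabled = []
        for attr in CIPHER_ATTRS:
            for enabled, name in parse_cipher_list(conn.get(attr, "")):
                if enabled and weak.search(name):
                    weak_enabled.append((attr, name))
        findings[conn.get("port")] = {
            "strictCiphers": conn.get("strictCiphers", "false").lower() == "true",
            "weak_enabled": weak_enabled,
        }
    return findings


def disable_matching_ciphers(xml_text, weak_pattern=WEAK_PATTERN):
    """Return a copy of the XML in which every '+cipher' matching the pattern, in both
    ssl3Ciphers and tls3Ciphers, becomes '-cipher', and strictCiphers is set to true
    so the connector offers only the entries that remain enabled."""
    weak = re.compile(weak_pattern)
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        if not any(attr in conn.attrib for attr in CIPHER_ATTRS):
            continue
        for attr in CIPHER_ATTRS:
            if attr not in conn.attrib:
                continue
            rewritten = []
            for enabled, name in parse_cipher_list(conn.get(attr)):
                if enabled and weak.search(name):
                    enabled = False
                rewritten.append(("+" if enabled else "-") + name)
            conn.set(attr, ",".join(rewritten))
        conn.set("strictCiphers", "true")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for port, info in audit_connectors(SAMPLE_SERVER_XML).items():
        print(port, info)  # port 9444 still offers RC4 via tls3Ciphers
    fixed = disable_matching_ciphers(SAMPLE_SERVER_XML)
    print(audit_connectors(fixed))  # no weak ciphers enabled on either port
```

Against the sample, the audit reports port 9444 with `strictCiphers` on but `SSL3_RSA_WITH_RC4_128_SHA` still enabled in `tls3Ciphers`, which is exactly the state Thibaut describes after following only the SSLv3 steps; port 9445 has RC4 disabled but `strictCiphers` off. The rewrite fixes both. Keep `strictCiphers` in mind when reading the output: with it off, NSS may still offer ciphers that are not listed at all, so the attribute matters as much as the `+`/`-` entries.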