Re: [Pki-users] Disable the cipher RC4 for the web interface

Le 03/04/2014 17:14, Christina Fu a écrit : > Did you try turning on the strictCiphers and FIPS mode? > > https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_Sy... > > > Search for the word "strictCiphers" and follow the instruction there. > For nss softtoken you just need to do steps 14, 15, and 16. Stop > server before you begin and start after you are done. > > hope this helps, > Christina > > On 04/03/2014 08:02 AM, Thibaut Pouzet wrote: >> Hi, >> >> I am currently using pki-ca v9.0.3-32 with FreeIPA v3.0.0.-37 on a >> CentOS 6.5 machine. I am scanning my internal networks in order to >> find vulnerabilities, and trying to fix anything I find. I have >> found that the HTTPS pki-ca administration interfaces listening on >> ports 9444 and 9445 were accepting what might be considered as weak >> ciphers (RC4) for data encryption. >> >> I removed those ciphers from /etc/pki-ca/server.xml, and then >> restarded the daemon, but this had no effects whatsoever on the >> ciphers availables on these SSL ports. I searched a bit around >> /etc/pki-ca/ and /var/lib/pki-ca/ but could not find where to make >> my changes in order to disable RC4 ciphers for those administration >> interfaces. >> >> I also searched on the Internet & asked on the IRC channel about >> this issue, with no succes, so here I am. Has anyone already found a >> way to do this ? >> >> Regards, >> > > _______________________________________________ > Pki-users mailing list > Pki-users(a)redhat.com > https://www.redhat.com/mailman/listinfo/pki-users > Hi Christina, I just did the things listed in the documentation you gave me0, the only effect it had were that SSLv3 related ciphers were disabled. I still have the TLSv1 ciphers using RC4 available obviously