Re: [Pki-users] Disable the cipher RC4 for the web interface

I just checked out the tomcatjss off IPA_v2_RHEL_6_ERRATA_BRANCH. It appears that it's missing the strictCiphers implementation. I will file a RHEL 6.5 bug for it and hopefully get it fixed. Christina On 04/03/2014 02:03 PM, Christina Fu wrote: > > On 04/03/2014 01:12 PM, Marc Sauton wrote: >> On 04/03/2014 09:09 AM, Thibaut Pouzet wrote: >>> Le 03/04/2014 17:14, Christina Fu a écrit : >>>> Did you try turning on the strictCiphers and FIPS mode? >>>> >>>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_Sy... >>>> >>>> >>>> Search for the word "strictCiphers" and follow the instruction >>>> there. For nss softtoken you just need to do steps 14, 15, and 16. >>>> Stop server before you begin and start after you are done. >>>> >>>> hope this helps, >>>> Christina >>>> >>>> On 04/03/2014 08:02 AM, Thibaut Pouzet wrote: >>>>> Hi, >>>>> >>>>> I am currently using pki-ca v9.0.3-32 with FreeIPA v3.0.0.-37 on >>>>> a CentOS 6.5 machine. I am scanning my internal networks in order >>>>> to find vulnerabilities, and trying to fix anything I find. I >>>>> have found that the HTTPS pki-ca administration interfaces >>>>> listening on ports 9444 and 9445 were accepting what might be >>>>> considered as weak ciphers (RC4) for data encryption. >>>>> >>>>> I removed those ciphers from /etc/pki-ca/server.xml, and then >>>>> restarded the daemon, but this had no effects whatsoever on the >>>>> ciphers availables on these SSL ports. I searched a bit around >>>>> /etc/pki-ca/ and /var/lib/pki-ca/ but could not find where to >>>>> make my changes in order to disable RC4 ciphers for those >>>>> administration interfaces. >>>>> >>>>> I also searched on the Internet & asked on the IRC channel about >>>>> this issue, with no succes, so here I am. Has anyone already >>>>> found a way to do this ? >>>>> >>>>> Regards, >>>>> >>>> >>>> _______________________________________________ >>>> Pki-users mailing list >>>> Pki-users(a)redhat.com >>>> https://www.redhat.com/mailman/listinfo/pki-users >>>> >>> >>> Hi Christina, >>> >>> I just did the things listed in the documentation you gave me0, the >>> only effect it had were that SSLv3 related ciphers were disabled. I >>> still have the TLSv1 ciphers using RC4 available obviously >>> >> Is it possible in the file /etc/pki-ca/server.xml >> there is till a trace of +SSL3_RSA_WITH_RC4_128_SHA for >> ssl3Ciphers >> tls3Ciphers >> ? >> Thanks, >> M. >> > > yes, that's exactly that. Just remove the ones from tls3Ciphers. > What the "strictCiphers" does is to turn off everything but the ones > you allow on. > > Christina