- tomcatjss missing strictCiphers implementation
Christina
On 04/04/2014 12:53 AM, Thibaut Pouzet wrote:
On 04/04/2014 00:26, Christina Fu wrote:
> I just checked out the tomcatjss off IPA_v2_RHEL_6_ERRATA_BRANCH. It
> appears that it's missing the strictCiphers implementation.
>
> I will file a RHEL 6.5 bug for it and hopefully get it fixed.
>
> Christina
>
>
> On 04/03/2014 02:03 PM, Christina Fu wrote:
>>
>> On 04/03/2014 01:12 PM, Marc Sauton wrote:
>>> On 04/03/2014 09:09 AM, Thibaut Pouzet wrote:
>>>> On 03/04/2014 17:14, Christina Fu wrote:
>>>>> Did you try turning on the strictCiphers and FIPS mode?
>>>>>
>>>>>
>>>>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_Sy...
>>>>>
>>>>>
>>>>> Search for the word "strictCiphers" and follow the instructions
>>>>> there. For the NSS softtoken you just need to do steps 14, 15, and
>>>>> 16. Stop the server before you begin and start it after you are done.
>>>>>
>>>>> hope this helps,
>>>>> Christina
>>>>>
>>>>> On 04/03/2014 08:02 AM, Thibaut Pouzet wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I am currently using pki-ca v9.0.3-32 with FreeIPA v3.0.0-37 on
>>>>>> a CentOS 6.5 machine. I am scanning my internal networks in
>>>>>> order to find vulnerabilities, and trying to fix anything I
>>>>>> find. I have found that the HTTPS pki-ca administration
>>>>>> interfaces listening on ports 9444 and 9445 were accepting what
>>>>>> might be considered as weak ciphers (RC4) for data encryption.
>>>>>>
>>>>>> I removed those ciphers from /etc/pki-ca/server.xml, and then
>>>>>> restarted the daemon, but this had no effect whatsoever on the
>>>>>> ciphers available on these SSL ports. I searched a bit around
>>>>>> /etc/pki-ca/ and /var/lib/pki-ca/ but could not find where to
>>>>>> make my changes in order to disable RC4 ciphers for those
>>>>>> administration interfaces.
>>>>>>
>>>>>> I also searched on the Internet and asked on the IRC channel about
>>>>>> this issue, with no success, so here I am. Has anyone already
>>>>>> found a way to do this?
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Pki-users mailing list
>>>>> Pki-users(a)redhat.com
>>>>>
>>>>> https://www.redhat.com/mailman/listinfo/pki-users
>>>>>
>>>>
>>>> Hi Christina,
>>>>
>>>> I just did the things listed in the documentation you gave me,
>>>> the only effect it had was that the SSLv3-related ciphers were
>>>> disabled. I still have the TLSv1 ciphers using RC4 available,
>>>> obviously.
>>>>
>>> Is it possible that in the file /etc/pki-ca/server.xml
>>> there is still a trace of +SSL3_RSA_WITH_RC4_128_SHA for
>>> ssl3Ciphers
>>> tls3Ciphers
>>> ?
>>> Thanks,
>>> M.
>>>
>>
>> Yes, that's exactly that. Just remove the ones from tls3Ciphers.
>> What "strictCiphers" does is turn off everything but the ones
>> you allow on.
>>
>> Christina
Hi,
Marc:
I removed all RC4 ciphers from the file with the vim command
%s/+[A-Z_312568]*RC4[A-Z_123568]*,//g and double-checked a couple of
times; there is no way I missed this and that there are still RC4
ciphers manually enabled inside this file.
Christina:
All right, let us know when you have filed the bug with the technical
elements you found! I'll be glad to follow this, thank you for your
time searching for this!
Cheers,
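A worked example for the configuration discussed in this thread, added here and not code from the pki-ca or tomcatjss projects or from anyone in the thread. It relies only on the list format visible above: ssl3Ciphers and tls3Ciphers on the SSL Connector hold comma-separated suite names, each prefixed with "+" (turn on) or "-" (turn off), as in the quoted +SSL3_RSA_WITH_RC4_128_SHA. It makes one assumption about semantics: when strictCiphers is not honoured (the RHEL 6 tomcatjss situation Christina describes), simply deleting a "+RC4" entry leaves that suite at the NSS token default, so the script rewrites every RC4 entry as an explicit "-" entry instead of deleting it, and reports connectors whose strictCiphers is not "true". The sample server.xml is constructed for the example; the ports and non-cipher attribute values are illustrative. The weak-suite pattern defaults to RC4, the family the thread is about, but takes any regex, so the same sweep can cover other families.

```python
"""Audit and harden the tomcatjss cipher lists in a pki-ca server.xml.

Added example; not code from the pki-ca or tomcatjss projects or from anyone
in the thread.  It relies only on the list format visible there: ssl3Ciphers
and tls3Ciphers hold comma-separated suite names, each prefixed '+' (turn on)
or '-' (turn off).  Assumption: when strictCiphers is not honoured, merely
deleting a '+RC4' entry leaves that suite at the NSS token default, so weak
entries are rewritten as '-...' (explicitly off) instead of being removed.
The sample server.xml below is constructed for the example.
"""
import json
import re
import xml.etree.ElementTree as ET

# Connector attributes that carry cipher lists (names quoted in the thread).
CIPHER_ATTRS = ("ssl3Ciphers", "tls3Ciphers")

# Default sweep is the RC4 family the thread is about; pass a broader pattern
# (e.g. re.compile(r"RC4|NULL|EXPORT|MD5")) to widen it.
RC4 = re.compile(r"RC4")

# Constructed sample: one SSL connector on 9444 with RC4 suites turned on in
# both lists, plus a plain HTTP connector that must be left alone.
SAMPLE_SERVER_XML = """<Server port="9701" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="9444" protocol="HTTP/1.1" SSLEnabled="true"
        scheme="https" secure="true" sslProtocol="SSL"
        sslOptions="ssl2=false,ssl3=true,tls=true"
        ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_WITH_3DES_EDE_CBC_SHA"
        tls3Ciphers="-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_RC4_128_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA"
        strictCiphers="false"/>
    <Connector port="9180" protocol="HTTP/1.1"/>
  </Service>
</Server>
"""


def parse_cipher_list(value):
    """'+A,-B' -> [('+', 'A'), ('-', 'B')]; an unsigned entry counts as '+'."""
    entries = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if item[0] in "+-":
            entries.append((item[0], item[1:]))
        else:
            entries.append(("+", item))
    return entries


def format_cipher_list(entries):
    return ",".join(sign + name for sign, name in entries)


def enabled_weak_suites(value, weak=RC4):
    """Audit: the weak suites a cipher list still turns on."""
    return [name for sign, name in parse_cipher_list(value)
            if sign == "+" and weak.search(name)]


def harden_cipher_list(value, weak=RC4):
    """Rewrite every weak entry with a '-' prefix.  Returns the new list and
    the names that were turned on before the rewrite."""
    flipped, result = [], []
    for sign, name in parse_cipher_list(value):
        if weak.search(name):
            if sign == "+":
                flipped.append(name)
            sign = "-"
        result.append((sign, name))
    return format_cipher_list(result), flipped


def harden_server_xml(xml_text, weak=RC4):
    """Harden every SSLEnabled Connector.  Returns (new document text, report)
    with report = {port: {"strictCiphers": value, "disabled": {attr: [...]}}}.
    ElementTree drops XML comments and the declaration when re-serialising,
    so diff the output against the original file before installing it."""
    root = ET.fromstring(xml_text)
    report = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        entry = {"strictCiphers": conn.get("strictCiphers", "unset"),
                 "disabled": {}}
        for attr in CIPHER_ATTRS:
            if attr in conn.attrib:
                new_value, flipped = harden_cipher_list(conn.get(attr), weak)
                conn.set(attr, new_value)
                if flipped:
                    entry["disabled"][attr] = flipped
        report[conn.get("port", "?")] = entry
    return ET.tostring(root, encoding="unicode"), report


if __name__ == "__main__":
    hardened, report = harden_server_xml(SAMPLE_SERVER_XML)
    print(json.dumps(report, indent=2))
    print(hardened)
```

Running it on the sample reports port 9444 with strictCiphers "false" and one RC4 suite flipped in each list; after the rewrite, enabled_weak_suites() returns an empty list for both attributes. After installing a rewritten server.xml, restart the daemon and re-scan the port, since the thread shows that editing the file alone is not proof the change took effect.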