02-16-2011, 12:25 PM
Gerrard Geldenhuis

Remediating Encryption Levels

Hi
I am currently testing this but would like to double up my testing with any other experiences in the list.

A security scan has shown my test LDAP server to be vulnerable to weak SSL encryption. I have turned off all encryption levels below 128 bits in the Cipher Preference Dialog box for both the admin and dirsrv.

I am testing whether this will have any effect on any connection within my setup that uses SSL, thus chaining, replication, console and general authentication from CentOS and Red Hat clients.

My understanding is that having those lower levels like DES 56 enabled allows such a connection, but the connection encryption level will be determined by what the client initiates, if supported at the server. So if the client initiates 128-bit RC4 it will be a 128-bit RC4 connection. With this in mind, what would be the default level of encryption if the client is "internal" to the 389DS, i.e. what would be the encryption level for chaining and replication and connecting to the console?

If an encryption level is not supported what is the negotiating logic to determine a working connection?

Regards

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
02-16-2011, 03:13 PM
Andrey Ivanov

Remediating Encryption Levels

Hi Gerrard,

Here is what we do to disable weak encryption:

Admin server:
dn: cn=encryption, cn=configuration, cn=admin-serv-ldap-<id>, cn=389 administration server, cn=server group,cn=ldap-<id>.example.com,ou=example.com,o=netscaperoot
nsSSL2: off
nsSSL3: on
nsSSL2Ciphers: -des,-rc2export,-rc4export,-desede3,-rc4,-rc2
nsSSL3Ciphers: -rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_3des_sha,-rsa_rc4_40_md5,+fips_des_sha,+fips_3des_sha,+rsa_des_sha,-rsa_null_md5

389 Server:
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,-rsa_rc4_40_md5,-rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha,-rc4,-rc4export,-rc2,-rc2export,-des,-desede3

I think it is possible to disable these algorithms via the console but I have not tried...

Cheers,

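Two things in this thread lend themselves to a quick check: Gerrard's question about what the negotiation logic does when a client offers a cipher the server has disabled, and Andrey's nsSSL3Ciphers values, which a scanner would re-evaluate after the change. The script below is an added example written for this archive page; it is not code from 389 DS or from either poster. It parses a 389-style "+name,-name" preference string (tolerating the stray spaces a wrapped LDIF value picks up), lists what is still enabled, flags anything under a key-size threshold, and models the server-side cipher choice for a given client offer. The key sizes are taken from the lengths spelled out in the legacy NSS cipher names (fortezza being 80-bit SKIPJACK, the *_null_* suites carrying no encryption); the negotiation model assumes server preference order, which is an assumption, not a statement about how a particular NSS build is configured. Run over the 389 server value posted above it still reports rsa_des_sha, rsa_fips_des_sha, fortezza, fortezza_null and the two export1024 suites as enabled, so a scanner applying a 128-bit threshold would keep flagging that server; the HARDENED variant is a constructed example of a value with nothing under 128 bits left on.

```python
"""Check a 389 DS nsSSL3Ciphers value for ciphers under a key-size threshold
and model which cipher a client/server pair negotiates.

Added example for this thread, not code from 389 DS or from either poster.
CIPHER_BITS is taken from the key length spelled out in each legacy NSS
cipher name (rsa_rc4_40_md5 -> 40, *_des_* -> single DES, 56); fortezza is
SKIPJACK (80-bit) and the *_null_* suites carry no encryption at all.
"""

MIN_BITS = 128  # the threshold applied by the scanner in the thread

# Nominal key sizes; 3DES listed at its nominal 168 bits.
CIPHER_BITS = {
    "rsa_null_md5": 0, "fortezza_null": 0,
    "rsa_rc4_40_md5": 40, "rsa_rc2_40_md5": 40,
    "rsa_des_sha": 56, "rsa_fips_des_sha": 56, "fips_des_sha": 56,
    "tls_rsa_export1024_with_rc4_56_sha": 56,
    "tls_rsa_export1024_with_des_cbc_sha": 56,
    "fortezza": 80,
    "rsa_rc4_128_md5": 128, "rsa_rc4_128_sha": 128, "fortezza_rc4_128_sha": 128,
    "rsa_3des_sha": 168, "rsa_fips_3des_sha": 168, "fips_3des_sha": 168,
}


def parse_cipher_pref(value):
    """Split '+a,-b,...' into ordered (name, enabled) pairs.

    Whitespace around tokens (as in a wrapped LDIF value) is dropped and
    names are lower-cased; a token without a +/- prefix is rejected.
    """
    prefs = []
    for tok in value.split(","):
        tok = tok.strip()
        if not tok:
            continue
        if tok[0] not in "+-":
            raise ValueError("cipher token without +/- prefix: %r" % tok)
        prefs.append((tok[1:].strip().lower(), tok[0] == "+"))
    return prefs


def enabled_ciphers(value):
    """Names left enabled, in first-seen order; a later +/- overrides an earlier one."""
    state, order = {}, []
    for name, enabled in parse_cipher_pref(value):
        if name not in state:
            order.append(name)
        state[name] = enabled
    return [n for n in order if state[n]]


def weak_enabled(value, min_bits=MIN_BITS):
    """Return (weak, unknown): enabled ciphers under min_bits as (name, bits),
    plus enabled names missing from the table, reported rather than guessed."""
    weak, unknown = [], []
    for name in enabled_ciphers(value):
        bits = CIPHER_BITS.get(name)
        if bits is None:
            unknown.append(name)
        elif bits < min_bits:
            weak.append((name, bits))
    return weak, unknown


def negotiate(client_offer, server_value):
    """Simplified SSL/TLS cipher selection: the server walks its own enabled
    list in order and takes the first cipher the client also offered; None
    means nothing in common, i.e. the handshake fails. Assumes server
    preference order (an NSS server may instead honour the client's order,
    which changes which common cipher wins, not whether one exists)."""
    offered = {c.strip().lower() for c in client_offer}
    for name in enabled_ciphers(server_value):
        if name in offered:
            return name
    return None


# Constructed inputs: the 389 server value posted above, stray spaces
# included, and a variant that leaves nothing under 128 bits enabled.
POSTED = (
    "-rsa_null_md5,+rsa_rc4_128_md5,-rsa_rc4_40_md5,-rsa_rc2_40_md5,+rsa_des_sha,"
    "+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha ,+fortezza,+fortezza_rc4_128_sha,"
    "+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha ,+tls_rsa_export1024_with_des_cbc_sha,"
    "-rc4,-rc4export,-rc2,-rc2export,-des,-desede3"
)
HARDENED = (
    "-rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_128_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,"
    "-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,-fortezza,"
    "-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_rc4_56_sha,"
    "-tls_rsa_export1024_with_des_cbc_sha"
)

if __name__ == "__main__":
    for label, value in (("posted", POSTED), ("hardened", HARDENED)):
        print(label, *weak_enabled(value))
    # a client offering only sub-128-bit suites gets rsa_des_sha from POSTED
    # and no connection (None) from HARDENED
    print(negotiate(["rsa_rc4_40_md5", "rsa_des_sha"], POSTED))
    print(negotiate(["rsa_rc4_40_md5", "rsa_des_sha"], HARDENED))
```

The negotiate() result is the direct answer to the "what is the negotiating logic" question in the simplified model: the server only ever picks from the intersection of what it has enabled and what the client offered, so a low cipher left enabled on the server is reachable by any client that offers it, and a client that offers nothing in common gets a failed handshake rather than a fallback. The same functions can be pointed at the admin server value (which uses the fips_des_sha / fips_3des_sha spellings) without changes.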