Auerbach, Steven via FreeIPA-users wrote:
I have tried to set this server to clear SecureWorks vulnerabilities.
This warning I do not understand. I have the following in nss.conf:
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_nss documentation for a complete list.
NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha
# SSL Protocol:
NSSProtocol TLSv1.2
When I execute openssl s_client -connect 127.0.0.1:636 tlsv1 (or
tlsv1_1) I get a successful response of my certificate, a handshake,
and a 0 return code. SecureWorks reports SSL/TLS Server supports
TLSv1.0 port 636/tcp over SSL (LDAP port). What have I done wrong
here? Would the syntax
NSSProtocol ALL +TLSv1.2 work better?
You are tweaking the Apache TLS configuration and testing the LDAP TLS
port 636.
You can set the minimum TLS version in LDAP with:
$ ldapmodify -x -D 'cn=directory manager' -W
LDAP Password:
dn: cn=encryption,cn=config
changetype: modify
replace: sslVersionMin
sslVersionMin: TLS1.2
^D
$ sudo systemctl restart dirsrv.target
rob
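A script to verify the fix above from the outside, added here as an example and not part of the thread: it probes port 636 once per TLS version with openssl s_client's -tls1, -tls1_1 and -tls1_2 flags and reports which versions the server still negotiates, so the scanner finding can be reproduced before and after the sslVersionMin change. It assumes openssl(1) is installed and that the client build can still offer the older versions.

```shell
#!/bin/sh
# Added example, not part of the thread: verify which TLS versions a server
# still accepts, the check to run after changing sslVersionMin. Assumes
# openssl(1) is installed; the port defaults to the LDAPS port discussed above.

# classify_handshake: read an openssl s_client transcript on stdin.
# Returns 0 if a session was negotiated, 1 if it was not.
classify_handshake() {
    transcript=$(cat)
    # A refused version prints "Cipher is (NONE)" or a protocol alert. A client
    # whose own policy cannot offer the version ("no protocols available") is
    # reported the same way, so run this from a client that can still speak TLS 1.0.
    if printf '%s\n' "$transcript" | grep -Eq \
        'Cipher is \(NONE\)|handshake failure|wrong version number|unsupported protocol|no protocols available'; then
        return 1
    fi
    # A completed handshake prints "New, <proto>, Cipher is <suite>".
    if printf '%s\n' "$transcript" | grep -q 'Cipher is '; then
        return 0
    fi
    return 1
}

# probe_version HOST PORT FLAG: run s_client with one protocol flag
# (-tls1, -tls1_1 or -tls1_2) and classify the outcome.
probe_version() {
    openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1 | classify_handshake
}

# report_versions HOST PORT: print one line per version; return 1 if
# anything older than TLSv1.2 is still accepted (the scanner finding).
report_versions() {
    rc=0
    for flag in -tls1 -tls1_1 -tls1_2; do
        if probe_version "$1" "$2" "$flag"; then
            echo "$flag: accepted"
            [ "$flag" = -tls1_2 ] || rc=1
        else
            echo "$flag: refused"
        fi
    done
    return $rc
}

# Usage: sh tlscheck.sh 127.0.0.1 636
if [ -n "$1" ]; then
    report_versions "$1" "${2:-636}"
fi
```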