Christopher Lamb via FreeIPA-users wrote:
Hi A recent security scan has shown that our FreeIPA server is using 3DES SSL ciphers on port 8443, which I understand to be used by the DogTag PKI component of IPA. The question is, how can I configure the SSL Ciphers used by DogTag (e.g to remove 3DES ciphers)? I have found several files configuration files which initially look promising
- /usr/share/pki/server/conf/ciphers.info
This has defaults for the setting sslRangeCiphers, but I guess this is over-ridden by one of the configs below. Interestingly this file seems to disable all 3DES ciphers.
- /usr/share/pki/server/conf/server.xml
This has settings using constants such as TOMCAT_SSL_RANGE_CIPHERS, which I have no idea where they come from. sslVersionRangeStream="[TOMCAT_SSL_VERSION_RANGE_STREAM]" sslVersionRangeDatagram="[TOMCAT_SSL_VERSION_RANGE_DATAGRAM]" sslRangeCiphers="[TOMCAT_SSL_RANGE_CIPHERS]"
- /etc/pki/pki-tomcat/server.xml
This file has an explicit list of ciphers sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" However I am not sure if this file, or 2) above is being used by DogTag.
We are running: DogTag on Apache Tomcat/7.0.76 pki-server 10.5.9-6 ipa-server 4.6.4 OEL 7.2 (Maipo)
server.xml is the way to change this. Replace the + with a - and restart the service. You'll need to make this change on all masters with a CA, and all future masters with a CA.
As an aside, generally speaking we don't recommend mixing packages between OS releases.
rob
Christopher Lamb via FreeIPA-users wrote:
Thanks Rob My problem was which of the various server.xmls instances is pki-tomcat using. However I think I have worked it out: "ps -ef | grep tomcat" shows that catalina.base=/var/lib/pki/pki-tomcat. The directory /var/lib/pki/pki-tomcat/conf is a link to /etc/pki/pki-tomcat i.e the "active" server.xml (and the one I need to edit) is /etc/pki/pki-tomcat/server.xml. Thankfully, this is the instance with the explicit list for sslRangeCiphers Could you be more specific about "we don't recommend mixing packages between OS releases"? Is one of the packages I listed not the expected version? We have not knowingly fiddled around with the package versions. However, looking at the yum history, when I last updated ipa-server in January 2019, the update aborted with "warning: %posttrans(ipa-server-4.6.4-10.0.1.el7.x86_64) scriptlet failed, signal 2", so this might account for a package not being upgraded as expected.
You specified OEL 7.2 as the release you are using. 4.6.4 was released with RHEL 7.6.
rob
Cheers Chris
----- Original message ----- From: Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> To: FreeIPA users list <freeipa-users@lists.fedorahosted.org> Cc: Christopher Lamb <christopher.lamb@ch.ibm.com>, Rob Crittenden <rcritten@redhat.com> Subject: [Freeipa-users] Re: Configuring SSL Ciphers for FreeIPA / DogTag on port 8443 Date: Wed, Mar 13, 2019 1:40 PM Christopher Lamb via FreeIPA-users wrote: > Hi > > A recent security scan has shown that our FreeIPA server is using 3DES > SSL ciphers on port 8443, which I understand to be used by the DogTag > PKI component of IPA. > > The question is, how can I configure the SSL Ciphers used by DogTag (e.g > to remove 3DES ciphers)? > > I have found several files configuration files which initially look > promising > > 1) /usr/share/pki/server/conf/ciphers.info > This has defaults for the setting sslRangeCiphers, but I guess this is > over-ridden by one of the configs below. Interestingly this file seems > to disable all 3DES ciphers. > > 2) /usr/share/pki/server/conf/server.xml > This has settings using constants such as TOMCAT_SSL_RANGE_CIPHERS, > which I have no idea where they come from. > sslVersionRangeStream="[TOMCAT_SSL_VERSION_RANGE_STREAM]" > sslVersionRangeDatagram="[TOMCAT_SSL_VERSION_RANGE_DATAGRAM]" > sslRangeCiphers="[TOMCAT_SSL_RANGE_CIPHERS]" > > 3) /etc/pki/pki-tomcat/server.xml > This file has an explicit list of ciphers > sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" > > However I am not sure if this file, or 2) above is being used by DogTag. > > We are running: > DogTag on Apache Tomcat/7.0.76 > pki-server 10.5.9-6 > ipa-server 4.6.4 > OEL 7.2 (Maipo) server.xml is the way to change this. Replace the + with a - and restart the service. You'll need to make this change on all masters with a CA, and all future masters with a CA. As an aside, generally speaking we don't recommend mixing packages between OS releases. rob _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
On ke, 13 maalis 2019, Christopher Lamb via FreeIPA-users wrote:
30;47m Thanks Rob My problem was which of the various server.xmls instances is pki-tomcat using. However I think I have worked it out: "ps -ef | grep tomcat" shows that catalina.base=/var/lib/pki/pki-tomcat. The directory /var/lib/pki/pki-tomcat/conf is a link to /etc/pki/pki-tomcat i.e the "active" server.xml (and the one I need to edit) is /etc/pki/pki-tomcat/server.xml. Thankfully, this is the instance with the explicit list for sslRangeCiphers Could you be more specific about "we don't recommend mixing packages between OS releases"? Is one of the packages I listed not the expected version? We have not knowingly fiddled around with the package versions.
You listed ipa-server 4.6.4-10 and OL 7.2. I'm pretty sure there wasn't any kind of ipa-server 4.6 in RHEL 7.2. This means you did individual package updates instead of a distribution upgrade.
However, looking at the yum history, when I last updated ipa-server in January 2019, the update aborted with "warning: %posttrans(ipa-server-4.6.4-10.0.1.el7.x86_64) scriptlet failed, signal 2", so this might account for a package not being upgraded as expected.
freeipa-users@lists.fedorahosted.org