Christopher Lamb via FreeIPA-users wrote:
Hi
A recent security scan has shown that our FreeIPA server is using 3DES
SSL ciphers on port 8443, which I understand to be used by the DogTag
PKI component of IPA.
The question is, how can I configure the SSL Ciphers used by DogTag (e.g
to remove 3DES ciphers)?
I have found several files configuration files which initially look
promising
1) /usr/share/pki/server/conf/ciphers.info
This has defaults for the setting sslRangeCiphers, but I guess this is
over-ridden by one of the configs below. Interestingly this file seems
to disable all 3DES ciphers.
2) /usr/share/pki/server/conf/server.xml
This has settings using constants such as TOMCAT_SSL_RANGE_CIPHERS,
which I have no idea where they come from.
sslVersionRangeStream="[TOMCAT_SSL_VERSION_RANGE_STREAM]"
sslVersionRangeDatagram="[TOMCAT_SSL_VERSION_RANGE_DATAGRAM]"
sslRangeCiphers="[TOMCAT_SSL_RANGE_CIPHERS]"
3) /etc/pki/pki-tomcat/server.xml
This file has an explicit list of ciphers
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"
However I am not sure if this file, or 2) above is being used by DogTag.
We are running:
DogTag on Apache Tomcat/7.0.76
pki-server 10.5.9-6
ipa-server 4.6.4
OEL 7.2 (Maipo)
server.xml is the way to change this. Replace the + with a - and restart
the service. You'll need to make this change on all masters with a CA,
and all future masters with a CA.
As an aside, generally speaking we don't recommend mixing packages
between OS releases.
rob