Hi   A recent security scan has shown that our FreeIPA server is using 3DES SSL ciphers on port 8443, which I understand to be used by the DogTag PKI component of IPA.   The question is, how can I configure the SSL Ciphers used by DogTag (e.g to remove 3DES ciphers)?   I have found several files configuration files which initially look promising   1) /usr/share/pki/server/conf/ciphers.info This has defaults for the setting sslRangeCiphers, but I guess this is over-ridden by one of the configs below. Interestingly this file seems to disable all 3DES ciphers. 2) /usr/share/pki/server/conf/server.xml This has settings using constants such as TOMCAT_SSL_RANGE_CIPHERS, which I have no idea where they come from. sslVersionRangeStream="[TOMCAT_SSL_VERSION_RANGE_STREAM]" sslVersionRangeDatagram="[TOMCAT_SSL_VERSION_RANGE_DATAGRAM]" sslRangeCiphers="[TOMCAT_SSL_RANGE_CIPHERS]" 3) /etc/pki/pki-tomcat/server.xml This file has an explicit list of ciphers sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"   However I am not sure if this file, or 2) above is being used by DogTag. We are running: DogTag on Apache Tomcat/7.0.76 pki-server 10.5.9-6 ipa-server 4.6.4 OEL 7.2 (Maipo)

Thanks Rob   My problem was which of the various server.xmls instances is pki-tomcat using. However I think I have worked it out:   "ps -ef | grep tomcat" shows that catalina.base=/var/lib/pki/pki-tomcat.   The directory /var/lib/pki/pki-tomcat/conf is a link to /etc/pki/pki-tomcat   i.e the "active" server.xml (and the one I need to edit) is /etc/pki/pki-tomcat/server.xml. Thankfully, this is the instance with the explicit list for sslRangeCiphers   Could you be more specific about "we don't recommend mixing packages between OS releases"?   Is one of the packages I listed not the expected version? We have not knowingly fiddled around with the package versions.   However, looking at the yum history, when I last updated ipa-server in January 2019, the update aborted with "warning: %posttrans(ipa-server-4.6.4-10.0.1.el7.x86_64) scriptlet failed, signal 2", so this might account for a package not being upgraded as expected.

  Cheers   Chris           ----- Original message ----- From: Rob Crittenden via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org&gt; To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org&gt; Cc: Christopher Lamb <christopher.lamb(a)ch.ibm.com&gt;, Rob Crittenden <rcritten(a)redhat.com&gt; Subject: [Freeipa-users] Re: Configuring SSL Ciphers for FreeIPA / DogTag on port 8443 Date: Wed, Mar 13, 2019 1:40 PM   Christopher Lamb via FreeIPA-users wrote: > Hi >   > A recent security scan has shown that our FreeIPA server is using 3DES > SSL ciphers on port 8443, which I understand to be used by the DogTag > PKI component of IPA. >   > The question is, how can I configure the SSL Ciphers used by DogTag (e.g > to remove 3DES ciphers)? >   > I have found several files configuration files which initially look > promising >   > 1) /usr/share/pki/server/conf/ciphers.info > This has defaults for the setting sslRangeCiphers, but I guess this is > over-ridden by one of the configs below. Interestingly this file seems > to disable all 3DES ciphers. > > 2) /usr/share/pki/server/conf/server.xml > This has settings using constants such as TOMCAT_SSL_RANGE_CIPHERS, > which I have no idea where they come from. > sslVersionRangeStream="[TOMCAT_SSL_VERSION_RANGE_STREAM]" > sslVersionRangeDatagram="[TOMCAT_SSL_VERSION_RANGE_DATAGRAM]" > sslRangeCiphers="[TOMCAT_SSL_RANGE_CIPHERS]" > > 3) /etc/pki/pki-tomcat/server.xml > This file has an explicit list of ciphers > sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" >   > However I am not sure if this file, or 2) above is being used by DogTag. > > We are running: > DogTag on Apache Tomcat/7.0.76 > pki-server 10.5.9-6 > ipa-server 4.6.4 > OEL 7.2 (Maipo) server.xml is the way to change this. Replace the + with a - and restart the service. You'll need to make this change on all masters with a CA, and all future masters with a CA. As an aside, generally speaking we don't recommend mixing packages between OS releases. rob _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...     _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...