I am running 389-DS on CentOS. Version – '389-ds-base.i686 1.2.11.15-34.el6_5'. Security scans revealed that NullCiphers were found on Port 389 and 636.
I tried to disable them by shutting down DS, editing the 'nsSSL3Ciphers' on all '/etc/dirsrv/slapd-/dse.ldif' files, and starting DS. nsSSL3Ciphers looks like this now –
modifyTimestamp: 20140915221826Z
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
a_export1024_with_des_cbc_sha
numSubordinates: 1
Scans are still showing Null Cipher on those 2 ports.
Here is the list of null SSL ciphers supported by the remote server :
Null Ciphers (no encryption)
TLSv1
NULL-SHA Kx=RSA Au=RSA Enc=None Mac=SHA1
The fields above are :
{OpenSSL ciphername}
Port
389 / tcp / ldap
636 / tcp / ldap
Any ideas on how i can disable these Null ciphers?
Best Answer
You can either fix the ciphers manually as suggested in other answer or, when applicable, simply upgrade to FreeIPA 4.0.3 which fixes the ciphers out of the box (upstream ticket).
This is what I get with FreeIPA 4.0.3 or 4.1.0 Alpha1: