Centos – How to disable Null and Weak Ciphers on 389-Directory-Server

389-dscentosencryptionfreeipassl

I am running 389-DS on CentOS. Version – '389-ds-base.i686 1.2.11.15-34.el6_5'. Security scans revealed that NullCiphers were found on Port 389 and 636.

I tried to disable them by shutting down DS, editing the 'nsSSL3Ciphers' on all '/etc/dirsrv/slapd-/dse.ldif' files, and starting DS. nsSSL3Ciphers looks like this now –

modifyTimestamp: 20140915221826Z
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fo
 rtezza_rc4_128_sha,-fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rs
 a_export1024_with_des_cbc_sha
numSubordinates: 1

Scans are still showing Null Cipher on those 2 ports.

Here is the list of null SSL ciphers supported by the remote server :
  Null Ciphers (no encryption)
    TLSv1
      NULL-SHA                     Kx=RSA         Au=RSA      Enc=None                 Mac=SHA1   
The fields above are :
  {OpenSSL ciphername}
Port
389 / tcp / ldap    
636 / tcp / ldap

Any ideas on how i can disable these Null ciphers?

Best Answer

You can either fix the ciphers manually as suggested in other answer or, when applicable, simply upgrade to FreeIPA 4.0.3 which fixes the ciphers out of the box (upstream ticket).

This is what I get with FreeIPA 4.0.3 or 4.1.0 Alpha1:

# nmap --script ssl-cert,ssl-enum-ciphers -p 636 `hostname`

Starting Nmap 6.40 ( http://nmap.org ) at 2014-10-09 01:52 EDT
Nmap scan report for ipa.mkosek-rhel71.test (10.16.78.57)
Host is up (0.000092s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-cert: Subject: commonName=ipa.mkosek-rhel71.test/organizationName=MKOSEK-RHEL71.TEST
| Issuer: commonName=Certificate Authority/organizationName=MKOSEK-RHEL71.TEST
| Public Key type: rsa
| Public Key bits: 2048
| Not valid before: 2014-10-09T04:52:15+00:00
| Not valid after:  2016-10-09T04:52:15+00:00
| MD5:   0fc7 afd6 343b 9e51 abd0 3ba1 7bde 3c25
|_SHA-1: 246a 02f2 1663 3ca9 e97b cdd4 887e 6e10 7685 5627
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_RSA_WITH_SEED_CBC_SHA - strong
|     compressors: 
|       NULL
|_  least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 0.91 seconds

Related Solutions

Ssl – Disabling weak ciphers on Windows 2003

I believe it is all or nothing but if you disable the RC2/128 and RC4/128 ciphers, will that help? The 128 but RCx ciphers are considered medium-grade while ciphers like AES-128 are still considered high encryption. (I must confess, I don't know what the scoring system is based on)

Ldap – 389 Directory Server Administrative Limit Exceeded error

From what I understood, you are not able to get all entries. Looks like your are hitting admin limit exceeded.

If you want to search from a non-cn=Directory manager user. you need to add some attributes to user like below.

/usr/lib64/mozldap/ldapmodify -D "cn=directory manager" -w secret -p 389 -h server.example.com

dn: uid=test2,ou=People,dc=example,dc=com
changetype: modify
add: nssizelimit
nssizelimit: -1
-
add: nslookthroughlimit
nslookthroughlimit: -1

Best Answer

Related Solutions

Ssl – Disabling weak ciphers on Windows 2003

Ldap – 389 Directory Server Administrative Limit Exceeded error

Related Topic