389-DS/FreeIPA, disabling NULL and weak SSL ciphers

By default a 389-DS/ns-slapd installation will support a number of different encryption and authentication in order to support older clients. In particular it will permit use of the NULL cipher, I’m still not certain why because as implied it does not actually do anything, it means that while authentication may (if configured properly!) occur between client and server the data exchanged between them will not be encrypted at all.

This is useful if troubleshooting a problem but should not in my opinion be permitted at any other time as it leaves a window for packet sniffers to sniff transactions and MiTM attacks to operate effectively.

It will also be an issue if you’re being audited with standards like PCI-DSS – all of the automated scanners which produce reports will identify the weak and NULL cipher issue and you will have to correct it to be marked compliant.

An up to date install will produce typical output from sslscan something like this,

[root@fedora16 ~]# sslscan --no-failed localhost:636

[%REMOVED%]

Testing SSL server localhost on port 636

 Supported Server Cipher(s):  
 Accepted TLSv1 256 bits AES256-SHA  
 Accepted TLSv1 168 bits DES-CBC3-SHA  
 Accepted TLSv1 128 bits AES128-SHA  
 Accepted TLSv1 128 bits RC4-SHA  
 Accepted TLSv1 128 bits RC4-MD5  
 Accepted TLSv1 56 bits DES-CBC-SHA  
 Accepted TLSv1 40 bits EXP-RC2-CBC-MD5  
 Accepted TLSv1 40 bits EXP-RC4-MD5  
 Accepted TLSv1 0 bits NULL-SHA

 Prefered Server Cipher(s):  
 TLSv1 256 bits AES256-SHA

[%REMOVED%]

[root@fedora16 ~]#

If you’re running a very recent version in which a Dogtag CA is included, there is an different dirsrv/slapd installation for the CA running on TCP ports 7389/7390. You’ll find the same issue with it there and can fix it in the same way for your main TCP/636 listener.

So post-install we need to modify the 389/LDAP server configuration to limit ciphers to AES128/256 and RC4 with SHA. I’m leaving RC4/SHA enabled and 3DES/SHA enabled as they are often required by older Windows systems or other applications.

RC4/SHA would also be good to have for BEAST attack mitigation however I’m yet to work out how to configure cipher priority so that means it’s really only enabled in my post here for backwards compatability.

While you can apparently use various GUI tools to admin 389-ds installs and change ciphers, I’ve previously had endless troubles using them, and believe the additional services are unnecessary and present their own risks.

So on the CLI you can use ldapmodify, which will modify /etc/dirsrv/slapd-[%REALM%]/dse.ldif, a backup of which should also have already been copied automatically, during install or last configuration, to /etc/dirsrv/slapd-[%REALM%]/dse.ldif.startOK.

Another copy of it sent to /root or similar doesn’t hurt either.

If startup fails with the new modified dse.ldif, copy the dse.ldif.startOK back to dse.ldif, restart and try again – most probably you ldapmodify’ed the config with a syntactically correct .ldif but one which the server doesn’t like for some other reason.

Some other reference info on 389-DS SSL configuration is available here:
fedoraproject://Configuring_SSL_Enabled_Fedora_Directory_Server

I use sslscan to check the SSL/TLS versions supported and which ciphers are supported/permitted by the server. You can install this on hosts to scan the IPA servers, and/or the IPA servers themselves. sslyze is another great tool and the latest SVN versions support TLS 1.1 and 1.2 also.

Start by obtaining a list of the combinations that your dirsrv install supports, similar to the below:

[root@fedora16 ~]# ldapsearch -x -D "cn=directory manager" -W -b "cn=encryption,cn=config" "nsSSLSupportedCiphers"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (objectclass=*)
# requesting: nsSSLSupportedCiphers

# encryption, config  
 dn: cn=encryption,cn=config  
 nsSSLSupportedCiphers: SSL3::rc4::RC4::MD5::128  
 nsSSLSupportedCiphers: SSL3::rc4export::RC4::MD5::128  
 nsSSLSupportedCiphers: SSL3::rc2::RC2::MD5::128  
 nsSSLSupportedCiphers: SSL3::rc2export::RC2::MD5::128  
 nsSSLSupportedCiphers: SSL3::des::DES::MD5::64  
 nsSSLSupportedCiphers: SSL3::desede3::3DES::MD5::192  
 nsSSLSupportedCiphers: SSL3::rsa_rc4_128_md5::RC4::MD5::128  
 nsSSLSupportedCiphers: SSL3::rsa_rc4_128_sha::RC4::SHA1::128  
 nsSSLSupportedCiphers: SSL3::rsa_3des_sha::3DES::SHA1::192  
 nsSSLSupportedCiphers: SSL3::rsa_des_sha::DES::SHA1::64  
 nsSSLSupportedCiphers: SSL3::rsa_fips_3des_sha::3DES::SHA1::192  
 nsSSLSupportedCiphers: SSL3::fips_3des_sha::3DES::SHA1::192  
 nsSSLSupportedCiphers: SSL3::rsa_fips_des_sha::DES::SHA1::64  
 nsSSLSupportedCiphers: SSL3::fips_des_sha::DES::SHA1::64  
 nsSSLSupportedCiphers: SSL3::rsa_rc4_40_md5::RC4::MD5::128  
 nsSSLSupportedCiphers: SSL3::rsa_rc2_40_md5::RC2::MD5::128  
 nsSSLSupportedCiphers: SSL3::rsa_null_md5::NULL::MD5::0  
 nsSSLSupportedCiphers: SSL3::rsa_null_sha::NULL::SHA1::0  
 nsSSLSupportedCiphers: TLS::tls_rsa_export1024_with_rc4_56_sha::RC4::SHA1::128  
 nsSSLSupportedCiphers: TLS::rsa_rc4_56_sha::RC4::SHA1::128  
 nsSSLSupportedCiphers: TLS::tls_rsa_export1024_with_des_cbc_sha::DES::SHA1::64  
 nsSSLSupportedCiphers: TLS::rsa_des_56_sha::DES::SHA1::64  
 nsSSLSupportedCiphers: SSL3::fortezza::DES::SHA1::64  
 nsSSLSupportedCiphers: SSL3::fortezza_rc4_128_sha::DES::SHA1::64  
 nsSSLSupportedCiphers: SSL3::fortezza_null::DES::SHA1::64  
 nsSSLSupportedCiphers: SSL3::dhe_dss_des_sha::DES::SHA1::64  
 nsSSLSupportedCiphers: SSL3::dhe_dss_3des_sha::3DES::SHA1::192  
 nsSSLSupportedCiphers: SSL3::dhe_rsa_des_sha::DES::SHA1::64  
 nsSSLSupportedCiphers: SSL3::dhe_rsa_3des_sha::3DES::SHA1::192  
 nsSSLSupportedCiphers: TLS::tls_rsa_aes_128_sha::AES::SHA1::128  
 nsSSLSupportedCiphers: TLS::rsa_aes_128_sha::AES::SHA1::128  
 nsSSLSupportedCiphers: TLS::tls_dhe_dss_aes_128_sha::AES::SHA1::128  
 nsSSLSupportedCiphers: TLS::tls_dhe_rsa_aes_128_sha::AES::SHA1::128  
 nsSSLSupportedCiphers: TLS::tls_rsa_aes_256_sha::AES::SHA1::256  
 nsSSLSupportedCiphers: TLS::rsa_aes_256_sha::AES::SHA1::256  
 nsSSLSupportedCiphers: TLS::tls_dhe_dss_aes_256_sha::AES::SHA1::256  
 nsSSLSupportedCiphers: TLS::tls_dhe_rsa_aes_256_sha::AES::SHA1::256  
 nsSSLSupportedCiphers: TLS::tls_dhe_dss_1024_rc4_sha::RC4::SHA1::128  
 nsSSLSupportedCiphers: TLS::tls_dhe_dss_rc4_128_sha::RC4::SHA1::128

# RSA, encryption, config  
 dn: cn=RSA,cn=encryption,cn=config

# search result  
 search: 2  
 result: 0 Success

# numResponses: 3  
# numEntries: 2  
[root@fedora16 ~]#

From this list you can extract the names with underscores and prefix them as appropriate.

Dash led entries remove the particular cipher from the enabled list. Plus led entries enable a cipher. There does not appear to be any relevance to ordering.

You should review your current dse.ldif and generate the changes necessary based on it. The below has example ensures SSL 2/3 are disabled along with the ciphers we do not want to permit.

After a successful ldapmodify you will need to restart dirsrv and possibly any dependent services which may fall over while the slapd is unavailable. Which usually means ipa, ipa_kpasswd and krb5kdc. How you do that will depend on your installation and whether recent versions have fixed all of those issues.

Example:

[root@fedora16 ~]# cat cipher_patch.ldif
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: off
-
replace: nsSSL2
nsSSL2: off
-
replace: nsSSL3Ciphers
nsSSL3Ciphers: -rc4,-rc4export,-rc2,-rc2export,-des,-desede3,-rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,+rsa_fips_3des_sha,+fips_3des_sha,-rsa_fips_des_sha,-fips_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,-tls_rsa_export1024_with_rc4_56_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha,-rsa_des_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-dhe_dss_des_sha,+dhe_dss_3des_sha,-dhe_rsa_des_sha,+dhe_rsa_3des_sha,+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,+tls_dhe_dss_aes_256_sha,+tls_dhe_rsa_aes_256_sha,+tls_dhe_dss_1024_rc4_sha,+tls_dhe_dss_rc4_128_sha
[root@fedora16 ~]# ldapmodify -x -D "cn=directory manager" -W  -f cipher_patch.ldif
Enter LDAP Password:
modifying entry "cn=encryption,cn=config"
[root@fedora16 ~]# systemctl restart dirsrv@ROUTEDLOGIC-NET.service  
[root@fedora16 ~]# tail -n 5 /var/log/dirsrv/slapd-ROUTEDLOGIC-NET/errors  
[04/Apr/2012:03:17:57 +0000] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=routedlogic,dc=net--no CoS Templates found, which should be added before the CoS Definition.  
[04/Apr/2012:03:17:57 +0000] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=routedlogic,dc=net--no CoS Templates found, which should be added before the CoS Definition.  
[04/Apr/2012:03:17:57 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests   
[04/Apr/2012:03:17:57 +0000] - Listening on All Interfaces port 636 for LDAPS requests  
[04/Apr/2012:03:17:57 +0000] - Listening on /var/run/slapd-ROUTEDLOGIC-NET.socket for LDAPI requests  
[root@fedora16 ~]# sslscan --no-failed localhost:636

[%REMOVED%]

Testing SSL server localhost on port 636

 Supported Server Cipher(s):  
 Accepted TLSv1 256 bits AES256-SHA  
 Accepted TLSv1 168 bits DES-CBC3-SHA  
 Accepted TLSv1 128 bits AES128-SHA  
 Accepted TLSv1 128 bits RC4-SHA

 Prefered Server Cipher(s):  
 TLSv1 256 bits AES256-SHA

[%REMOVED%]

[root@fedora16 ~]#
Author image
About colin-stubbs