Jan 19, 2015 1:47 PM, in response to mdsah, by Linc Davis (Helpful answer):
Those services are not exposed to the Internet and it should make little difference how secure they are. In any case, they are plenty secure enough and you can't make them more so. A more meaningful security test would be to scan the external ports of your gateway.
-
Jan 19, 2015 11:18 PM, in response to Linc Davis, by mdsah:
Thanks Linc.
The server is running Profile Manager with a webpage accessible to the outside world, and we use our admin credentials to authenticate into it, so I wonder if this is their concern? They have also mentioned that SSLv3 is enabled on port 443, which they don't like.
They have now told me to edit the slapd.conf file to change the use of SSL and ciphers, but I can't see what I can change to sort the issue.
Appreciate any advice.
Thanks
-
Jan 20, 2015 7:21 AM, in response to mdsah, by Linc Davis:
There is a vulnerability ("POODLE") in some implementations of SSLv3, but it's been patched on all Apple devices. What the security auditors are telling you to do is unnecessary, but you will of course never convince them of that. I suggest you take down the public web portal and instead access it via VPN, using the built-in VPN service.
-
Jan 20, 2015 7:26 AM, in response to Linc Davis, by mdsah:
Thanks Linc.
That won't work, as they are saying their main concern is the LDAP service from within the network. They feel SSLv2 is not safe and want it disabled, along with only HIGH ciphers used.
-
Jan 20, 2015 7:35 AM, in response to mdsah, by Linc Davis:
I don't know of any way you can make that change. You're dealing with people who don't know how to do their job.
-
Jan 20, 2015 8:20 AM, in response to Linc Davis, by mdsah:
Tell me about it.
We've had this before, when they ran a security scan on a web server and reported SSL version issues; after a lot of running around in circles it transpired the scanner was only looking at the version headers and that Apple had been back-porting the vulnerabilities, so it was a non-issue. What can I do though? They essentially want me to rewrite the slapd.conf file, which I don't have enough Unix knowledge to do.
-
Jan 20, 2015 8:45 AM, in response to mdsah, by Linc Davis (Helpful answer):
See the section headed "TLS OPTIONS" in the slapd.conf(5) man page. Changing that file will certainly have no effect on the security of your network, because it won't change what the clients do. It may cause Open Directory to stop working altogether, which I suppose is more secure, in a way.
-
Jan 20, 2015 9:13 AM, in response to mdsah, by mdsah:
How do I call that file? I've tried, in Terminal, sudo nano /etc/openldap/slapd.conf, but I can't see the TLS OPTIONS you're referring to.
-
Jan 20, 2015 9:59 AM, in response to mdsah, by Linc Davis:
That's a heading in the man page, not in the file itself.
-
Jan 20, 2015 10:50 PM, in response to Linc Davis, by mdsah:
OK thanks Linc, I appreciate your advice. I can't even see where the ciphers are defined for LDAP. Is it fair to assume that the OpenSSL settings are generic between all services, like Apache and OpenLDAP?
-
Jan 21, 2015 9:42 AM, in response to Linc Davis, by mdsah:
So, would you believe it, I've managed to get it working. I wanted to see if Yosemite suffered from the same 'issues' that Mavericks does with SSLv2 & SSLv3 support, and also the weak ciphers being used. Well, they scanned that server and found exactly the same 'issues' as before. So I started working on it this morning, editing slapd.conf, slapd.conf.default, slapd_macosxserver.conf and apache-ssl.conf. It might sound like overkill, but I thought, what the ****. I added the following lines to all conf files:
# Apache mod_ssl directives: read by httpd (apache-ssl.conf), not by slapd
SSLProtocol ALL -SSLv2
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL
# OpenLDAP slapd.conf directive: read by slapd, not by httpd
TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
and it worked. Passed the scan with flying colours; however, I might need to mod SSLv3 to keep them happy.
I need to replicate this on a Mavericks Server, so hope the gist is the same.
Thanks for the advice Linc.
-
Jan 22, 2015 4:01 AM, in response to Linc Davis, by mdsah:
Sorry all, it transpires the information I gave yesterday was wrong. Yosemite is inherently more secure and has SSLv2 disabled by default. So the simple solution is to either upgrade your server to Yosemite or migrate your data to a new server running Yosemite, assuming your IT security folks are as helpful as mine.
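Added example, not from this thread and not Apple's, OpenLDAP's or Apache's code: a small Python model of how OpenSSL reads a cipher string (the ciphers(1) rules for ':' separated words, the '!', '-' and '+' prefixes, 'A+B' conjunctions and '@STRENGTH'), run against a constructed catalog of a dozen real suite names, to show what the TLSCipherSuite and SSLCipherSuite values posted above actually select, and what the "TLS OPTIONS" of slapd.conf(5) can and cannot control. The catalog, its strength classes (OpenSSL 1.0.x, where 3DES is still HIGH and the SSLv3/TLSv1 keywords select the same suites) and the two alternative strings STRONGER and TLS12_ONLY are assumptions made for the example.

```python
"""Model of OpenSSL cipher-string semantics, evaluated against a small
constructed suite catalog, to show what a TLSCipherSuite / SSLCipherSuite
value selects and what it cannot do (choose protocol versions)."""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str       # OpenSSL suite name
    strength: str   # HIGH / MEDIUM / LOW / EXPORT / NONE, as OpenSSL 1.0.x classed them
    proto: str      # earliest protocol that can negotiate it: SSLv2 / SSLv3 / TLSv1.2
    auth: str       # RSA, or aNULL (anonymous: no server authentication at all)
    enc: str        # AES / 3DES / RC4 / DES / NULL


# Constructed catalog: real suite names, but only a handful of the ~100 OpenSSL knows.
CATALOG = [
    Suite("ECDHE-RSA-AES128-GCM-SHA256", "HIGH", "TLSv1.2", "RSA", "AES"),
    Suite("AES256-SHA", "HIGH", "SSLv3", "RSA", "AES"),
    Suite("AES128-SHA", "HIGH", "SSLv3", "RSA", "AES"),
    Suite("ADH-AES128-SHA", "HIGH", "SSLv3", "aNULL", "AES"),
    Suite("DES-CBC3-SHA", "HIGH", "SSLv3", "RSA", "3DES"),
    Suite("RC4-SHA", "MEDIUM", "SSLv3", "RSA", "RC4"),
    Suite("RC4-MD5", "MEDIUM", "SSLv3", "RSA", "RC4"),
    Suite("DES-CBC-SHA", "LOW", "SSLv3", "RSA", "DES"),
    Suite("EXP-RC4-MD5", "EXPORT", "SSLv3", "RSA", "RC4"),
    Suite("NULL-SHA", "NONE", "SSLv3", "RSA", "NULL"),
    Suite("DES-CBC3-MD5", "HIGH", "SSLv2", "RSA", "3DES"),
]

STRENGTH_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2, "EXPORT": 3, "NONE": 4}


def _matches(s: Suite, word: str, catalog: list[Suite]) -> bool:
    """Does one cipher-string word (keyword or suite name) select suite s?"""
    if word == "ALL":                      # everything except the NULL-encryption suites
        return s.enc != "NULL"
    if word in ("HIGH", "MEDIUM", "LOW", "EXPORT"):
        return s.strength == word
    if word == "EXP":
        return s.strength == "EXPORT"
    if word in ("eNULL", "NULL"):
        return s.enc == "NULL"
    if word in ("aNULL", "ADH"):           # anonymous suites; this catalog's only anon kind is ADH
        return s.auth == "aNULL"
    if word in ("RSA", "aRSA"):
        return s.auth == "RSA"
    if word == "SSLv2":
        return s.proto == "SSLv2"
    if word in ("SSLv3", "TLSv1"):         # one set in OpenSSL 1.0.x: every pre-TLS1.2 suite
        return s.proto == "SSLv3"
    if word == "TLSv1.2":
        return s.proto == "TLSv1.2"
    if word in ("AES", "3DES", "RC4", "DES"):
        return s.enc == word
    if word == "ECDHE":
        return s.name.startswith("ECDHE-")
    if any(c.name == word for c in catalog):
        return s.name == word
    raise ValueError(f"unknown cipher-string word: {word!r}")  # catch typos such as SSLV3


def allowed_ciphers(cipher_string: str, catalog: list[Suite] = CATALOG) -> list[str]:
    """Ordered suite list the string selects, per ciphers(1): a bare word appends
    its matches; '!' removes them for good; '-' removes them but a later word can
    re-add; '+' only moves already-selected matches to the END of the list;
    'A+B' inside a word means A and B; '@STRENGTH' sorts by strength class."""
    active: list[Suite] = []
    killed: set[str] = set()
    for item in re.split(r"[:, ]+", cipher_string.strip()):
        if not item:
            continue
        if item == "@STRENGTH":
            active.sort(key=lambda s: STRENGTH_RANK[s.strength])
            continue
        op, body = (item[0], item[1:]) if item[0] in "!-+" else ("", item)
        hits = [s for s in catalog if all(_matches(s, w, catalog) for w in body.split("+"))]
        if op == "!":
            killed.update(s.name for s in hits)
            active = [s for s in active if s.name not in killed]
        elif op == "-":
            active = [s for s in active if s not in hits]
        elif op == "+":
            active = [s for s in active if s not in hits] + [s for s in active if s in hits]
        else:
            active += [s for s in hits if s.name not in killed and s not in active]
    return [s.name for s in active]


def sslv3_handshake_possible(names: list[str], catalog: list[Suite] = CATALOG) -> bool:
    """True if any selected suite is SSLv3-era. A cipher string only keeps SSLv3
    off the wire if it leaves an SSLv3 handshake no suite to pick; otherwise the
    protocol version has to be pinned by a protocol directive, not a cipher list."""
    by_name = {s.name: s for s in catalog}
    return any(by_name[n].proto == "SSLv3" for n in names)


POSTED_TLSCIPHERSUITE = "HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3"     # from the thread
POSTED_SSLCIPHERSUITE = "HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL"  # from the thread
STRONGER = "HIGH:!aNULL:!eNULL:!RC4:!3DES:!SSLv2"               # assumed alternative
TLS12_ONLY = "TLSv1.2:!aNULL:!eNULL"                            # assumed alternative

if __name__ == "__main__":
    for label, cs in [("posted TLSCipherSuite", POSTED_TLSCIPHERSUITE),
                      ("posted SSLCipherSuite", POSTED_SSLCIPHERSUITE),
                      ("stronger", STRONGER), ("TLS 1.2 only", TLS12_ONLY)]:
        names = allowed_ciphers(cs)
        print(f"{label:22} {cs}\n    selects {names}"
              f"\n    SSLv3 handshake possible: {sslv3_handshake_possible(names)}")
```

Two things the model makes visible. First, in the posted TLSCipherSuite value the '+TLSv1' and '+SSLv3' words only reorder; they remove nothing, so RC4 (MEDIUM) and the anonymous ADH suites (classed HIGH by OpenSSL, hence the usual '!aNULL') stay enabled, while the posted SSLCipherSuite value, with its '!ADH:!aNULL', is the stronger of the two. Second, a cipher list does not choose protocol versions: as long as any pre-TLS 1.2 suite survives, an SSLv3 handshake can still complete, so the version has to be pinned by its own directive, SSLProtocol for Apache and, in the TLS OPTIONS of OpenLDAP 2.4's slapd.conf(5), TLSProtocolMin (3.1 for TLS 1.0); whether the OpenLDAP build shipped with a given OS X Server version honours that directive is an assumption to verify, for example with openssl s_client -ssl3 -connect host:636 from an OpenSSL build that still has SSLv3 compiled in. The TLS12_ONLY list is the one way to get there from the cipher string alone, at the price of locking out every pre-TLS 1.2 client.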