mdsah

Q: Security Scan found Weak and Medium strength ciphers port 389&636

After a recent security scan on one of our Apple Servers running 10.9.5 (Mavericks) it has reported weak and medium strength ciphers on ports 389 & 636 and also that SSLv2 and SSLv3 are enabled. The Server is running Profile Manager and therefore also Open Directory, although we are not really using Open Directory for authentication as we have AD within the organisation.


My question is how can I modify Open Directory to only use HIGH ciphers and not MEDIUM or LOW? I have found the httpd-ssl.conf file but that is only listening on port 443. I have also found the slapd.conf but can't see where I would make the change.


Any help would be greatly appreciated.


Thanks

Server APP, OS X Mavericks (10.9.5)

Posted on Jan 19, 2015 3:20 AM

  • by Linc Davis, Helpful

    Linc Davis, Level 10 (207,926 points), Applications
    Jan 19, 2015 1:47 PM in response to mdsah

    Those services are not exposed to the Internet and it should make little difference how secure they are. In any case, they are plenty secure enough and you can't make them more so. A more meaningful security test would be to scan the external ports of your gateway.

  • by mdsah

    mdsah, Level 1 (0 points)
    Jan 19, 2015 11:18 PM in response to Linc Davis

    Thanks Linc.


    The server is running Profile Manager with a webpage accessible to the outside world, and we use our admin credentials to authenticate into it, so I wonder if this is their concern? They have also mentioned that SSLv3 is enabled on port 443, which they don't like.


    They have now told me to edit the slapd.conf file to change the use of SSL and ciphers, but I can't seem to see what I can change to sort the issue.


    Appreciate any advice.


    Thanks

  • by Linc Davis

    Linc Davis, Level 10 (207,926 points), Applications
    Jan 20, 2015 7:21 AM in response to mdsah

    There is a vulnerability ("POODLE") in some implementations of SSLv3, but it's been patched on all Apple devices. What the security auditors are telling you to do is unnecessary, but you will of course never convince them of that. I suggest you take down the public web portal and instead access it via VPN, using the built-in VPN service.

  • by mdsah

    mdsah, Level 1 (0 points)
    Jan 20, 2015 7:26 AM in response to Linc Davis

    Thanks Linc.


    That won't work, as they are saying their main concern is the LDAP service from within the network. They feel SSLv2 is not safe and want it disabled, along with only HIGH ciphers used.

  • by Linc Davis

    Linc Davis, Level 10 (207,926 points), Applications
    Jan 20, 2015 7:35 AM in response to mdsah

    I don't know of any way you can make that change. You're dealing with people who don't know how to do their job.

  • by mdsah

    mdsah, Level 1 (0 points)
    Jan 20, 2015 8:20 AM in response to Linc Davis

    Tell me about it.


    We've had this before when they ran a security scan on a web server and reported SSL version issues, and after a lot of running around in circles it transpired the scanner was only looking at the version headers and that Apple had been back-porting the vulnerabilities, so it was a non-issue. What can I do though? They essentially want me to re-write the slapd.conf file, which I don't have enough Unix knowledge to do.

  • by Linc Davis, Helpful

    Linc Davis, Level 10 (207,926 points), Applications
    Jan 20, 2015 8:45 AM in response to mdsah

    See the section headed "TLS OPTIONS" in the slapd.conf(5) man page. Changing that file will certainly have no effect on the security of your network, because it won't change what the clients do. It may cause Open Directory to stop working altogether, which I suppose is more secure, in a way.

  • by mdsah

    mdsah, Level 1 (0 points)
    Jan 20, 2015 9:13 AM in response to mdsah

    How do I call that file? I've tried "sudo nano /etc/openldap/slapd.conf" in Terminal, but I can't see the TLS OPTIONS you're referring to.

  • by Linc Davis

    Linc Davis, Level 10 (207,926 points), Applications
    Jan 20, 2015 9:59 AM in response to mdsah

    That's a heading in the man page, not in the file itself.

  • by mdsah

    mdsah, Level 1 (0 points)
    Jan 20, 2015 10:50 PM in response to Linc Davis

    OK, thanks Linc, I appreciate your advice. I can't even see where the ciphers are defined for LDAP. Is it fair to assume that the OpenSSL settings are generic between all services, like Apache and OpenLDAP?

  • by Linc Davis

    Linc Davis, Level 10 (207,926 points), Applications
    Jan 21, 2015 9:00 AM in response to mdsah

    The slapd settings only affect LDAP.

  • by mdsah

    mdsah, Level 1 (0 points)
    Jan 21, 2015 9:42 AM in response to Linc Davis

    So, would you believe it, I've managed to get it working. I wanted to see if Yosemite suffered from the same 'issues' that Mavericks does with SSLv2 & SSLv3 support, and also the weak ciphers being used. Well, they scanned that server and found exactly the same 'issues' as before. So I started working on it this morning, editing slapd.conf, slapd.conf.default, slapd_macosxserver.conf and apache-ssl.conf. It might sound like overkill, but I thought what the ****. I added the following lines to all conf files:

    SSLProtocol ALL -SSLv2

    SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL

    TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3


    and it worked. Passed the scan with flying colours; however, I might need to modify SSLv3 to keep them happy.


    I need to replicate this on a Mavericks Server, so I hope the gist is the same.


    Thanks for the advice Linc.
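As an added example (not from this thread, Apple, or the OpenLDAP project), the script below parses an slapd.conf fragment and flags the settings the scanner complained about in the question and in Linc's pointer to the "TLS OPTIONS" section of slapd.conf(5). The sample configs are constructed; the script assumes an OpenLDAP slapd linked against OpenSSL, where the TLSv1/SSLv3 tokens in a cipher string select cipher families rather than protocol versions, so the slapd.conf(5) directive TLSProtocolMin is the one that actually refuses SSLv3.

```python
from typing import Dict, List

# Constructed sample fragment; the TLSCipherSuite line is the one posted in
# the thread, which still allows MEDIUM ciphers and does not pin a protocol.
WEAK_CONF = """\
include /etc/openldap/schema/core.schema
TLSCertificateFile /etc/certificates/server.crt
TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
"""

# Constructed hardened fragment: HIGH-only ciphers with anonymous/null suites
# excluded, and TLSProtocolMin 3.1 (TLS 1.0) so SSLv2/SSLv3 are never offered.
HARD_CONF = """\
TLSCertificateFile /etc/certificates/server.crt
TLSCipherSuite HIGH:!aNULL:!eNULL:!MD5:!RC4
TLSProtocolMin 3.1
"""

def parse_tls_options(conf: str) -> Dict[str, str]:
    """Collect the TLS* directives of an slapd.conf text (last one wins, as in slapd)."""
    opts: Dict[str, str] = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].startswith("TLS") and len(parts) == 2:
            opts[parts[0]] = parts[1].strip()
    return opts

def audit_tls_options(conf: str) -> List[str]:
    """Return human-readable findings; an empty list means the fragment passes."""
    findings: List[str] = []
    opts = parse_tls_options(conf)
    suite = opts.get("TLSCipherSuite")
    if suite is None:
        findings.append("TLSCipherSuite not set: library default may allow MEDIUM/LOW")
    else:
        tokens = suite.split(":")
        for weak in ("MEDIUM", "LOW", "EXPORT", "NULL"):
            if weak in (t.lstrip("+") for t in tokens):
                findings.append(f"TLSCipherSuite enables {weak}")
        for excl in ("!aNULL", "!eNULL"):
            if excl not in tokens:
                findings.append(f"TLSCipherSuite does not exclude {excl[1:]}")
        if any(t.lstrip("+!") in ("SSLv3", "TLSv1") for t in tokens):
            findings.append("SSLv3/TLSv1 in a cipher string pick ciphers, not protocol versions")
    pmin = opts.get("TLSProtocolMin")
    if pmin is None:
        findings.append("TLSProtocolMin not set: SSLv3 may still be negotiated")
    else:
        major, _, minor = pmin.partition(".")
        if (int(major), int(minor or 0)) < (3, 1):
            findings.append(f"TLSProtocolMin {pmin} still permits SSLv3")
    return findings
```

Run the audit against /etc/openldap/slapd.conf before and after a change, and confirm the live service with a protocol-pinned client connection rather than trusting the scanner's version banner.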

  • by Linc Davis

    Linc Davis, Level 10 (207,926 points), Applications
    Jan 21, 2015 11:54 AM in response to mdsah

    Thanks for the update.

  • by mdsah

    mdsah, Level 1 (0 points)
    Jan 22, 2015 4:01 AM in response to Linc Davis

    Sorry all, it transpires the information I gave yesterday was wrong. Yosemite is inherently more secure and has SSLv2 disabled by default. So the simple solution is to either upgrade your server to Yosemite or migrate your data to a new server running Yosemite, assuming your IT security folks are as helpful as mine.
