mdsah

Q: Security Scan found Weak and Medium strength ciphers port 389&636

After a recent security scan on one of our Apple Servers running 10.9.5 (Mavericks) it has reported weak and medium strength ciphers on port 389&636 and also that SSLv2 and SSLv3 are enabled. The Server is running Profile Manager and therefore also Open Directory although we are not really using Open Directory for authentication as we have AD within the organisation.

 

My question is how can I modify Open Directory to only use HIGH ciphers and not MEDIUM or LOW? I have found the httpd-ssl.conf file but that is only listening on port 443. I have also found the slapd.conf but can't see where I would make the change.

 

Any help would be greatly appreciated.

 

Thanks

Server APP, OS X Mavericks (10.9.5)

Posted on Jan 19, 2015 3:20 AM

  • by ionepoch, Aug 24, 2016 10:02 AM in response to mdsah
    Level 1 (4 points)

    From a prior answer:

     

    >> Those services are not exposed to the Internet and it should make little difference how secure they are.

    How do you know that the author of this question doesn't have his server exposed to the internet or a wider network?

     

    >> In any case, they are plenty secure enough

    Really?

     

    >> and you can't make them more so.

    Wrong

     

    I understand the answer-er basically means "for most people on an internal network, this is probably good enough" ... I get that...  but I don't think it's ideal to spread the message of weaker security today.

     

    So how do you fix this?

     

    Determine what the weakness is:

     

    When running https://testssl.sh/ against the ldap server:

     

    • ./testssl.sh your.macserver.com:636

     

    Old Config Shows:

     SSLv2               not offered (OK)
     SSLv3               not offered (OK)
     TLS 1               offered
     TLS 1.1             offered
     TLS 1.2             offered (OK)
     Version tolerance   downgraded to TLSv1.2 (OK)
     SPDY/NPN            not offered
     HTTP2/ALPN          not offered
    
     Has server cipher order?     yes (OK)
     Negotiated protocol          TLSv1.2
     Negotiated cipher            AES256-GCM-SHA384
     Cipher order
        TLSv1:     AES256-SHA DHE-RSA-AES256-SHA AES128-SHA DHE-RSA-AES128-SHA DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA
        TLSv1.1:   AES256-SHA DHE-RSA-AES256-SHA AES128-SHA DHE-RSA-AES128-SHA DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA
        TLSv1.2:   AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 AES256-SHA256 DHE-RSA-AES256-SHA256 AES256-SHA DHE-RSA-AES256-SHA AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 AES128-SHA256 DHE-RSA-AES128-SHA256 AES128-SHA DHE-RSA-AES128-SHA DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA
    

     

    The above doesn't actually look that bad... except for what we know about TLS 1.0.

     

    Now Fix It

     

    ** You cannot modify slapd.conf files directly... you must use the ldapmodify command ... otherwise you will get CRC checksum errors upon ldap boot when it realizes someone was screwing with the file **

     

    To fix this, we create an ldif file for the solution (and a rollback just in case):

     

    • vi slapd2.ldif  (Min TLS 1.2)
    dn: cn=config
    changetype: modify
    replace: olcTLSCipherSuite
    olcTLSCipherSuite:  TLS_RSA_WITH_NULL_SHA256:TLS_RSA_WITH_AES_128_CBC_SHA256:TLS_RSA_WITH_AES_256_CBC_SHA256:TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_DH_RSA_WITH_AES_128_CBC_SHA256:TLS_DH_RSA_WITH_AES_256_CBC_SHA256:TLS_DH_RSA_WITH_AES_128_GCM_SHA256:TLS_DH_RSA_WITH_AES_256_GCM_SHA384:TLS_DH_DSS_WITH_AES_128_CBC_SHA256:TLS_DH_DSS_WITH_AES_256_CBC_SHA256:TLS_DH_DSS_WITH_AES_128_GCM_SHA256:TLS_DH_DSS_WITH_AES_256_GCM_SHA384:TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:TLS_DHE_RSA_WITH_AES_256_GCM_SHA384:TLS_DHE_DSS_WITH_AES_128_CBC_SHA256:TLS_DHE_DSS_WITH_AES_256_CBC_SHA256:TLS_DHE_DSS_WITH_AES_128_GCM_SHA256:TLS_DHE_DSS_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:TLS_DH_anon_WITH_AES_128_CBC_SHA256:TLS_DH_anon_WITH_AES_256_CBC_SHA256:TLS_DH_anon_WITH_AES_128_GCM_SHA256:TLS_DH_anon_WITH_AES_256_GCM_SHA384:RSA_WITH_AES_128_CCM:RSA_WITH_AES_256_CCM:DHE_RSA_WITH_AES_128_CCM:DHE_RSA_WITH_AES_256_CCM:RSA_WITH_AES_128_CCM_8:RSA_WITH_AES_256_CCM_8:DHE_RSA_WITH_AES_128_CCM_8:DHE_RSA_WITH_AES_256_CCM_8:ECDHE_ECDSA_WITH_AES_128_CCM:ECDHE_ECDSA_WITH_AES_256_CCM:ECDHE_ECDSA_WITH_AES_128_CCM_8:ECDHE_ECDSA_WITH_AES_256_CCM_8:TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256:TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384:TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256:TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_PSK_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256:TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256:TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256
    

     

    • vi rollback.ldif  (this is only here just in case you want to revert - don't use this)
    # cat rollback.ldif 
    # This is technically weak!!!
    dn: cn=config
    changetype: modify
    replace: olcTLSCipherSuite
    olcTLSCipherSuite:  HIGH
    

     

    Now Make the Change

     

    Then, on the Mac, we execute the change:

     

    - You need to know the "diradmin" password for your mac directory server (see here if you don't have this)

    - dc=SERVERHOSTNAME,dc=COMPANY,dc=COM needs to be swapped out with your server info

    -- for example,  operations.yourcompany.com  would become dc=operations,dc=yourcompany,dc=com

     

    • ldapmodify -v -D "uid=diradmin,cn=users,dc=SERVERHOSTNAME,dc=COMPANY,dc=COM" -h 127.0.0.1 -W -f slapd2.ldif

     

    - The above will prompt you for the diradmin password.

     

    If successful... it will say something like this:

    ldap_initialize( ldap://127.0.0.1 )
    Enter LDAP Password: 
    replace olcTLSCipherSuite:
         TLS_RSA_WITH_NULL_SHA256:TLS_RSA_WITH_AES_128_CBC_SHA256:TLS_RSA_WITH_AES_256_CBC_SHA256:TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_DH_RSA_WITH_AES_128_CBC_SHA256:TLS_DH_RSA_WITH_AES_256_CBC_SHA256:TLS_DH_RSA_WITH_AES_128_GCM_SHA256:TLS_DH_RSA_WITH_AES_256_GCM_SHA384:TLS_DH_DSS_WITH_AES_128_CBC_SHA256:TLS_DH_DSS_WITH_AES_256_CBC_SHA256:TLS_DH_DSS_WITH_AES_128_GCM_SHA256:TLS_DH_DSS_WITH_AES_256_GCM_SHA384:TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:TLS_DHE_RSA_WITH_AES_256_GCM_SHA384:TLS_DHE_DSS_WITH_AES_128_CBC_SHA256:TLS_DHE_DSS_WITH_AES_256_CBC_SHA256:TLS_DHE_DSS_WITH_AES_128_GCM_SHA256:TLS_DHE_DSS_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:TLS_DH_anon_WITH_AES_128_CBC_SHA256:TLS_DH_anon_WITH_AES_256_CBC_SHA256:TLS_DH_anon_WITH_AES_128_GCM_SHA256:TLS_DH_anon_WITH_AES_256_GCM_SHA384:RSA_WITH_AES_128_CCM:RSA_WITH_AES_256_CCM:DHE_RSA_WITH_AES_128_CCM:DHE_RSA_WITH_AES_256_CCM:RSA_WITH_AES_128_CCM_8:RSA_WITH_AES_256_CCM_8:DHE_RSA_WITH_AES_128_CCM_8:DHE_RSA_WITH_AES_256_CCM_8:ECDHE_ECDSA_WITH_AES_128_CCM:ECDHE_ECDSA_WITH_AES_256_CCM:ECDHE_ECDSA_WITH_AES_128_CCM_8:ECDHE_ECDSA_WITH_AES_256_CCM_8:TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256:TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384:TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256:TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_PSK_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256:TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256:TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256
    modifying entry "cn=config"
    modify complete
    

     

    Next Restart LDAP

     

    Next, kick slapd... don't worry.. it should instantaneously restart:

    # ps ax | grep slapd
    34742   ??  Ss     0:00.81 /usr/libexec/slapd -d 0 -h ldap:/// ldapi://%2Fvar%2Frun%2Fldapi
    34814 s001  S+     0:00.00 grep slapd
    
    # kill 34742
    
    # ps ax | grep slapd
    34753   ??  Ss     0:00.81 /usr/libexec/slapd -d 0 -h ldap:/// ldapi://%2Fvar%2Frun%2Fldapi
    34819 s001  S+     0:00.00 grep slapd
    
    ## ^^^ see... launchd or whatever auto-restarts slapd for us
    

     

    Then .. tail the opendirectory slapd log to see if there are any errors... this looks normal-ish

    # tail -n100 -f /var/log/slapd.log
    
    
    # This is good-ish:
    Aug 23 15:47:09 -- slapd[34742]: daemon: SLAP_SOCK_INIT: dtblsize=8192
    Aug 23 15:47:09 -- slapd[34742]: PROXIED attributeDescription "DC" inserted.
    Aug 23 15:47:09 -- slapd[34742]: TLS: OPENDIRECTORY_SSL_IDENTITY identity preference overrode configured olcTLSIdentity "APPLE:blah.yourcompany.com"
    Aug 23 15:47:09 -- slapd[34742]: slap_add_listener: opened additional listener 'ldaps:///'
    Aug 23 15:47:09 -- slapd[34742]: bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
    Aug 23 15:47:09 -- slapd[34742]: slapd starting
    Aug 23 15:47:09 -- slapd[34742]: daemon: posting com.apple.slapd.startup notification
    
    
    # If you screwed up... you'll see errors like this  (I'm just putting this here so you get the idea of what a problem would look like)
    ***** Aug 23 15:33:42 -- slapd[34547]: TLS: could not parse cipher spec AES256-SHA (check TLSCipherSuite setting) *****
    ***** Aug 23 15:33:42 -- slapd[34547]: main: TLS init def ctx failed: -1 *****
    ***** Aug 23 15:33:42 -- slapd[34547]: main: Enabling TLS failed; continuing with TLS disabled. *****
    

     

    Provided there are no errors... you should be good to go. Run some login smoke tests to ensure **** still works.

     

    * Normal warnings and disclosures:

    -- Make sure you have a backup of your opendirectory configs **before** making any changes

    -- Use this at your own risk as your server may be different than ours

    -- -- (it works for us / we've applied this to 3 different servers running El Cap 10.11.6 + Server 5.1.7)

    -- -- Any client applications that try and auth that are incapable of speaking TLS 1.2 will not work

    -- -- It is questionable if a future Apple upgrade will either a) just work, b) erase these settings, c) fail to upgrade properly because Apple may not support TLS 1.2 in all of their upgrade scripts?  I don't know.   Things to think about.

    -- However, if your goal is to get rid of weak ciphers, I believe this is an acceptable answer.

     

    Hope this helps.
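Two checks around the procedure in the reply above, as an added example that is not part of the original post: a lint of an `olcTLSCipherSuite` value before it is applied with `ldapmodify`, listing suites that offer no encryption (NULL) or no server authentication (anon), and a log check for the "continuing with TLS disabled" failure after slapd restarts. The function names, file names and the shortened cipher list are assumptions made for illustration; the log lines are modelled on those quoted in the reply, with the final "slapd starting" line constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Sample data below is constructed.

# List suites in an LDIF's olcTLSCipherSuite value that give no encryption
# (NULL), no server authentication (anon), or use a legacy cipher/MAC.
weak_suites() {
    sed -n 's/^olcTLSCipherSuite:[[:space:]]*//p' "$1" |
        tr ':' '\n' |
        grep -E '_(NULL|anon|EXPORT|RC4|DES|3DES)_|_MD5$' || true
}

# Succeed (exit 0) if the most recent slapd instance in the log reported
# that TLS initialisation failed, i.e. it is running with TLS disabled.
tls_failed_on_last_start() {
    awk '
        match($0, /slapd\[[0-9]+\]/) {
            pid = substr($0, RSTART, RLENGTH)
            if (pid != last) { last = pid; bad = 0 }  # a new slapd process
            if ($0 ~ /TLS init def ctx failed|continuing with TLS disabled/) bad = 1
        }
        END { exit (bad ? 0 : 1) }
    ' "$1"
}

# --- constructed sample input (hypothetical file names) ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/candidate.ldif" <<'EOF'
dn: cn=config
changetype: modify
replace: olcTLSCipherSuite
olcTLSCipherSuite:  TLS_RSA_WITH_NULL_SHA256:TLS_DHE_RSA_WITH_AES_256_GCM_SHA384:TLS_DH_anon_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
EOF
cat > "$demo_dir/slapd.log" <<'EOF'
Aug 23 15:33:42 -- slapd[34547]: TLS: could not parse cipher spec AES256-SHA (check TLSCipherSuite setting)
Aug 23 15:33:42 -- slapd[34547]: main: TLS init def ctx failed: -1
Aug 23 15:33:42 -- slapd[34547]: main: Enabling TLS failed; continuing with TLS disabled.
Aug 23 15:33:42 -- slapd[34547]: slapd starting
EOF

echo "Suites to review before applying:"
weak_suites "$demo_dir/candidate.ldif"
if tls_failed_on_last_start "$demo_dir/slapd.log"; then
    echo "WARNING: slapd is running with TLS disabled"
fi
```

On a real server, pass the LDIF you intend to apply and `/var/log/slapd.log` to the two functions instead of the demo files.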
