Did a little bit more digging, After restart ~~~~~~~~~~~~~ nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_3des_sha,-fortezza_null,-rsa_null_md5,-fo rtezza,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_des_sha,+fortezza_rc4_128_sha,-t ls_rsa_export1024_with_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha audit log ~~~~~~~~~ replace: nsSSL3Ciphers nsSSL3Ciphers: -rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_3des_sha,-rsa_rc4_40_md5, -fips_des_sha,+fips_3des_sha,-rsa_des_sha,-rsa_null_md5 Original ~~~~~~~~ nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5, +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+f ortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_ rsa_export1024_with_des_cbc_sha >From this I would conclude that the UI is doing its own thing... there is a lot of other changes that get applied as well when you make cipher changes in the UI. This would seem unnecessary at best and potentially problematic at worst. Regards > -----Original Message----- > From: 389-users-bounces at lists.fedoraproject.org [mailto:389-users- > bounces at lists.fedoraproject.org] On Behalf Of Gerrard Geldenhuis > Sent: 03 March 2011 10:07 > To: General discussion list for the 389 Directory server project. (389- > users at lists.fedoraproject.org) > Subject: Ciphers persistant after restart > > Hi > Unfortunately I am stuck with a slightly older version of 389 at the moment > so if this is fixed in a later version then great otherwise I include the details > to try an reproduce. > > Versions: > 389-admin-1.1.11-1.el5 > 389-admin-console-1.1.5-1.el5 > 389-admin-console-doc-1.1.5-1.el5 > 389-adminutil-1.1.8-4.el5 > 389-console-1.1.4-1.el5 > 389-ds-1.2.1-1.el5 > 389-ds-base-1.2.6.1-2.el5 > 389-ds-console-1.2.3-1.el5 > 389-ds-console-doc-1.2.3-1.el5 > 389-dsgw-1.1.5-1.el5 > > Problem: > Open admin console > Select Encryption tab and then click on settings button. > Select TLS tab and remove( uncheck) all ciphers below 128bits level Click Ok, > and save Exit admin console Restart admin server > > Log into admin console again. > The unchecked ciphers removed a moment ago is checked again... > > Monitoring the audit log does show that changes are being made, I need to > go through it with a fine tooth comb though. > > Any thoughts on why this is happening, a bug a feature to protect against > dumb users maybe? > > Regards > > > ___________________________________________________________________ > _____ > In order to protect our email recipients, Betfair Group use SkyScan from > MessageLabs to scan all Incoming and Outgoing mail for viruses. > > ___________________________________________________________________ > _____ > -- > 389 users mailing list > 389-users at lists.fedoraproject.org > https://admin.fedoraproject.org/mailman/listinfo/389-users ________________________________________________________________________ In order to protect our email recipients, Betfair Group use SkyScan from MessageLabs to scan all Incoming and Outgoing mail for viruses. ________________________________________________________________________
