Re: question related to EnabledCiphers values

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 


> On 3 Jul 2020, at 04:21, Ghiurea, Isabella <Isabella.Ghiurea@xxxxxxxxxxxxxx> wrote:
> 
>  Running the following ldapsearch returns a lots of entries for nsSSLEnabledCiphers, but I do not see this values in dse.ldif , where are this values configured or  read, please advise ?
>  
> nsldapsearch -LLLxD 'cn=directory manager' -W -b cn=encryption,cn=config -s base nsSSL3Ciphers nsSSLSupportedCiphers nsSSLEnabledCiphers
>  



Part of this could also be explained that not *every* config option is set in dse.ldif. The way to think of it is that every possible config value is stored, and compiled into the server as defaults. dse.ldif is your *overrides* to these values.

When you search cn=config you are seeing the compiled config values AND your overlayed content of dse.ldif.

So that's why you see nsSSLEnabledCiphers in cn=config, but NOT in dse.ldif.


The reason - this means that as a project, we can update and ship changes to configuration values (compiled into the server) that improve your server over time. And we really do this, with things like changing from SHA1 to PBKDF2 for password hashes, or changing the TLS ciphers. We do always strive to improve the baseline. It also lets us "back out" changes if something goes wrong too (we have some feature enabling flags in cn=config).

If we wrote every value into dse.ldif first, this is really daunting to new administrators. Second most people will never need to adjust 90% of these values. And third, shipping the values in dse.ldif means that old settings will persist on upgrades. Given the life of a DS server is say ... 3 to 10 years? A lot changes in TLS or our own database performance improvements. Just because you installed 3 years ago doesn't mean you should be held back by that setting. 


So as Mark said - TLS settings also interact with Fedora/RH crypto policy, so it's best to adjust the system wide crypto settings. We default to respecting and following that policy, and it's really what you should be changing in this case.

Hope that helps explain what's going on here. 

—
Sincerely,

William Brown

Senior Software Engineer, 389 Directory Server
SUSE Labs
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux