authorMartin Basti <mbasti@redhat.com>2016-03-03 17:39:34 +0100
committerMartin Basti <mbasti@redhat.com>2016-03-09 10:04:58 +0100
commitdd86f83c96961390f756e35496447d6aeae64df6 (patch)
treecb743f6370eaa2534d2d505343a702f390cbfc3d
parentabe3abb46699428038cd77f13b814de69fd7d0a2 (diff)
Configure 389ds with "default" cipher suite
nsSSLCiphers: "default" provides only secure ciphers that should be used when connecting to DS https://fedorahosted.org/freeipa/ticket/5684 Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
-rw-r--r--install/updates/20-sslciphers.update6
-rw-r--r--ipaserver/install/dsinstance.py4
2 files changed, 5 insertions, 5 deletions
diff --git a/install/updates/20-sslciphers.update b/install/updates/20-sslciphers.update
index b0c952f49..978a44ba4 100644
--- a/install/updates/20-sslciphers.update
+++ b/install/updates/20-sslciphers.update
@@ -1,6 +1,6 @@
# change configured ciphers
-# the result of this update will be that all ciphers
-# provided by NSS which ar not weak will be enabled
+# the result of this update will be that default ciphers
+# provided by DS which are not weak will be enabled
dn: cn=encryption,cn=config
-only:nsSSL3Ciphers: +all
+only:nsSSL3Ciphers: default
addifnew:allowWeakCipher: off
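Review bot: The context line `addifnew:allowWeakCipher: off` appears to write the attribute only when it is absent, so a server that already has `allowWeakCipher: on` would keep weak ciphers enabled after this update, even though the new comment says only ciphers "which are not weak" will be enabled. The installer path in dsinstance.py uses `MOD_REPLACE` for the same attribute, so fresh installs and upgrades may end up in different states. If the setting is meant to be enforced on upgrade, `only:allowWeakCipher: off` would match the `only:` used for the cipher line. If keeping an administrator's existing value is deliberate, the header comment should say so, for example `# allowWeakCipher is left unchanged if already set`.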
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 0c54b01da..741dda91f 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -777,7 +777,7 @@ class DsInstance(service.Service):
conn.do_simple_bind(DN(('cn', 'directory manager')), self.dm_password)
mod = [(ldap.MOD_REPLACE, "nsSSLClientAuth", "allowed"),
- (ldap.MOD_REPLACE, "nsSSL3Ciphers", "+all"),
+ (ldap.MOD_REPLACE, "nsSSL3Ciphers", "default"),
(ldap.MOD_REPLACE, "allowWeakCipher", "off")]
conn.modify_s(DN(('cn', 'encryption'), ('cn', 'config')), mod)
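Review bot: The new `"default"` value for `nsSSL3Ciphers` only works if the installed 389-ds recognises that keyword, and nothing in this diff raises the minimum 389-ds-base version. It is worth confirming the packaging requirement, because an unrecognised value could leave the TLS listener with an unintended cipher set or make the `modify_s` call fail. The same three-entry `mod` list is written out again in the hunk at line 1240. Defining it once as a module-level constant used by both call sites would stop the two TLS configurations drifting apart the next time the cipher policy changes. Both enclosing methods start and end outside the visible hunks, so this is based only on the lines shown.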
@@ -1240,7 +1240,7 @@ class DsInstance(service.Service):
conn.do_external_bind('root')
mod = [(ldap.MOD_REPLACE, "nsSSLClientAuth", "allowed"),
- (ldap.MOD_REPLACE, "nsSSL3Ciphers", "+all"),
+ (ldap.MOD_REPLACE, "nsSSL3Ciphers", "default"),
(ldap.MOD_REPLACE, "allowWeakCipher", "off")]
conn.modify_s(DN(('cn', 'encryption'), ('cn', 'config')), mod)