TPS ECC: when TPS server acts as an ECC SSL client to CA, TKS, or DRM, it needs to support ECC ciphers and proper public key encoding #812

Closed
pki-bot opened this issue Oct 2, 2020 · 7 comments

pki-bot commented Oct 2, 2020

This issue was migrated from Pagure Issue #241. Originally filed by nkinder (@nkinder) on 2012-07-20 00:09:24:


TPS is a server to smart card tokens and clients, but it is also a client to the other CS subsystems (CA, DRM, TKS). When in the ECC environment, TPS currently does not have the ciphers nor does it do the correct public key encoding.
We need to make sure it does those things before it can talk to any of those servers.

Investigation shows that the misleading NSS error: SEC_ERROR_INVALID_ALGORITHM (-8186) was actually caused by the NSS token not being logged in at startup. And the reason why it was not logged in was because the password was somehow not stored in the password.conf for some reason.

As for ECC ciphers, as it turns out, I have put in the ECC ciphers in this area last round (though most likely untested). The ciphers still need to be tidied up regardless, because they contain unsupported ciphers as well (they were clearly not cleaned up last round). The public key decryption flag was passed in correctly.

The bug will remain to capture the cipher cleanup effort.

@pki-bot pki-bot added this to the ECC Effort milestone Oct 2, 2020
@pki-bot pki-bot closed this as completed Oct 2, 2020

pki-bot commented Oct 2, 2020

Comment from cfu (@cfu) at 2012-08-15 07:53:28

Cipher list now matches what other servers support
tps_httpClientCiphers.diff

pki-bot commented Oct 2, 2020

Comment from cfu (@cfu) at 2012-08-15 07:55:20

Note: As stated in the description, most of the ciphers were already added. This patch matches the ciphers to those of the other CS servers, and they were tested and verified with ssltap.

pki-bot commented Oct 2, 2020

Comment from cfu (@cfu) at 2012-08-23 23:00:19

RHCS81 ECC Errata checkin:

httpClient]$ svn commit engine.cpp
Sending engine.cpp
Transmitting file data .
Committed revision 2470.

pki-bot commented Oct 2, 2020

Comment from cfu (@cfu) at 2012-08-23 23:02:40

RHCS 8.2 checkin

httpClient]$ svn commit
Sending httpClient/engine.cpp
Transmitting file data .
Committed revision 2471.

pki-bot commented Oct 2, 2020

Comment from cfu (@cfu) at 2012-08-24 00:40:12

DOGTAG_9_BRANCH checkin

[cfu@glyph pki]$ git push
Counting objects: 13, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 798 bytes, done.
Total 7 (delta 6), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/pki.git
e00930c..b0476b9 DOGTAG_9_BRANCH -> DOGTAG_9_BRANCH

pki-bot commented Oct 2, 2020

Comment from cfu (@cfu) at 2012-08-24 00:49:37

master checkin

httpClient]$ git push
Counting objects: 13, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 798 bytes, done.
Total 7 (delta 6), reused 0 (delta 0)
To ssh://cfu@git.fedorahosted.org/git/pki.git
a7c3ff6..358fdea master -> master

pki-bot commented Oct 2, 2020

Comment from nkinder (@nkinder) at 2017-02-27 14:09:34

Metadata Update from @nkinder:

  • Issue assigned to cfu
  • Issue set to the milestone: ECC Effort
