
Vault: Explicitly default to 3DES CBC #737

Closed
wants to merge 1 commit into from

Conversation

tiran
Member

@tiran tiran commented Apr 26, 2017

The server-side plugin for IPA Vault relied on the fact that the default
oid for encryption algorithm is 3DES in CBC mode (DES-EDE3-CBC). Dogtag
10.4 has changed the default from 3DES to AES. Pass the correct
algorithm OID to KeyClient.archive_encrypted_data().

Closes: https://pagure.io/freeipa/issue/6899
Signed-off-by: Christian Heimes <cheimes@redhat.com>

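The failure the PR describes can be reproduced offline with a small model of the archive call. The following is an added example, not FreeIPA or Dogtag code: a mock KRA whose default algorithm is configurable (standing in for the 3DES-to-AES change in Dogtag 10.4) and a client that either omits or passes `algorithm_oid`, mirroring the call to `KeyClient.archive_encrypted_data()` named in the commit message. The two OID values are the standard ones for DES-EDE3-CBC and AES-128-CBC; everything else is an assumption made for the demo: the parameter names of the mock method, the `"passPhrase"` data-type label, the absence of transport-certificate wrapping (the session key is stored as-is), the fact that the mock only validates the algorithm at retrieval time, and the cipher itself, which is an HMAC-SHA256 keystream with PKCS#7 padding and per-algorithm key-length checks rather than real 3DES or AES, so that the file runs on the standard library.

```python
"""Added example (not FreeIPA or Dogtag code): a mock of the IPA Vault ->
KRA archive call, showing why the plugin must pass the algorithm OID instead
of relying on the KRA's default.  The cipher is an HMAC-SHA256 keystream
standing in for DES-EDE3-CBC / AES-CBC so that the file runs on the stdlib."""
import hashlib
import hmac
import os

# Standard algorithm OIDs (these two values are real, not assumptions).
DES_EDE3_CBC_OID = "1.2.840.113549.3.7"
AES_128_CBC_OID = "2.16.840.1.101.3.4.1.2"

# Key lengths of the real algorithms.  The stand-in enforces them so that a
# record tagged with the wrong OID is rejected the way a real cipher would.
KEY_LEN = {DES_EDE3_CBC_OID: 24, AES_128_CBC_OID: 16}
BLOCK = 8  # padding block size of the stand-in cipher (constructed)


def _keystream(oid, key, iv, length):
    # HMAC-SHA256 in counter mode; the OID is mixed in so the two "algorithms"
    # yield unrelated keystreams, as real 3DES and AES would.
    out = b""
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, oid.encode() + iv + ctr.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def encrypt(oid, key, iv, data):
    if len(key) != KEY_LEN[oid]:
        raise ValueError("%s needs a %d-byte key" % (oid, KEY_LEN[oid]))
    pad = BLOCK - len(data) % BLOCK
    padded = data + bytes([pad]) * pad
    return bytes(a ^ b for a, b in
                 zip(padded, _keystream(oid, key, iv, len(padded))))


def decrypt(oid, key, iv, blob):
    if len(key) != KEY_LEN[oid]:
        raise ValueError("%s needs a %d-byte key" % (oid, KEY_LEN[oid]))
    padded = bytes(a ^ b for a, b in
                   zip(blob, _keystream(oid, key, iv, len(blob))))
    pad = padded[-1] if padded else 0
    if not 1 <= pad <= BLOCK or padded[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding")
    return padded[:-pad]


class MockKRA:
    """Stand-in for Dogtag's KRA.  `default_oid` models the server default
    that moved from 3DES to AES in Dogtag 10.4 (assumption: the mock applies
    it whenever the client omits algorithm_oid)."""

    def __init__(self, default_oid):
        self.default_oid = default_oid
        self.records = {}

    def archive_encrypted_data(self, client_key_id, data_type, encrypted_data,
                               wrapped_session_key, algorithm_oid=None,
                               nonce_iv=None):
        # Parameter names are an assumption modelled on the pki KeyClient
        # method the PR names; the session key is stored unwrapped here.
        oid = algorithm_oid or self.default_oid
        self.records[client_key_id] = (data_type, encrypted_data,
                                       wrapped_session_key, oid, nonce_iv)
        return client_key_id

    def retrieve(self, client_key_id):
        _data_type, blob, key, oid, iv = self.records[client_key_id]
        return decrypt(oid, key, iv, blob)


def vault_archive(kra, vault_id, secret, explicit_oid):
    """Client side, modelled on the Vault plugin: encrypt under a fresh
    3DES-length session key and archive.  `explicit_oid` toggles the fix."""
    session_key = os.urandom(KEY_LEN[DES_EDE3_CBC_OID])
    iv = os.urandom(BLOCK)
    blob = encrypt(DES_EDE3_CBC_OID, session_key, iv, secret)
    kra.archive_encrypted_data(
        vault_id, "passPhrase", blob, session_key,  # data type label: assumption
        algorithm_oid=DES_EDE3_CBC_OID if explicit_oid else None,
        nonce_iv=iv)


def run_demo(secret=b"vault secret", kra_default=AES_128_CBC_OID):
    """What the KRA hands back for the pre-fix (implicit) and post-fix
    (explicit) calls; an error string stands for a failed retrieval."""
    results = {}
    for label, explicit in (("implicit", False), ("explicit", True)):
        kra = MockKRA(kra_default)
        vault_archive(kra, "vault1", secret, explicit)
        try:
            results[label] = kra.retrieve("vault1")
        except ValueError as exc:
            results[label] = "retrieval failed: %s" % exc
    return results


if __name__ == "__main__":
    for label, value in run_demo().items():
        print(label, value)
```

Running `run_demo()` against a KRA defaulting to AES shows the implicit call failing and the explicit call succeeding; `run_demo(kra_default=DES_EDE3_CBC_OID)` shows why the omission went unnoticed before Dogtag 10.4, when the default still matched what the client actually used. The general lesson is the one the PR applies: a client that chooses the cipher must also name it on the wire, rather than leaning on a server default that can change between releases.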
@tiran
Member Author

tiran commented Apr 26, 2017

  • I haven't verified that the patch actually solves the problem
  • Needs backport to at least 4.5
  • Either needs backport to 4.4 or 4.4 must require Dogtag < 10.4

@pvoborni
Member

Should go to 4.4.5 unless pki-core-10.4.0-1 is removed from f25. Blocking new Dogtag update in 4.4 doesn't seem right to me.

@tiran
Member Author

tiran commented Apr 27, 2017

I talked to Matt. Dogtag 10.4 will not be pushed to F25 and F26, only rawhide/F27. Additionally, Ade will also address the bug in Dogtag. The next 10.4 release will have a fix, too.

@pvoborni pvoborni added the prioritized Pull Request has higher priority for PR-CI label Apr 27, 2017
@frasertweedale frasertweedale added the ack Pull Request approved, can be merged label Apr 28, 2017
@frasertweedale
Contributor

Tested; fix makes it work again against Dogtag (where Dogtag does not contain Ade's fix). ACK.

@MartinBasti
Contributor

master:

  • 5197422 Vault: Explicitly default to 3DES CBC

ipa-4-5:

  • e94a1d1 Vault: Explicitly default to 3DES CBC

@MartinBasti MartinBasti added the pushed Pull Request has already been pushed label Apr 28, 2017
@tiran tiran deleted the vault_default_3des branch May 2, 2017 10:00