TPS is a server to smart card tokens and clients, but it is also a client to the other CS subsystems (CA, DRM, TKS). When in the ECC environment, TPS currently does not have the ciphers, nor does it do the correct public key encoding. We need to make sure it does those things before it can talk to any of those servers.
Investigation shows that the misleading NSS error SEC_ERROR_INVALID_ALGORITHM (-8186) was actually caused by the NSS token not being logged in at startup. And the reason it was not logged in was that the password was somehow not stored in password.conf.
As for the ECC ciphers, as it turns out, I put the ECC ciphers in this area last round (though most likely untested). The cipher list still needs to be tidied up regardless, because it contains unsupported ciphers as well (they were clearly not cleaned up last round). The public key decryption flag was passed in correctly.
The bug will remain open to capture the cipher clean-up effort.
Cipher list now matches what the other servers support: tps_httpClientCiphers.diff
Note: As stated in the Description, most of the ciphers were already added. This patch matches the ciphers to those of the other CS servers; it was tested and verified with ssltap.
RHCS81 ECC Errata checkin:
httpClient]$ svn commit engine.cpp
Sending        engine.cpp
Transmitting file data .
Committed revision 2470.
RHCS 8.2 checkin
httpClient]$ svn commit
Sending        httpClient/engine.cpp
Transmitting file data .
Committed revision 2471.
DOGTAG_9_BRANCH checkin
[cfu@glyph pki]$ git push
Counting objects: 13, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 798 bytes, done.
Total 7 (delta 6), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/pki.git
   e00930c..b0476b9  DOGTAG_9_BRANCH -> DOGTAG_9_BRANCH
master checkin
httpClient]$ git push
Counting objects: 13, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 798 bytes, done.
Total 7 (delta 6), reused 0 (delta 0)
To ssh://cfu@git.fedorahosted.org/git/pki.git
   a7c3ff6..358fdea  master -> master
Metadata Update from @nkinder:
- Issue assigned to cfu
- Issue set to the milestone: ECC Effort
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/812
If you want to receive further updates on the issue, please navigate to the GitHub issue and click the Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.