Add SCEP support for GetCACaps - http://tools.ietf.org/html/draft-nourse-scep-23#appendix-C.1
Moving to FUTURE milestone due to security issues described in http://tools.ietf.org/html/draft-nourse-scep-23#section-8.7
From duplicate ticket 1298:
When ca.scep.enable is set to 'true', the default SCEP configuration currently rejects PKCSReq PKIOperation requests which use MD5 or DES, but the server doesn't respond to GetCACaps requests, so clients have no way of reliably determining what they should be doing instead.
How reproducible:
Always
Steps to Reproduce:
1. Enable SCEP.
2. curl -v -v -v 'http://$server:9180/ca/cgi-bin/pkiclient.exe?operation=GetCACaps&message=0'
Actual results:
404 error
Expected results:
200 OK, contents based on the ca.scep.allowedEncryptionAlgorithms and ca.scep.allowedHashAlgorithms settings.
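An added example (not Dogtag's or certmonger's code) showing both halves of the GetCACaps exchange described above: the server side builds the text/plain reply from the two ca.scep.allowed* settings using the capability keywords of appendix C.1, and the client side picks the strongest advertised algorithms and refuses the MD5/DES fallback unless the exchange ran over HTTPS (the section 8.7 risk). The comma-separated value format of the settings is an assumption.

```python
"""GetCACaps: server-side reply from Dogtag-style settings, client-side choice."""

# Assumed value format for ca.scep.allowedHashAlgorithms / allowedEncryptionAlgorithms:
# comma-separated names, e.g. "SHA1,SHA256,SHA512" and "DES3" (constructed here).
HASH_KEYWORDS = {"SHA1": "SHA-1", "SHA256": "SHA-256", "SHA512": "SHA-512"}
ENC_KEYWORDS = {"DES3": "DES3"}
# Client preference order, strongest first. MD5 and DES are the protocol baseline:
# they have no GetCACaps keyword and are what a client assumes without a reply.
HASH_ORDER = ["SHA-512", "SHA-256", "SHA-1", "MD5"]
ENC_ORDER = ["DES3", "DES"]


def getcacaps_body(allowed_enc: str, allowed_hash: str) -> str:
    """Build the GetCACaps body: one appendix C.1 keyword per line, derived only
    from the algorithms the CA will actually accept in PKIOperation requests.
    Other keywords (POSTPKIOperation, Renewal, ...) are deliberately not
    advertised here since this example does not implement them."""
    caps = []
    for alg in allowed_hash.split(","):
        keyword = HASH_KEYWORDS.get(alg.strip().upper())
        if keyword:
            caps.append(keyword)
    for alg in allowed_enc.split(","):
        keyword = ENC_KEYWORDS.get(alg.strip().upper())
        if keyword:
            caps.append(keyword)
    return "\n".join(caps) + "\n"


def parse_caps(status: int, body: str) -> set:
    """A 404 or empty reply (the bug reported above) advertises nothing."""
    if status != 200:
        return set()
    return {line.strip() for line in body.splitlines() if line.strip()}


def choose_algorithms(status: int, body: str, https: bool) -> tuple:
    """Client side: strongest advertised hash and cipher, else the MD5/DES baseline.
    Over plain HTTP an attacker can strip or suppress the reply to force that
    baseline (draft section 8.7), so the downgrade is only accepted over HTTPS,
    where the reply's integrity is protected by the transport."""
    advertised = parse_caps(status, body)
    hash_alg = next((h for h in HASH_ORDER if h in advertised), "MD5")
    enc_alg = next((e for e in ENC_ORDER if e in advertised), "DES")
    if (hash_alg == "MD5" or enc_alg == "DES") and not https:
        raise ValueError("GetCACaps unavailable: refusing MD5/DES downgrade over HTTP")
    return hash_alg, enc_alg
```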
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1198257 (Red Hat Certificate System)
Per CS/DS Meeting of 03/09/2015: 10.3
Certmonger recently added SCEP support, and it relies on GetCACaps. Without adding this support, certmonger fails with somewhat cryptic error messages. We should add this in 10.3 so certmonger works nicely with Dogtag via SCEP.
Per Bug Triage of 05/03/2016: 10.4
Metadata Update from @awnuk: - Issue set to the milestone: UNTRIAGED
Metadata Update from @mharmsen: - Custom field feature adjusted to None - Custom field proposedmilestone adjusted to None - Custom field proposedpriority adjusted to None - Custom field reviewer adjusted to None - Custom field version adjusted to None - Issue close_status updated to: None - Issue set to the milestone: FUTURE (was: UNTRIAGED)
Is there going to be any movement on this?
Ideally, this would be something that I could enable if I choose to accept the risk as presented in http://tools.ietf.org/html/draft-nourse-scep-23#section-8.7.
I would like to note that for certmonger, you can make the entire SCEP transaction over HTTPS, so that threat is nullified and, as it currently sits, you have effectively executed the risk in certmonger since it will downgrade to the lowest possible cipher and hash by default and the user cannot override it. See https://pagure.io/certmonger/issue/89 for details.
Metadata Update from @mharmsen: - Issue assigned to cfu - Issue set to the milestone: 10.6 (was: FUTURE)
Per 10.5.x/10.6 Triage: 10.6
Upgrading SCEP is being proposed for 10.6
Is this still on the road map for 10.6?
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/1197
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.
Metadata Update from @dmoluguw: - Issue close_status updated to: migrated - Issue status updated to: Closed (was: Open)