#627 Add SCEP support for GetCACaps
Closed: migrated 3 years ago by dmoluguw. Opened 11 years ago by awnuk.


Moving to FUTURE milestone due to security issues described in http://tools.ietf.org/html/draft-nourse-scep-23#section-8.7

From duplicate ticket 1298:

When ca.scep.enable is set to 'true', the default SCEP configuration currently
rejects PKCSReq PKIOperation requests which use MD5 or DES, but the server
doesn't respond to GetCACaps requests, so clients have no way of reliably
determining what they should be doing instead.

How reproducible:

Always

Steps to Reproduce:

1. Enable SCEP.
2. curl -v -v -v
'http://$server:9180/ca/cgi-bin/pkiclient.exe?operation=GetCACaps&message=0'

Actual results:

404 error

Expected results:

200 OK, contents based on the ca.scep.allowedEncryptionAlgorithms and
ca.scep.allowedHashAlgorithms settings.

Per CS/DS Meeting of 03/09/2015: 10.3

Certmonger recently added SCEP support, and it relies on GetCACaps. Without adding this support, certmonger fails with somewhat cryptic error messages. We should add this in 10.3 so certmonger works nicely with Dogtag via SCEP.

Per Bug Triage of 05/03/2016: 10.4

Metadata Update from @awnuk:
- Issue set to the milestone: UNTRIAGED

7 years ago

Metadata Update from @mharmsen:
- Custom field feature adjusted to None
- Custom field proposedmilestone adjusted to None
- Custom field proposedpriority adjusted to None
- Custom field reviewer adjusted to None
- Custom field version adjusted to None
- Issue close_status updated to: None
- Issue set to the milestone: FUTURE (was: UNTRIAGED)

7 years ago

Is there going to be any movement on this?

Ideally, this would be something that I could enable if I choose to accept the risk as presented in http://tools.ietf.org/html/draft-nourse-scep-23#section-8.7.

I would like to note that for certmonger, you can make the entire SCEP transaction over HTTPS, so that threat is nullified and, as it currently sits, you have effectively executed the risk in certmonger since it will downgrade to the lowest possible cipher and hash by default and the user cannot override it. See https://pagure.io/certmonger/issue/89 for details.

Metadata Update from @mharmsen:
- Issue assigned to cfu
- Issue set to the milestone: 10.6 (was: FUTURE)

6 years ago

Per 10.5.x/10.6 Triage: 10.6

Upgrading SCEP is being proposed for 10.6

Is this still on the road map for 10.6?

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/1197

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Metadata Update from @dmoluguw:
- Issue close_status updated to: migrated
- Issue status updated to: Closed (was: Open)

3 years ago

Log in to comment on this ticket.

Metadata