c643e56 Vault: fix interoperability issues with older RHEL systems

4 files Authored by ftrivino a year ago, Committed by frenaud a year ago,
    Vault: fix interoperability issues with older RHEL systems
    
    AES-128-CBC was recently enabled as default wrapping algorithm for transport of secrets.
    This change was done in favor of FIPS as crypto-policies disabled 3DES in RHEL9, but
    setting AES as default ended up breaking backwards compatibility with older RHEL systems.
    
    This commit is tuning some defaults so that interoperability with older RHEL systems
    works again. The new logic reflects:
    
    - when an old client is calling a new server, it doesn't send any value for wrapping_algo
      and the old value is used (3DES), so that the client can decrypt using 3DES.
    
    - when a new client is calling a new server, it sends wrapping_algo = AES128_CBC
    
    - when a new client is calling an old server, it doesn't send any value and the default is
      to use 3DES.
    
    Finally, as this logic is able to handle overlapping wrapping algorithms between server and
    client, the option "--wrapping-algo" is hidden from "ipa vault-archive --help" and "ipa
    vault-retrieve --help" commands.
    
    Fixes: https://pagure.io/freeipa/issue/9259
    Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
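The three client/server combinations listed in the commit message amount to a small negotiation rule: the server honours an explicit `wrapping_algo` and otherwise falls back to 3DES, and a new client only sends `AES128_CBC` when it knows the server is new. The following is an added model of that rule, not FreeIPA's own code. The `Peer` class, the `supports_aes` flag (standing in for however the real client learns the server's version, which this page does not show) and the algorithm strings are assumptions made for illustration; the point it checks is that every combination ends with an algorithm both sides can unwrap.

```python
"""Added example (not FreeIPA's code): models the wrapping-algorithm
negotiation described in the commit message for vault archive/retrieve."""
from dataclasses import dataclass

# Algorithm names as used in the commit message; the string forms are constructed.
LEGACY_ALGO = "3DES"        # what old clients and old servers assume
NEW_ALGO = "AES128_CBC"     # what new clients request from new servers


@dataclass(frozen=True)
class Peer:
    """Hypothetical model of one side of the exchange.

    supports_aes=True marks a 'new' version that understands the
    wrapping_algo parameter and can wrap/unwrap with AES-128-CBC.
    """
    supports_aes: bool

    def can_unwrap(self, algo: str) -> bool:
        """Old peers only handle 3DES; new peers handle both."""
        return algo == LEGACY_ALGO or self.supports_aes


def client_request(client: Peer, server: Peer) -> dict:
    """Build the request a client sends.

    - old client: never sends wrapping_algo (it predates the parameter)
    - new client -> new server: sends wrapping_algo = AES128_CBC
    - new client -> old server: sends nothing, so the server default applies
    """
    if client.supports_aes and server.supports_aes:
        return {"wrapping_algo": NEW_ALGO}
    return {}


def server_select(server: Peer, request: dict) -> str:
    """Server side of the rule: use an explicit wrapping_algo if present,
    otherwise fall back to 3DES so an old client can still decrypt."""
    algo = request.get("wrapping_algo")
    if algo is None:
        return LEGACY_ALGO
    if not server.can_unwrap(algo):
        # An old server would not understand the parameter at all; modelled
        # here as a hard failure rather than silently wrapping with 3DES.
        raise ValueError(f"server cannot wrap with {algo}")
    return algo


def negotiate(client: Peer, server: Peer) -> str:
    """Run one archive/retrieve exchange and return the algorithm used."""
    return server_select(server, client_request(client, server))


def interoperable(client: Peer, server: Peer) -> bool:
    """True if the negotiated algorithm can be unwrapped by both peers."""
    algo = negotiate(client, server)
    return client.can_unwrap(algo) and server.can_unwrap(algo)


if __name__ == "__main__":
    for c in (Peer(False), Peer(True)):
        for s in (Peer(False), Peer(True)):
            print(f"client new={c.supports_aes} server new={s.supports_aes}: "
                  f"{negotiate(c, s)} interoperable={interoperable(c, s)}")
```

Running the block prints the outcome for all four version pairings; only the new-client/new-server pair uses AES128_CBC, and every pairing is interoperable, which is the property the commit restores.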
    
        
file modified
+2 -2
file modified
+2 -2
file modified
+4 -3
file modified
+2 -2