#6524 Vault key archival using AES
Closed: fixed 2 years ago by abbra. Opened 7 years ago by cheimes.

Currently vault uses 3DES (CKM_DES3_CBC_PAD) for transport encryption. The default should be changed to AES (CKM_AES_CBC_PAD). The algorithm is hard-coded and the protocol does contain a protocol indicator. We need to come up with an API to negotiate and select either 3DES for old systems or AES for more recent ones.

Also see https://fedorahosted.org/pki/ticket/1408
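The negotiation this post asks for, as an added example in Go using only the standard library (not FreeIPA's or Dogtag's code): SelectMechanism, NewBlock, WrapSecret and UnwrapSecret are hypothetical names, and the example assumes the "_PAD" mechanisms mean CBC with PKCS#7 padding, a session key and IV supplied by the caller, and a 16-byte key for the AES case (AES-128-CBC, the default named in the changelog).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"errors"
)
// PKCS#11 mechanism names from the ticket; the key length picks AES-128 (16 bytes) or 3DES (24).
const MechDES3CBCPad = "CKM_DES3_CBC_PAD" // legacy default, 8-byte blocks
const MechAESCBCPad = "CKM_AES_CBC_PAD"   // new default, 16-byte blocks
// SelectMechanism is the negotiation the ticket asks for (hypothetical API, not IPA's): AES when the KRA supports it, else 3DES only while legacy use is still allowed.
func SelectMechanism(kraSupportsAES, allowLegacy bool) (string, error) {
	if kraSupportsAES {
		return MechAESCBCPad, nil
	} else if allowLegacy {
		return MechDES3CBCPad, nil
	}
	return "", errors.New("KRA offers only 3DES wrapping and legacy fallback is disabled")
}
// NewBlock maps the negotiated name to a cipher and fails closed on anything unknown.
func NewBlock(mech string, key []byte) (cipher.Block, error) {
	switch mech {
	case MechAESCBCPad:
		return aes.NewCipher(key)
	case MechDES3CBCPad:
		return des.NewTripleDESCipher(key)
	}
	return nil, errors.New("unknown wrapping mechanism " + mech)
}
// WrapSecret is CBC with PKCS#7 padding (the "_PAD" in the mechanism name); the blob carries no mechanism indicator, so the name and IV must travel with it.
func WrapSecret(blk cipher.Block, iv, secret []byte) []byte {
	pad := blk.BlockSize() - len(secret)%blk.BlockSize()
	buf := append(append([]byte{}, secret...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(buf, buf)
	return buf
}
// UnwrapSecret reverses WrapSecret, rejecting a malformed blob or bad padding.
func UnwrapSecret(blk cipher.Block, iv, blob []byte) ([]byte, error) {
	if len(blob) == 0 || len(blob)%blk.BlockSize() != 0 {
		return nil, errors.New("malformed blob")
	}
	buf := append([]byte{}, blob...)
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(buf, buf)
	if pad := int(buf[len(buf)-1]); pad > 0 && pad <= blk.BlockSize() && bytes.Equal(buf[len(buf)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return buf[:len(buf)-pad], nil
	}
	return nil, errors.New("bad padding")
}
```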


Metadata Update from @cheimes:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5

7 years ago

Depends on Dogtag 10.4

Metadata Update from @pvoborni:
- Issue close_status updated to: None
- Issue priority set to: 2 (was: 3)
- Issue set to the milestone: FreeIPA 4.7 (was: FreeIPA 4.5)

7 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)

5 years ago

FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone

Will this issue be fixed in FreeIPA 4.7.1? It seems to have been around for a long time now. The use of 3DES is a blocker for using FreeIPA Vault until it gets changed to AES. It would be really great if this gets fixed as soon as possible.

The roadmap for 4.7.1 (and beyond) is not set yet.

Also, a protocol and use of 3DES is defined by Dogtag KRA side. Dogtag needs to evolve there first.

Near as I can tell, the Dogtag side is done. They have a new mechanism for picking the encryption OID, but it isn't as simple as flipping DES -> AES in the IPA vault plugin. Coordination will be needed for any further changes needed to the IPA KRA client.

master:

  • 40c362e Support AES for KRA archival wrapping
  • b8f45fc Set AES as default for KRA archival wrapping

ipa-4-9:

  • 895e99b Support AES for KRA archival wrapping
  • 984190e Set AES as default for KRA archival wrapping

Metadata Update from @abbra:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago

Metadata Update from @frenaud:
- Custom field changelog adjusted to The vault plugin now uses AES-128-CBC as default wrapping algorithm for the transport of secrets.
- Issue set to the milestone: None (was: FreeIPA 4.7.1)

2 years ago
