#9259 vault interoperability with older RHEL systems is broken
Closed: fixed 2 years ago by frenaud. Opened 2 years ago by ftrivino.

Issue

AES-128-CBC was recently enabled as default wrapping algorithm for transport of secrets.

This change was done in favor of FIPS as crypto-policies disabled 3DES in RHEL9, but
setting AES as default ended up breaking backwards compatibility with older RHEL systems.

Steps to Reproduce

  1. spawn a topology with a rhel7.9 server, and a rhel8.7 client
  2. add a vault from the client: "ipa vault-add vault"

Actual behavior

Client fails with: "ipa: ERROR: an internal error has occurred"; for other combinations you could see: "ipa: ERROR: Unknown option: wrapping_algo".

Without FIPS:

oldServer + newReplica + newClient:

client fails with: "ipa: ERROR: Unknown option: wrapping_algo"
replica works
master works

newServer + oldClient:

client fails with: "ipa: ERROR: an internal error has occurred"
server works

With FIPS:

oldServer + newReplica + newClient:

client fails with: "ipa: ERROR: Unknown option: wrapping_algo"
replica works
master works

newServer + oldClient:

client fails with: "ipa: ERROR: an internal error has occurred"
server works

where old is RHEL7 and new is RHEL8

Expected behavior

ipa vaults work when running in mixed topologies.

Additional info:

The new wrapping algo implementation:

40c362e
"Support AES for KRA archival wrapping"

introduced a new option "--wrapping-algorithm" for "ipa vault-[retrieve/archive]" that is supposed to be internal only; actually it doesn't work. It should be hidden.
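The mixed-topology failures listed in this ticket, modelled as an added Python example that is not FreeIPA's code: an old server rejects the unknown `wrapping_algo` option, a new server that assumes AES when the option is absent cannot unwrap a 3DES-wrapped secret from an old client, and a compatibility-aware client picks the algorithm from what the server's schema advertises. The class and function names, the base parameter set and the server-side cause of the "internal error" are assumptions for the model, not statements from the ticket.

```python
# Constructed model of the vault wrapping negotiation described in this ticket.
# ServerApi, archive(), *_client() and outcome() are assumed names, not FreeIPA code.
LEGACY = "des-ede3-cbc"  # what pre-AES releases assume when no algorithm is given
AES = "aes-128-cbc"      # new default introduced by 40c362e

class UnknownOption(Exception):
    """Mirrors 'ipa: ERROR: Unknown option: <name>' from an old server."""
class InternalError(Exception):
    """Mirrors 'ipa: ERROR: an internal error has occurred'."""

class ServerApi:
    def __init__(self, params, algos, default_when_absent):
        self.params = frozenset(params)  # options the server's schema accepts
        self.algos = frozenset(algos)    # wrapping algorithms the KRA can unwrap
        self.default_when_absent = default_when_absent  # algo assumed if option missing

    def archive(self, wrapped_with, **options):
        unknown = set(options) - self.params
        if unknown:
            raise UnknownOption("Unknown option: " + ", ".join(sorted(unknown)))
        algo = options.get("wrapping_algo", self.default_when_absent)
        # Data wrapped with an algorithm the server did not expect cannot be unwrapped.
        if algo != wrapped_with or algo not in self.algos:
            raise InternalError("an internal error has occurred")
        return algo

BASE_PARAMS = {"session_key", "vault_data", "nonce"}  # assumed legacy parameter set
OLD_SERVER = ServerApi(BASE_PARAMS, {LEGACY}, LEGACY)
# Server from the original AES change: assumes AES when the option is missing (assumption).
BROKEN_NEW_SERVER = ServerApi(BASE_PARAMS | {"wrapping_algo"}, {LEGACY, AES}, AES)
# Server after the fix: a missing option means a legacy client, so assume 3DES.
FIXED_NEW_SERVER = ServerApi(BASE_PARAMS | {"wrapping_algo"}, {LEGACY, AES}, LEGACY)

def naive_client(server):
    """Client from the original change: always sends the new option with AES."""
    return server.archive(AES, wrapping_algo=AES)
def old_client(server):
    """RHEL 7 era client: no option, secret wrapped with 3DES."""
    return server.archive(LEGACY)

def compat_client(server):
    """Fixed client: send the option only if the server's schema advertises it."""
    if "wrapping_algo" in server.params:
        return server.archive(AES, wrapping_algo=AES)
    return server.archive(LEGACY)

def outcome(client, server):
    """Return the wrapping algorithm used, or the error string the user would see."""
    try:
        return client(server)
    except (UnknownOption, InternalError) as e:
        return "ipa: ERROR: " + str(e)
```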


a rhel8.7 client

Is this caused by the fix in (the ipa shipped in) RHEL 8.7 for retrieving vaults from RHEL 9 servers where AES-128-CBC is used?

That being the case does this apply to RHEL 9 clients retrieving secrets from RHEL 8/7 servers?

Thanks :)

Hi yrro, this issue applies to interoperability with old RHEL systems, rhel7 with rhel8/9.

Is there a RHEL bugzilla tracking bug for this yet? Thanks.

master:

  • 93548f2 Vault: fix interoperability issues with older RHEL systems

ipa-4-10:

  • ba96263 Vault: fix interoperability issues with older RHEL systems

ipa-4-9:

  • c643e56 Vault: fix interoperability issues with older RHEL systems

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2144737

2 years ago

master:

  • 35876b4 API reference: update vault doc

ipa-4-10:

  • 42957f9 API reference: update vault doc

ipa-4-9:

  • 4d6eabd API reference: update vault doc
