Discussion:
[Freeipa-devel] [freeipa PR#737][opened] Vault: Explicitly default to 3DES CBC
tiran
2017-04-26 16:19:49 UTC
URL: https://github.com/freeipa/freeipa/pull/737
Author: tiran
Title: #737: Vault: Explicitly default to 3DES CBC
Action: opened

PR body:
"""
The server-side plugin for IPA Vault relied on the fact that the default
oid for encryption algorithm is 3DES in CBC mode (DES-EDE3-CBC). Dogtag
10.4 has changed the default from 3DES to AES. Pass the correct
algorithm OID to KeyClient.archive_encrypted_data().

Closes: https://pagure.io/freeipa/issue/6899
Signed-off-by: Christian Heimes <***@redhat.com>
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/737/head:pr737
git checkout pr737
tiran
2017-04-26 16:22:10 UTC
URL: https://github.com/freeipa/freeipa/pull/737
Title: #737: Vault: Explicitly default to 3DES CBC

tiran commented:
"""
* I haven't verified that the patch actually solves the problem
* Needs backport to at least 4.5
* Either needs backport to 4.4 or 4.4 must require Dogtag < 10.4
"""

See the full comment at https://github.com/freeipa/freeipa/pull/737#issuecomment-297465052
pvoborni
2017-04-26 16:35:04 UTC
URL: https://github.com/freeipa/freeipa/pull/737
Title: #737: Vault: Explicitly default to 3DES CBC

pvoborni commented:
"""
Should go to 4.4.5 unless pki-core-10.4.0-1 is removed from f25. Blocking new Dogtag update in 4.4 doesn't seem right to me.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/737#issuecomment-297468723
tiran
2017-04-27 15:29:12 UTC
URL: https://github.com/freeipa/freeipa/pull/737
Title: #737: Vault: Explicitly default to 3DES CBC

tiran commented:
"""
I talked to Matt. Dogtag 10.4 will not be pushed to F25 and F26, only rawhide/F27. Additionally, Ade will also address the bug in Dogtag. The next 10.4 release will have a fix, too.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/737#issuecomment-297749374
pvoborni
2017-04-27 19:35:57 UTC
URL: https://github.com/freeipa/freeipa/pull/737
Title: #737: Vault: Explicitly default to 3DES CBC

Label: +blocker
frasertweedale
2017-04-28 01:56:39 UTC
URL: https://github.com/freeipa/freeipa/pull/737
Title: #737: Vault: Explicitly default to 3DES CBC

Label: +ack
frasertweedale
2017-04-28 01:57:42 UTC
URL: https://github.com/freeipa/freeipa/pull/737
Title: #737: Vault: Explicitly default to 3DES CBC

frasertweedale commented:
"""
Tested; fix makes it work again against Dogtag (where Dogtag does not contain Ade's fix). ACK.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/737#issuecomment-297886621
MartinBasti
2017-04-28 06:25:54 UTC
URL: https://github.com/freeipa/freeipa/pull/737
Title: #737: Vault: Explicitly default to 3DES CBC

MartinBasti commented:
"""
master:

* 5197422ef65e7239fc56c562ab87d99388a38a8d Vault: Explicitly default to 3DES CBC


ipa-4-5:

* e94a1d18653fe2e9558ac0b70bdf2ddd1f78d150 Vault: Explicitly default to 3DES CBC


"""

See the full comment at https://github.com/freeipa/freeipa/pull/737#issuecomment-297917887
MartinBasti
2017-04-28 06:25:59 UTC
URL: https://github.com/freeipa/freeipa/pull/737
Title: #737: Vault: Explicitly default to 3DES CBC

Label: +pushed
MartinBasti
2017-04-28 06:26:02 UTC
URL: https://github.com/freeipa/freeipa/pull/737
Author: tiran
Title: #737: Vault: Explicitly default to 3DES CBC
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/737/head:pr737
git checkout pr737