mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
d38dd2680f
RHEL 9 system-wide crypto policies aim at eventual removal of SHA-1 use. Due to bootstrapping process, force explicitly supported encryption types in kdc.conf or we may end up with AES128-SHA1 and AES256-SHA2 only in FIPS mode at bootstrap time which then fails to initialize kadmin principals requiring use of AES256-SHA2 and AES128-SHA2. Camellia ciphers must be filtered out in FIPS mode, we do that already in the kerberos.ldif. At this point we are not changing the master key encryption type to AES256-SHA2 because upgrading existing deployments is complicated and at the time when a replica configuration is deployed, we don't know what is the encryption type of the master key of the original server as well. Fixes: https://pagure.io/freeipa/issue/9119 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Julien Rische <jrische@redhat.com> Reviewed-By: Francisco Trivino <ftrivino@redhat.com>