freeipa/ipaclient/plugins
Francisco Trivino 93548f2569 Vault: fix interoperability issues with older RHEL systems
AES-128-CBC was recently enabled as the default wrapping algorithm for transport of secrets.
This change was done in favor of FIPS as crypto-policies disabled 3DES in RHEL9, but
setting AES as default ended up breaking backwards compatibility with older RHEL systems.

This commit is tuning some defaults so that interoperability with older RHEL systems
works again. The new logic reflects:

- when an old client is calling a new server, it doesn't send any value for wrapping_algo
  and the old value is used (3DES), so that the client can decrypt using 3DES.

- when a new client is calling a new server, it sends wrapping_algo = AES128_CBC

- when a new client is calling an old server, it doesn't send any value and the default is
  to use 3DES.

Finally, as this logic is able to handle overlapping wrapping algorithm between server and
client, the Option "--wrapping-algo" is hidden from "ipa vault-archive --help" and "ipa
vault-retrieve --help" commands.

Fixes: https://pagure.io/freeipa/issue/9259
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-11-21 10:41:10 -05:00
__init__.py ipaclient: introduce ipaclient.plugins 2016-06-03 09:00:34 +02:00
automember.py Fix Pylint 2.0 violations 2018-07-14 12:04:19 +02:00
automount.py pylint: Fix consider-using-dict-items 2022-03-11 13:37:08 -05:00
ca.py Handle missing LWCA certificate or chain 2019-06-18 10:36:24 +10:00
cert.py Remove support for csrgen 2021-01-21 13:51:45 +01:00
certmap.py Load certificate files as binary data 2018-04-30 20:42:00 +02:00
certprofile.py client: ignore override errors in command overrides 2016-06-30 16:32:20 +02:00
dns.py Fix translation of commands description in API Browser 2018-06-12 08:38:56 +02:00
hbacrule.py ipalib: split off client-side plugin code into ipaclient 2016-06-03 09:00:34 +02:00
hbactest.py Fix ipa hbactest output 2016-08-04 17:13:16 +02:00
host.py x509: Make certificates represented as objects 2017-07-27 10:28:58 +02:00
idrange.py client: ignore override errors in command overrides 2016-06-30 16:32:20 +02:00
internal.py client: ignore override errors in command overrides 2016-06-30 16:32:20 +02:00
location.py Remove unused variables in the code 2016-09-27 13:35:58 +02:00
migration.py Fix pylint warnings inconsistent-return-statements 2017-12-18 11:51:14 +01:00
misc.py Make env and plugins commands local again 2016-12-02 13:00:06 +01:00
otptoken_yubikey.py pylint: Skip unused-private-member for property case 2022-03-11 13:37:08 -05:00
otptoken.py ipa otptoken-sync: return error when sync fails 2022-09-29 07:58:44 -04:00
passwd.py client: ignore override errors in command overrides 2016-06-30 16:32:20 +02:00
permission.py client: ignore override errors in command overrides 2016-06-30 16:32:20 +02:00
rpcclient.py pylint 2.2: Fix unnecessary pass statement 2018-11-26 16:54:43 +01:00
server.py Handled empty hostname in server-del command 2016-08-24 15:50:25 +02:00
service.py x509: Make certificates represented as objects 2017-07-27 10:28:58 +02:00
sudorule.py Improve sudooption docs, make the option multi-value 2021-10-08 10:47:58 +02:00
topology.py topology.py: Removes error message from dictionary. 2017-07-14 09:23:17 +02:00
trust.py client: ignore override errors in command overrides 2016-06-30 16:32:20 +02:00
user.py x509: Make certificates represented as objects 2017-07-27 10:28:58 +02:00
vault.py Vault: fix interoperability issues with older RHEL systems 2022-11-21 10:41:10 -05:00