mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 07:33:27 -06:00
93548f2569
AES-128-CBC was recently enabled as default wrapping algorithm for transport of secrets. This change was done in favor of FIPS as crypto-policies disabled 3DES in RHEL9, but setting AES as default ended-up breaking backwards compatibility with older RHEL systems. This commit is tuning some defaults so that interoperability with older RHEL systems works again. The new logic reflects: - when an old client is calling a new server, it doesn't send any value for wrapping_algo and the old value is used (3DES), so that the client can decrypt using 3DES. - when a new client is calling a new server, it sends wrapping_algo = AES128_CBC - when a new client is calling an old server, it doesn't send any value and the default is to use 3DES. Finally, as this logic is able to handle overlapping wrapping algorithm between server and client, the Option "--wrapping-algo" is hidden from "ipa vault-archive --help" and "ipa vault-retrieve --help" commands. Fixes: https://pagure.io/freeipa/issue/9259 Signed-off-by: Francisco Trivino <ftrivino@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> |
||
---|---|---|
.. | ||
__init__.py | ||
automember.py | ||
automount.py | ||
ca.py | ||
cert.py | ||
certmap.py | ||
certprofile.py | ||
dns.py | ||
hbacrule.py | ||
hbactest.py | ||
host.py | ||
idrange.py | ||
internal.py | ||
location.py | ||
migration.py | ||
misc.py | ||
otptoken_yubikey.py | ||
otptoken.py | ||
passwd.py | ||
permission.py | ||
rpcclient.py | ||
server.py | ||
service.py | ||
sudorule.py | ||
topology.py | ||
trust.py | ||
user.py | ||
vault.py |