mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-01-26 16:16:31 -06:00
fd7f4a7411
The Custodia key export handler is using the default's OpenSSL encryption scheme for PKCS#12. This represents an issue when performing a migration from CentOS Stream 8 (C8S) to CentOS Steam 9 (C9S) where the Custodia client running in the new C9S replica talks to the Custodia server on C8S source server. The later creates an encrypted PKCS#12 file that contains the cert and the key using the OpenSSL's default encryption scheme, which is no longer supported on C9S. This commit enforces a stronger encryption algorigthm by adding following arguments to the Custodia server handler: -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha384 The new arguments enforce stronger PBEv2 instead of the insecure PBEv1. Fixes: https://pagure.io/freeipa/issue/9101 Signed-off-by: Francisco Trivino <ftrivino@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> |
||
|---|---|---|
| .. | ||
| advise | ||
| custodia | ||
| dnssec | ||
| install | ||
| plugins | ||
| secrets | ||
| __init__.py | ||
| dcerpc_common.py | ||
| dcerpc.py | ||
| dns_data_management.py | ||
| Makefile.am | ||
| masters.py | ||
| p11helper.py | ||
| rpcserver.py | ||
| servroles.py | ||
| setup.cfg | ||
| setup.py | ||
| topology.py | ||
| wsgi.py | ||