Bug 2225222 - Ordering matters for permitted_enctypes
Summary: Ordering matters for permitted_enctypes
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: crypto-policies
Version: 9.3
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Alexander Sosedkin
QA Contact: Ondrej Moriš
Jan Fiala
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2023-07-24 16:09 UTC by Alexander Sosedkin
Modified: 2023-08-09 18:25 UTC

Fixed In Version: crypto-policies-20230731-1.git94f0e2c.el9
Doc Type: Enhancement
Doc Text:
When generating the `permitted_enctypes` `krb5` configuration option, the order of the values now depends on the order of the `mac` crypto-policies values first and the order of the `cipher` values second, instead of the other way around. This has been done to prioritize the more interoperable encryption types by default. If you're using `krb5`, please verify the order of `permitted_enctypes` values in `/etc/crypto-policies/back-ends/krb5.config` and apply a custom subpolicy if needed.
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:
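
The ordering change described in the Doc Text, as an added example that is not code from crypto-policies or from this bug: the `(mac, cipher)` to enctype mapping, the function names and the sample config line are assumptions made for illustration. `classify` can be applied to the `permitted_enctypes` line of `/etc/crypto-policies/back-ends/krb5.config` to see which grouping a system currently has.

```python
import re
from itertools import groupby

# Assumption: illustrative (mac, cipher) -> krb5 enctype mapping, written for
# this example; it is not copied from the crypto-policies generator.
ENCTYPES = {
    ("HMAC-SHA2-384", "AES-256-CBC"): "aes256-cts-hmac-sha384-192",
    ("HMAC-SHA2-256", "AES-128-CBC"): "aes128-cts-hmac-sha256-128",
    ("HMAC-SHA1", "AES-256-CBC"): "aes256-cts-hmac-sha1-96",
    ("HMAC-SHA1", "AES-128-CBC"): "aes128-cts-hmac-sha1-96",
}

def order_enctypes(macs, ciphers, mac_first=True):
    """Combine two preference-ordered lists; the outer loop wins priority."""
    if mac_first:
        pairs = [(m, c) for m in macs for c in ciphers]
    else:
        pairs = [(m, c) for c in ciphers for m in macs]
    return [ENCTYPES[p] for p in pairs if p in ENCTYPES]

def parse_permitted_enctypes(config_text):
    """Return the permitted_enctypes values in file order ([] if absent)."""
    m = re.search(r"^\s*permitted_enctypes\s*=\s*(.+)$", config_text, re.M)
    return m.group(1).split() if m else []

def _contiguous(keys):
    """True if every distinct key occupies exactly one unbroken run."""
    runs = [k for k, _ in groupby(keys)]
    return len(runs) == len(set(runs))

def classify(enctypes):
    """Report whether the list is grouped by MAC or by cipher."""
    parts = [e.partition("-cts-") for e in enctypes]
    by_cipher = _contiguous([p[0] for p in parts])
    by_mac = _contiguous([p[2] for p in parts])
    if by_mac and not by_cipher:
        return "mac-first"
    if by_cipher and not by_mac:
        return "cipher-first"
    return "indeterminate"

if __name__ == "__main__":
    # Constructed sample config line, not taken from a real system.
    sample = ("[libdefaults]\npermitted_enctypes = aes256-cts-hmac-sha1-96 "
              "aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha1-96 "
              "aes128-cts-hmac-sha256-128\n")
    print(classify(parse_permitted_enctypes(sample)))
```
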




Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Gitlab | redhat-crypto fedora-crypto-policies merge_requests 139 | 0 | None | opened | [RHEL-9] krb5: sort enctypes mac-first, cipher-second, prioritize SHA-2 ones | 2023-07-24 17:16:35 UTC |
| Red Hat Issue Tracker | CRYPTO-11257 | 0 | None | None | None | 2023-07-24 17:01:12 UTC |
| Red Hat Issue Tracker | RHELPLAN-163171 | 0 | None | None | None | 2023-07-24 16:13:12 UTC |
| Red Hat Issue Tracker | RHELPLAN-163172 | 0 | None | None | None | 2023-07-24 16:13:17 UTC |

Comment 2 Alexander Sosedkin 2023-07-24 17:18:40 UTC
Julien or somebody else from the Kerberos side, could you please review the attached pull-request and doc text?

