2225222 – Ordering matters for permitted_enctypes

Bug 2225222 - Ordering matters for permitted_enctypes

Summary: Ordering matters for permitted_enctypes

Keywords:
Status:	VERIFIED
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	crypto-policies
Sub Component:
Version:	9.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Alexander Sosedkin
QA Contact:	Ondrej Moriš
Docs Contact:	Jan Fiala
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-07-24 16:09 UTC by Alexander Sosedkin
Modified:	2023-08-09 18:25 UTC (History)
CC List:	1 user (show)
Fixed In Version:	crypto-policies-20230731-1.git94f0e2c.el9
Doc Type:	Enhancement
Doc Text:	When generating `permitted_enctypes` `krb5` configuration option, the order of the values now depend on `mac` crypto-policies values order first, `cipher` values order second, instead of the other way around. This has been done to prioritize the more interoperable encryption types by default. If you're using `krb5`, please verify the order of `permitted_enctypes` values in `/etc/crypto-policies/back-ends/krb5.config` and apply a custom subpolicy if needed.
Clone Of:
Environment:
Last Closed:
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Gitlab	redhat-crypto fedora-crypto-policies merge_requests 139	None	opened	[RHEL-9] krb5: sort enctypes mac-first, cipher-second, prioritize SHA-2 ones	2023-07-24 17:16:35 UTC
Red Hat Issue Tracker	CRYPTO-11257	None	None	None	2023-07-24 17:01:12 UTC
Red Hat Issue Tracker	RHELPLAN-163171	None	None	None	2023-07-24 16:13:12 UTC
Red Hat Issue Tracker	RHELPLAN-163172	None	None	None	2023-07-24 16:13:17 UTC

Comment 2 Alexander Sosedkin 2023-07-24 17:18:40 UTC

Julien or somebody else from the Kerberos side, could you please review the attached pull-request and doc text?

Comment 3 Julien Rische 2023-07-31 08:12:25 UTC

I approved both these pull requests:
https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/139
https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/140

Note You need to log in before you can comment on or make changes to this bug.