Bug 671277 - pkinit-nss doesn't handle TD-DH-PARAMETERS error data correctly
Summary: pkinit-nss doesn't handle TD-DH-PARAMETERS error data correctly
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: pkinit-nss
Version: 5.6
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: rc
: ---
Assignee: Nalin Dahyabhai
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On: 689612
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-01-20 23:17 UTC by Nalin Dahyabhai
Modified: 2015-01-04 23:45 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-03-21 21:46:23 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Nalin Dahyabhai 2011-01-20 23:17:57 UTC 
Description of problem:
When the DH parameters offered by the client aren't accepted by the server, the client fails to act properly based on the server-supplied parameters.

Version-Release number of selected component (if applicable):
pkinit-0.7.6-1.el5

How reproducible:
Always

Steps to Reproduce:
1. Configured the KDC to require DH key agreement using primes with a minimum size greater than that of the client's preferred group.
2. kinit
  
Actual results:
Client retries with the original set of parameters.

Expected results:
Client retries with one of the sets of parameters supplied by the KDC.

Additional info:
Hopefully this won't require changes to the preauth plugin backport.  The client can be configured to work around this, but it's a bug all the same.
Comment 1 Nalin Dahyabhai 2011-03-21 21:46:23 UTC 
Upon further testing, it appears to be handling the error data just fine.  Errors encountered when the server was configured to require 4096 bits failed due to a hard-coded limit in NSS (filed as bug #689612).
Note You need to log in before you can comment on or make changes to this bug.