Closed SilleBille closed 5 years ago
Posted by awnuk on 2013-06-07:
Moving to FUTURE milestone due to security issues described in http://tools.ietf.org/html/draft-nourse-scep-23#section-8.7
Posted by mharmsen on 2015-03-10:
From duplicate ticket 1298:
When ca.scep.enable is set to 'true', the default SCEP configuration currently
rejects PKCSReq PKIOperation requests which use MD5 or DES, but the server
doesn't respond to GetCACaps requests, so clients have no way of reliably
determining what they should be doing instead.
How reproducible:
Always
Steps to Reproduce:
1. Enable SCEP.
2. curl -v -v -v
'http://$server:9180/ca/cgi-bin/pkiclient.exe?operation=GetCACaps&message=0'
Actual results:
404 error
Expected results:
200 OK, contents based on the ca.scep.allowedEncryptionAlgorithms and
ca.scep.allowedHashAlgorithms settings.
Posted by mharmsen on 2015-03-10:
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1198257 (Red Hat Certificate System)
Posted by mharmsen on 2015-03-10:
Per CS/DS Meeting of 03/09/2015: 10.3
Posted by nkinder on 2015-07-29:
Certmonger recently added SCEP support, and it relies on GetCACaps. Without adding this support, certmonger fails with somewhat cryptic error messages. We should add this in 10.3 so certmonger works nicely with Dogtag via SCEP.
Posted by mharmsen on 2016-05-04:
Per Bug Triage of 05/03/2016: 10.4
Posted by tvaughan on 2018-01-11:
Is there going to be any movement on this?
Ideally, this would be something that I could enable if I choose to accept the risk as presented in http://tools.ietf.org/html/draft-nourse-scep-23#section-8.7.
I would like to note that for certmonger
, you can make the entire SCEP transaction over HTTPS, so that threat is nullified and, as it currently sits, you have effectively executed the risk in certmonger since it will downgrade to the lowest possible cipher and hash by default and the user cannot override it. See https://pagure.io/certmonger/issue/89 for details.
Posted by mharmsen on 2018-04-13:
Per 10.5.x/10.6 Triage: 10.6
Upgrading SCEP is being proposed for 10.6
Posted by tvaughan on 2018-09-10:
Is this still on the road map for 10.6?
This issue was migrated from pagure ticket 627. Originally filed by awnuk on 2013-05-29
Add SCEP support for GetCACaps - http://tools.ietf.org/html/draft-nourse-scep-23#appendix-C.1