Add SCEP support for GetCACaps

SilleBille / pki

Dogtag PKI Issues should be reported to the Dogtag PKI Pagure Issues site

https://pagure.io/dogtagpki/issues

GNU General Public License v2.0

1 stars 1 forks source link

Add SCEP support for GetCACaps #156

Closed SilleBille closed 5 years ago

SilleBille commented 5 years ago

This issue was migrated from Pagure Issue #627. Originally filed by awnuk on 2013-05-29

Add SCEP support for GetCACaps - http://tools.ietf.org/html/draft-nourse-scep-23#appendix-C.1

SilleBille commented 5 years ago

Posted by awnuk on 2013-06-07:

Moving to FUTURE milestone due to security issues described in http://tools.ietf.org/html/draft-nourse-scep-23#section-8.7

SilleBille commented 5 years ago

Posted by mharmsen on 2015-03-10:

From duplicate ticket 1298:

When ca.scep.enable is set to 'true', the default SCEP configuration currently
rejects PKCSReq PKIOperation requests which use MD5 or DES, but the server
doesn't respond to GetCACaps requests, so clients have no way of reliably
determining what they should be doing instead.

How reproducible:

Always

Steps to Reproduce:

1. Enable SCEP.
2. curl -v -v -v
'http://$server:9180/ca/cgi-bin/pkiclient.exe?operation=GetCACaps&message=0'

Actual results:

404 error

Expected results:

200 OK, contents based on the ca.scep.allowedEncryptionAlgorithms and
ca.scep.allowedHashAlgorithms settings.

SilleBille commented 5 years ago

Posted by mharmsen on 2015-03-10:

Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1198257 (Red Hat Certificate System)

SilleBille commented 5 years ago

Posted by mharmsen on 2015-03-10:

Per CS/DS Meeting of 03/09/2015: 10.3

SilleBille commented 5 years ago

Posted by nkinder on 2015-07-29:

Certmonger recently added SCEP support, and it relies on GetCACaps. Without adding this support, certmonger fails with somewhat cryptic error messages. We should add this in 10.3 so certmonger works nicely with Dogtag via SCEP.

SilleBille commented 5 years ago

Posted by mharmsen on 2016-05-04:

Per Bug Triage of 05/03/2016: 10.4

SilleBille commented 5 years ago

Posted by tvaughan on 2018-01-11:

Is there going to be any movement on this?

Ideally, this would be something that I could enable if I choose to accept the risk as presented in http://tools.ietf.org/html/draft-nourse-scep-23#section-8.7.

I would like to note that for certmonger, you can make the entire SCEP transaction over HTTPS, so that threat is nullified and, as it currently sits, you have effectively executed the risk in certmonger since it will downgrade to the lowest possible cipher and hash by default and the user cannot override it. See https://pagure.io/certmonger/issue/89 for details.

SilleBille commented 5 years ago

Posted by mharmsen on 2018-04-13:

Per 10.5.x/10.6 Triage: 10.6

Upgrading SCEP is being proposed for 10.6

SilleBille commented 5 years ago

Posted by tvaughan on 2018-09-10:

Is this still on the road map for 10.6?