Hi Grant,
I think that you are absolutely right here:
I suspect that the "Please disable encryption" is misleading
as according to the code, the only way not to initialize the
attribute encryption keys is to fully disable the security.
So removing the attribute encryption key entry is probably the only thing
to do. (possible because no encrypted attributes are configured)
That said there is another point that could cause problems with cert
renewal: the replication agreement credential is also using
symmetrical encryption so you may have to replace their passwords.
Regards
Pierre
On Fri, Nov 26, 2021 at 2:35 AM Grant Byers <[email protected]>
wrote:
> Hi all,
>
>
> Is there a way to either permanently disable attribute encryption, or to
> have the symmetric keys generated from an alternate RSA private key to that
> used for
> TLS (given by cn=RSA,cn=encryption,cn=config)? I may be missing something,
> but this seems to be completely tied to TLS.
>
>
> We don't use attribute encryption at all presently, and the process we use
> for rolling certtificates is basically a re-key. This results in the
> following error
> messages;
>
>
> [25/Nov/2021:06:32:33.562508644 +0000] - ERR - attrcrypt_unwrap_key -
> Failed to unwrap key for cipher AES
> [25/Nov/2021:06:32:33.564813203 +0000] - ERR - attrcrypt_cipher_init -
> Symmetric key failed to unwrap with the private key; Cert might have been
> renewed since
> the key is wrapped. To recover the encrypted contents, keep the wrapped
> symmetric key value.
> [25/Nov/2021:06:32:33.931422579 +0000] - ERR - attrcrypt_unwrap_key -
> Failed to unwrap key for cipher 3DES
> [25/Nov/2021:06:32:33.935241033 +0000] - ERR - attrcrypt_cipher_init -
> Symmetric key failed to unwrap with the private key; Cert might have been
> renewed since
> the key is wrapped. To recover the encrypted contents, keep the wrapped
> symmetric key value.
> [25/Nov/2021:06:32:33.937228742 +0000] - ERR - attrcrypt_init - All
> prepared ciphers are not available. Please disable attribute encryption.
>
>
> I realise we could delete the encrypted attribute keys entries as part of
> our renewal process & have them regenerated, but that seems pretty hackish.
> The
> message implies attribute encryption can be disabled ("Please disable
> attribute encryption."), yet the only way I see to do this is to disable
> TLS via nsslapd-
> security. Can someone confirm?
>
>
> Thanks,
> Grant
>
> _______________________________________________
> 389-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/[email protected]
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
>
--
--
389 Directory Server Development Team
_______________________________________________
389-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
