directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alexander Bersenev (JIRA)" <>
Subject [jira] [Created] (DIRSERVER-2068) Failed to decrypt a timestamp if it was encrypted with non-best-fit algo
Date Tue, 02 Jun 2015 20:00:49 GMT
Alexander Bersenev created DIRSERVER-2068:

             Summary: Failed to decrypt a timestamp if it was encrypted with non-best-fit
                 Key: DIRSERVER-2068
             Project: Directory ApacheDS
          Issue Type: Bug
          Components: core
    Affects Versions: 2.0.0-M20
            Reporter: Alexander Bersenev
             Fix For: 2.0.0-M21

Suppose the client supports two encryption suites:
default_tkt_enctypes = des-cbc-md5 des3-cbc-sha1-kd

Server also supports three encryption suites: 
des-cbc-md5, des3-cbc-sha1-kd and aes128-cts-hmac-sha1-96

The client send as-req with list of supported ciphers. Server answers the client with three

The client chooses des-cbc-md5 and sends as-req with encrypted timestamp.

The bug is here. The server can try to decrypt timestamp with wrong algo(des3-cbc-sha1-kd).
This occurs because of function 

getBestEncryptionType( Set<EncryptionType> requestedTypes,        Set<EncryptionType>
configuredTypes )

returns some encryption type that both client and server support. It not necessary the cipher
that was used to encrypt the timestamp.

Attached patch does decryption of timestamp always with cipher it was encrypted(if the server
is configured to support that cipher)

This message was sent by Atlassian JIRA

View raw message