directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Emmanuel L├ęcharny (Jira) <>
Subject [jira] [Updated] (DIRSERVER-2068) Failed to decrypt a timestamp if it was encrypted with non-best-fit algo
Date Thu, 19 Mar 2020 18:36:01 GMT


Emmanuel L├ęcharny updated DIRSERVER-2068:
    Fix Version/s:     (was: 2.0.0.AM26)

> Failed to decrypt a timestamp if it was encrypted with non-best-fit algo
> ------------------------------------------------------------------------
>                 Key: DIRSERVER-2068
>                 URL:
>             Project: Directory ApacheDS
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 2.0.0-M20
>            Reporter: Alexander Bersenev
>            Priority: Major
>             Fix For: 2.0.0.AM27
>         Attachments: preauth.patch
> Suppose the client supports two encryption suites:
> default_tkt_enctypes = des-cbc-md5 des3-cbc-sha1-kd
> Server also supports three encryption suites: 
> des-cbc-md5, des3-cbc-sha1-kd and aes128-cts-hmac-sha1-96
> The client send as-req with list of supported ciphers. Server answers the client with
three ciphers.
> The client chooses des-cbc-md5 and sends as-req with encrypted timestamp.
> The bug is here. The server can try to decrypt timestamp with wrong algo(des3-cbc-sha1-kd).
This occurs because of function 
> getBestEncryptionType( Set<EncryptionType> requestedTypes,        Set<EncryptionType>
configuredTypes )
> returns some encryption type that both client and server support. It not necessary the
cipher that was used to encrypt the timestamp.
> Attached patch does decryption of timestamp always with cipher it was encrypted(if the
server is configured to support that cipher)

This message was sent by Atlassian Jira

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message