[Freeipa-users] Re: "Invalid IV size (16) for CBC" when retrieving from vaults via RHEL 9 server

It seems to be an interop problem between the server and client. The RHEL 9 server is wrapping the secret with AES but the client is trying to use TripleDES (and only supports 3DES). Upstream ticket https://pagure.io/freeipa/issue/6524 changed from a hardcoded wrapping algorithm to be more flexible but this is apparently not backwards compatible. I'm not deeply familiar with this wrapping code so I don't know if there is a workaround yet. Any chance you can file a RHEL-8 bug against ipa for this while I continue looking? thanks rob