Diffstat (limited to 'base/common/python')
-rw-r--r--base/common/python/pki/crypto.py7
-rw-r--r--base/common/python/pki/key.py3
2 files changed, 9 insertions, 1 deletions
diff --git a/base/common/python/pki/crypto.py b/base/common/python/pki/crypto.py
index 0891acd68..7f0384658 100644
--- a/base/common/python/pki/crypto.py
+++ b/base/common/python/pki/crypto.py
@@ -389,9 +389,14 @@ class CryptographyCryptoProvider(CryptoProvider):
self.encrypt_mode = modes.CBC
self.encrypt_size = 128
elif level == 0:
+ # note that 3DES keys are actually 192 bits long, even
+ # though only 168 bits are used internally. See
+ # https://tools.ietf.org/html/rfc4949
+ # Using 168 here will cause python-cryptography key verification
+ # checks to fail.
self.encrypt_alg = algorithms.TripleDES
self.encrypt_mode = modes.CBC
- self.encrypt_size = 168
+ self.encrypt_size = 192
def generate_nonce_iv(self, mechanism='AES'):
""" Create a random initialization vector """
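Review bot: The new comment on the `level == 0` branch explains why the value is 192 but omits the figure a reader choosing a level needs: the 192 bits are three 64-bit DES keys including 24 parity bits, 168 bits are key material, and meet-in-the-middle attacks bring three-key 3DES down to roughly 112 bits of effective strength. I would state that `encrypt_size` is the encoded key length python-cryptography's `TripleDES` accepts (64, 128 or 192 bits), not a security level, e.g. `# 192 = 3 x 64-bit DES keys incl. parity; 168 key bits, ~112-bit effective strength`. Because this branch pairs a 64-bit block cipher with CBC, one more line saying level 0 exists only for legacy peers would keep new callers off it. The enclosing method starts above the hunk, so how `encrypt_size` is consumed is not visible here.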
diff --git a/base/common/python/pki/key.py b/base/common/python/pki/key.py
index 9313b0e59..d2b82970e 100644
--- a/base/common/python/pki/key.py
+++ b/base/common/python/pki/key.py
@@ -28,6 +28,7 @@ from __future__ import print_function
import base64
import json
import os
+import warnings
from six import iteritems
from six.moves.urllib.parse import quote # pylint: disable=F0401,E0611
@@ -853,6 +854,8 @@ class KeyClient(object):
# legacy apps like IPA call this directly without
# setting the algorithm_oid. We need to keep DES
# for backward compatibility
+ warnings.warn("algorithm_oid=None is deprecated",
+ DeprecationWarning)
algorithm_oid = pki.crypto.DES_EDE3_CBC_OID
if not nonce_iv:
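Review bot: The `warnings.warn` call added in the `algorithm_oid` fallback passes no `stacklevel`, so the warning is attributed to this line in key.py rather than to the caller that omitted the OID. `DeprecationWarning` is also hidden by Python's default filters unless it is attributed to code running in `__main__`, so the legacy callers named in the comment will probably never see it. I would write `warnings.warn("algorithm_oid=None is deprecated; defaulting to DES-EDE3-CBC", DeprecationWarning, stacklevel=2)` and also log the fallback, so operators can find the clients still wrapping with 3DES. The enclosing method begins and ends outside the hunk, so the correct `stacklevel` depends on whether callers reach it directly.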