[openssl-users] Hardware client certificates moving to Centos 7

Stuart Marsden stuart at myphones.com
Wed Sep 27 12:07:46 UTC 2017 

Hi

I think I know what you are going to say - MD5?

I ran openssl s_server -verify , then ran the x509 command as you suggested using the captured client certificate

This phone model has only just gone into production,  and I am using a "preview version" of the hardware

Is there a way a can install  a version of openssl on a dedicated standalone Centos 7 server which will support these phones?

That would be preferable to me than having to leave Centos 6 servers just for this

Thanks everyone for your help sofar 

Stuart


openssl x509 -noout -text -in yealink.pem 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            30:30:31:35:36:35:63:38:62:65:36:66
    Signature Algorithm: md5WithRSAEncryption
        Issuer: C=CN, ST=Fujian, L=Xiamen, O=Yealink Network Technology Co.,Ltd., OU=yealink.com, CN=Yealink Equipment Issuing CA/emailAddress=support at yealink.com
        Validity
            Not Before: Mar  1 00:00:00 2014 GMT
            Not After : Feb 24 00:00:00 2034 GMT
        Subject: C=CN, ST=Fujian, L=Xiamen, O=Yealink Network Technology Co.,Ltd., OU=Yealink Equipment, CN=001565c8be6f/emailAddress=support at yealink.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:e9:22:52:1a:47:bf:06:4d:2e:86:4f:61:5e:f8:
                    70:47:7f:c7:7d:4d:1e:b7:9f:0d:38:d2:79:8e:e9:
                    47:88:f3:f1:dd:75:d0:b3:d7:72:da:aa:e8:72:12:
                    7e:67:5c:c1:63:f3:6e:54:48:f7:46:a8:1c:fe:6a:
                    96:13:87:31:68:bb:89:98:b5:45:8d:c2:ef:24:a0:
                    47:7c:bf:20:d6:88:6b:95:4b:3a:f4:90:ec:a1:b2:
                    8a:4e:f9:2a:01:02:ba:f9:7f:52:b7:5f:71:18:d4:
                    40:74:56:75:94:e1:2e:ed:87:69:5a:33:ca:51:45:
                    06:ce:5e:5d:f1:ff:c1:5f:2f
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
         74:a9:f7:02:52:51:86:c9:09:15:c9:2e:32:1b:29:81:b6:d0:
         a9:7a:88:61:5a:fe:22:3e:6d:68:e3:71:64:e2:12:1f:5a:0e:
         35:54:19:b8:4a:e5:a1:70:27:0f:3b:99:ae:db:d1:bc:77:39:
         22:0a:4d:71:a9:08:ca:c4:e0:28:a6:a0:e4:bc:9d:56:c1:ad:
         49:4b:5c:70:b2:a7:e8:64:ef:fa:fa:c0:1c:89:92:63:c5:67:
         55:ab:d9:65:57:4b:a8:6e:59:a6:d3:4b:ff:9b:27:8b:0e:ea:
         ac:71:de:6c:5d:97:c7:78:17:40:4b:03:79:81:1b:02:31:6c:
         fa:01:4a:c2:e2:c2:d6:14:4c:ff:9a:1c:41:ed:14:c2:eb:b4:
         f5:1b:db:06:d7:1f:e3:bc:69:d0:f7:d6:8e:13:db:7b:f1:15:
         5c:11:b9:18:56:6b:d3:0f:96:20:99:a3:19:01:83:9a:f2:65:
         4d:7d:6b:41:92:d2:d1:4d:40:74:b7:8b:a8:54:ba:bf:b0:04:
         0e:a0:45:5b:62:c1:0e:7b:48:7d:c8:96:62:99:50:e7:44:b1:
         8a:01:e0:ec:b7:42:6c:3d:52:16:70:3b:0f:e6:e3:31:8b:31:
         ee:62:fd:fd:3c:94:90:04:05:99:7b:b2:c0:41:8f:92:05:db:
         46:a6:2d:ed:ba:e5:70:61:45:52:a4:f0:97:54:cf:75:9d:8b:
         f9:89:f2:01:0e:7f:f7:b6:1f:1c:03:56:a6:cc:d0:00:99:b9:
         f1:e3:6b:18:d5:69:46:38:a3:23:ba:f3:76:08:ff:02:bc:15:
         df:91:67:6e:94:62:35:34:a2:fa:d3:33:01:da:00:b6:07:4c:
         89:7e:f3:98:dc:81:e5:0f:4a:19:ea:fe:91:02:3a:9d:22:25:
         a9:38:f8:2f:91:ca:09:e1:6c:12:b2:68:a6:a2:af:8b:41:f7:
         61:e5:40:2f:98:60:18:10:90:af:55:50:8a:31:2d:17:82:d2:
         13:cf:27:5b:fa:c8:ee:74:e1:98:00:26:56:24:68:38:b4:e3:
         21:ee:3c:8b:16:32:72:93:fc:3b:0f:13:9a:b1:97:e8:6e:ca:
         33:00:ee:7b:30:7c:e2:e7:14:99:a0:5f:f1:f9:95:1f:fc:5c:
         17:79:33:2a:f1:fd:89:6e:50:d8:d7:8d:05:95:3f:11:72:c7:
         69:e8:0f:4c:82:7b:9d:26:86:04:60:b2:3b:24:76:4a:34:c6:
         87:ef:e6:e7:8b:53:98:de:f4:cc:d8:39:b2:2d:ea:09:a4:80:
         f3:c2:d7:bd:6f:7b:7d:4c:35:b2:23:ca:56:fc:5b:6d:08:05:
         6b:11:bd:c6:4b:92:4f:46


> On 27 Sep 2017, at 01:04, Kyle Hamilton <aerowolf at gmail.com> wrote:
> 
> openssl x509 -noout -text -in clientcertificate.pem
> 
> You may need to extract the client certificate from wireshark, but you
> could also get it from openssl s_server.
> 
> Specifically, that error message is suggesting that there's a message
> digest encoded into the certificate which is unknown to the trust
> path.
> 
> Chances are, it's probably MD5.  MD5 was broken a long time ago, and
> is no longer trustworthy.  (SHA1 is also a possibility, but it was
> made unacceptable a lot more recently.)
> 
> -Kyle H
> 
> 
> On Tue, Sep 26, 2017 at 8:56 AM, Stuart Marsden <stuart at myphones.com> wrote:
>> Sorry how can I tell ?
>> 
>> I can run a wireshark if necessary
>> 
>> thanks
>> 
>> 
>>> On 26 Sep 2017, at 16:36, Wouter Verhelst <wouter.verhelst at fedict.be> wrote:
>>> 
>>> On 26-09-17 17:26, Stuart Marsden wrote:
>>>> [ssl:info] [pid 1611] SSL Library Error: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm
>>> 
>>> So which message digest algorithm is the client trying to use?
>>> 
>>> --
>>> Wouter Verhelst
>>> --
>>> openssl-users mailing list
>>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>>> 
>> 
>> 
>> --
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
> -- 
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
> 


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170927/8ba60391/attachment-0001.html>

More information about the openssl-users mailing list