[openssl-users] Hardware client certificates moving to Centos 7
Robert Moskowitz
rgm at htt-consult.com
Wed Sep 27 12:27:47 UTC 2017
On 09/27/2017 08:07 AM, Stuart Marsden wrote:
> Hi
>
> I think I know what you are going to say - MD5?
Lots of problems with that cert. If you have some connection with the
vendor, have them read IEEE 802.1AR-2009 standard for Device Identity
credentials. You will be supporting this phone different from those
that follow the standard.
>
> I ran openssl s_server -verify , then ran the x509 command as you
> suggested using the captured client certificate
>
> This phone model has only just gone into production, and I am using a
> "preview version" of the hardware
>
> Is there a way a can install a version of openssl on a dedicated
> standalone Centos 7 server which will support these phones?
I run Centos7 on arm platforms There are lots of ways to run dedicated
C7 servers. Talk about this on the Centos-user or Centos-arm list.
>
> That would be preferable to me than having to leave Centos 6 servers
> just for this
A lot of years until EOL for Centos6. They just did it for C5...
>
> Thanks everyone for your help sofar
>
> Stuart
>
>
> openssl x509 -noout -text -in yealink.pem
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number:
> 30:30:31:35:36:35:63:38:62:65:36:66
> Signature Algorithm: md5WithRSAEncryption
> Issuer: C=CN, ST=Fujian, L=Xiamen, O=Yealink Network
> Technology Co.,Ltd., OU=yealink.com <http://yealink.com>, CN=Yealink
> Equipment Issuing CA/emailAddress=support at yealink.com
> <mailto:CA/emailAddress=support at yealink.com>
> Validity
> Not Before: Mar 1 00:00:00 2014 GMT
> Not After : Feb 24 00:00:00 2034 GMT
> Subject: C=CN, ST=Fujian, L=Xiamen, O=Yealink Network
> Technology Co.,Ltd., OU=Yealink Equipment,
> CN=001565c8be6f/emailAddress=support at yealink.com
> <mailto:CN=001565c8be6f/emailAddress=support at yealink.com>
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> Public-Key: (1024 bit)
> Modulus:
> 00:e9:22:52:1a:47:bf:06:4d:2e:86:4f:61:5e:f8:
> 70:47:7f:c7:7d:4d:1e:b7:9f:0d:38:d2:79:8e:e9:
> 47:88:f3:f1:dd:75:d0:b3:d7:72:da:aa:e8:72:12:
> 7e:67:5c:c1:63:f3:6e:54:48:f7:46:a8:1c:fe:6a:
> 96:13:87:31:68:bb:89:98:b5:45:8d:c2:ef:24:a0:
> 47:7c:bf:20:d6:88:6b:95:4b:3a:f4:90:ec:a1:b2:
> 8a:4e:f9:2a:01:02:ba:f9:7f:52:b7:5f:71:18:d4:
> 40:74:56:75:94:e1:2e:ed:87:69:5a:33:ca:51:45:
> 06:ce:5e:5d:f1:ff:c1:5f:2f
> Exponent: 65537 (0x10001)
> Signature Algorithm: md5WithRSAEncryption
> 74:a9:f7:02:52:51:86:c9:09:15:c9:2e:32:1b:29:81:b6:d0:
> a9:7a:88:61:5a:fe:22:3e:6d:68:e3:71:64:e2:12:1f:5a:0e:
> 35:54:19:b8:4a:e5:a1:70:27:0f:3b:99:ae:db:d1:bc:77:39:
> 22:0a:4d:71:a9:08:ca:c4:e0:28:a6:a0:e4:bc:9d:56:c1:ad:
> 49:4b:5c:70:b2:a7:e8:64:ef:fa:fa:c0:1c:89:92:63:c5:67:
> 55:ab:d9:65:57:4b:a8:6e:59:a6:d3:4b:ff:9b:27:8b:0e:ea:
> ac:71:de:6c:5d:97:c7:78:17:40:4b:03:79:81:1b:02:31:6c:
> fa:01:4a:c2:e2:c2:d6:14:4c:ff:9a:1c:41:ed:14:c2:eb:b4:
> f5:1b:db:06:d7:1f:e3:bc:69:d0:f7:d6:8e:13:db:7b:f1:15:
> 5c:11:b9:18:56:6b:d3:0f:96:20:99:a3:19:01:83:9a:f2:65:
> 4d:7d:6b:41:92:d2:d1:4d:40:74:b7:8b:a8:54:ba:bf:b0:04:
> 0e:a0:45:5b:62:c1:0e:7b:48:7d:c8:96:62:99:50:e7:44:b1:
> 8a:01:e0:ec:b7:42:6c:3d:52:16:70:3b:0f:e6:e3:31:8b:31:
> ee:62:fd:fd:3c:94:90:04:05:99:7b:b2:c0:41:8f:92:05:db:
> 46:a6:2d:ed:ba:e5:70:61:45:52:a4:f0:97:54:cf:75:9d:8b:
> f9:89:f2:01:0e:7f:f7:b6:1f:1c:03:56:a6:cc:d0:00:99:b9:
> f1:e3:6b:18:d5:69:46:38:a3:23:ba:f3:76:08:ff:02:bc:15:
> df:91:67:6e:94:62:35:34:a2:fa:d3:33:01:da:00:b6:07:4c:
> 89:7e:f3:98:dc:81:e5:0f:4a:19:ea:fe:91:02:3a:9d:22:25:
> a9:38:f8:2f:91:ca:09:e1:6c:12:b2:68:a6:a2:af:8b:41:f7:
> 61:e5:40:2f:98:60:18:10:90:af:55:50:8a:31:2d:17:82:d2:
> 13:cf:27:5b:fa:c8:ee:74:e1:98:00:26:56:24:68:38:b4:e3:
> 21:ee:3c:8b:16:32:72:93:fc:3b:0f:13:9a:b1:97:e8:6e:ca:
> 33:00:ee:7b:30:7c:e2:e7:14:99:a0:5f:f1:f9:95:1f:fc:5c:
> 17:79:33:2a:f1:fd:89:6e:50:d8:d7:8d:05:95:3f:11:72:c7:
> 69:e8:0f:4c:82:7b:9d:26:86:04:60:b2:3b:24:76:4a:34:c6:
> 87:ef:e6:e7:8b:53:98:de:f4:cc:d8:39:b2:2d:ea:09:a4:80:
> f3:c2:d7:bd:6f:7b:7d:4c:35:b2:23:ca:56:fc:5b:6d:08:05:
> 6b:11:bd:c6:4b:92:4f:46
>
>
>> On 27 Sep 2017, at 01:04, Kyle Hamilton <aerowolf at gmail.com
>> <mailto:aerowolf at gmail.com>> wrote:
>>
>> openssl x509 -noout -text -in clientcertificate.pem
>>
>> You may need to extract the client certificate from wireshark, but you
>> could also get it from openssl s_server.
>>
>> Specifically, that error message is suggesting that there's a message
>> digest encoded into the certificate which is unknown to the trust
>> path.
>>
>> Chances are, it's probably MD5. MD5 was broken a long time ago, and
>> is no longer trustworthy. (SHA1 is also a possibility, but it was
>> made unacceptable a lot more recently.)
>>
>> -Kyle H
>>
>>
>> On Tue, Sep 26, 2017 at 8:56 AM, Stuart Marsden <stuart at myphones.com
>> <mailto:stuart at myphones.com>> wrote:
>>> Sorry how can I tell ?
>>>
>>> I can run a wireshark if necessary
>>>
>>> thanks
>>>
>>>
>>>> On 26 Sep 2017, at 16:36, Wouter Verhelst
>>>> <wouter.verhelst at fedict.be <mailto:wouter.verhelst at fedict.be>> wrote:
>>>>
>>>> On 26-09-17 17:26, Stuart Marsden wrote:
>>>>> [ssl:info] [pid 1611] SSL Library Error: error:0D0C50A1:asn1
>>>>> encoding routines:ASN1_item_verify:unknown message digest algorithm
>>>>
>>>> So which message digest algorithm is the client trying to use?
>>>>
>>>> --
>>>> Wouter Verhelst
>>>> --
>>>> openssl-users mailing list
>>>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>>>>
>>>
>>>
>>> --
>>> openssl-users mailing list
>>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>> --
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>>
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170927/26535fd1/attachment-0001.html>
More information about the openssl-users
mailing list