Re: Hardware client certificates moving to Centos 7

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





On 09/26/2017 11:26 AM, Stuart Marsden wrote:
Hi

I have Centos/Apache servers for securely provisioning IP phones using hardware client certificates embedded in the phones.

for this test I have allowed all protocols and ciphers

on Centos 6 this works fine, the rpms are:

openssl098e-0.9.8e-20.el6.centos.1.x86_64
openssl-1.0.1e-57.el6.x86_64
openssl-devel-1.0.1e-57.el6.x86_64

on centos 7 the rpms are:

openssl098e-0.9.8e-29.el7.centos.3.x86_64
openssl-1.0.2k-8.el7.x86_64
openssl-libs-1.0.2k-8.el7.x86_64
xmlsec1-openssl-1.2.20-7.el7_4.x86_64
openssl-devel-1.0.2k-8.el7.x86_64

on Centos 7 the logging with "Loglevel debug"  in the apache config file is a lot less than Centos 6


The SSL fails to establish with the error below:


ssl_engine_kernel.c(1890): [client XX.XX.31.200:47576] AH02043: SSL virtual host for servername xxxxxxxx found

ssl_engine_kernel.c(1360): [client XX.XX.31.200:47576] AH02275: Certificate Verification, depth 1, CRL checking mode: none [subject: emailAddress=support@xxxxxxxxxxx,CN=Yealink Equipment Issuing CA,OU=yealink.com,O=Yealink Network Technology Co.\\,Ltd.,L=Xiamen,ST=Fujian,C=CN / issuer: emailAddress=support@xxxxxxxxxxx,CN=Yealink Equipment Issuing CA,OU=yealink.com,O=Yealink Network Technology Co.\\,Ltd.,L=Xiamen,ST=Fujian,C=CN / serial: E17F3D266C47321E / notbefore: Nov  7 12:45:52 2013 GMT / notafter: Nov  7 12:45:52 2033 GMT]

Please provide a complete dump of the hardware certificate. There may be a subjectAltName with fields that require an hex dump. I want to see if these are IEEE 802.1AR certificates...

If they are, they are suppose to be used to provision an owner (lDevID) certificate. But they should be usable; they may be ECDSA certs.

You can see some examples on how to create (and display) ECDSA 802.1AR certs in:

https://datatracker.ietf.org/doc/draft-moskowitz-ecdsa-pki/



ssl_engine_kernel.c(1360): [client xx.xx.31.200:47576] AH02275: Certificate Verification, depth 0, CRL checking mode: none [subject: emailAddress=support@xxxxxxxxxxx,CN=001565c8be6f,OU=Yealink Equipment,O=Yealink Network Technology Co.\\,Ltd.,L=Xiamen,ST=Fujian,C=CN / issuer: emailAddress=support@xxxxxxxxxxx,CN=Yealink Equipment Issuing CA,OU=yealink.com,O=Yealink Network Technology Co.\\,Ltd.,L=Xiamen,ST=Fujian,C=CN / serial: 303031353635633862653666 / notbefore: Mar  1 00:00:00 2014 GMT / notafter: Feb 24 00:00:00 2034 GMT]

[ssl:info] [pid 1611] [client xx.xx.31.200:47576] AH02276: Certificate Verification: Error (7): certificate signature failure [subject: emailAddress=support@xxxxxxxxxxx,CN=001565c8be6f,OU=Yealink Equipment,O=Yealink Network Technology Co.\\,Ltd.,L=Xiamen,ST=Fujian,C=CN / issuer: emailAddress=support@xxxxxxxxxxx,CN=Yealink Equipment Issuing CA,OU=yealink.com,O=Yealink Network Technology Co.\\,Ltd.,L=Xiamen,ST=Fujian,C=CN / serial: 303031353635633862653666 / notbefore: Mar  1 00:00:00 2014 GMT / notafter: Feb 24 00:00:00 2034 GMT]

[ssl:info] [pid 1611] [client xx.xx.31.200:47576] AH02008: SSL library error 1 in handshake (server xxx.xxx.xxx.xxx:443)
[ssl:info] [pid 1611] SSL Library Error: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm
[ssl:info] [pid 1611] SSL Library Error: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
[ssl:info] [pid 1611] [client xx.xx.31.200:47576] AH01998: Connection closed to child 3 with abortive shutdown


It fails across several phone vendors.

Any suggestions greatly received, thanks in advance

Stuart



--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux