Re: Hardware client certificates moving to Centos 7

[Robert Moskowitz <rgm@xxxxxxxxxxxxxxx>]

On 09/27/2017 08:07 AM, Stuart Marsden wrote:

Hi

I think I know what you are going to say - MD5?

Lots of problems with that cert.  If you have some connection with the vendor, have them read IEEE 802.1AR-2009 standard for Device Identity credentials.  You will be supporting this phone different from those that follow the standard.

I ran openssl s_server -verify , then ran the x509 command as you suggested using the captured client certificate

This phone model has only just gone into production,  and I am using a "preview version" of the hardware

Is there a way a can install  a version of openssl on a dedicated standalone Centos 7 server which will support these phones?

I run Centos7 on arm platforms  There are lots of ways to run dedicated C7 servers.  Talk about this on the Centos-user or Centos-arm list.

That would be preferable to me than having to leave Centos 6 servers just for this

A lot of years until EOL for Centos6.  They just did it for C5...

Thanks everyone for your help sofar 

Stuart

openssl x509 -noout -text -in yealink.pem 

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number:

            30:30:31:35:36:35:63:38:62:65:36:66

    Signature Algorithm: md5WithRSAEncryption

        Issuer: C=CN, ST=Fujian, L=Xiamen, O=Yealink Network Technology Co.,Ltd., OU=yealink.com, CN=Yealink Equipment Issuing CA/emailAddress=support@xxxxxxxxxxx

        Validity

            Not Before: Mar  1 00:00:00 2014 GMT

            Not After : Feb 24 00:00:00 2034 GMT

        Subject: C=CN, ST=Fujian, L=Xiamen, O=Yealink Network Technology Co.,Ltd., OU=Yealink Equipment, CN=001565c8be6f/emailAddress=support@xxxxxxxxxxx

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

                Public-Key: (1024 bit)

                Modulus:

                    00:e9:22:52:1a:47:bf:06:4d:2e:86:4f:61:5e:f8:

                    70:47:7f:c7:7d:4d:1e:b7:9f:0d:38:d2:79:8e:e9:

                    47:88:f3:f1:dd:75:d0:b3:d7:72:da:aa:e8:72:12:

                    7e:67:5c:c1:63:f3:6e:54:48:f7:46:a8:1c:fe:6a:

                    96:13:87:31:68:bb:89:98:b5:45:8d:c2:ef:24:a0:

                    47:7c:bf:20:d6:88:6b:95:4b:3a:f4:90:ec:a1:b2:

                    8a:4e:f9:2a:01:02:ba:f9:7f:52:b7:5f:71:18:d4:

                    40:74:56:75:94:e1:2e:ed:87:69:5a:33:ca:51:45:

                    06:ce:5e:5d:f1:ff:c1:5f:2f

                Exponent: 65537 (0x10001)

    Signature Algorithm: md5WithRSAEncryption

         74:a9:f7:02:52:51:86:c9:09:15:c9:2e:32:1b:29:81:b6:d0:

         a9:7a:88:61:5a:fe:22:3e:6d:68:e3:71:64:e2:12:1f:5a:0e:

         35:54:19:b8:4a:e5:a1:70:27:0f:3b:99:ae:db:d1:bc:77:39:

         22:0a:4d:71:a9:08:ca:c4:e0:28:a6:a0:e4:bc:9d:56:c1:ad:

         49:4b:5c:70:b2:a7:e8:64:ef:fa:fa:c0:1c:89:92:63:c5:67:

         55:ab:d9:65:57:4b:a8:6e:59:a6:d3:4b:ff:9b:27:8b:0e:ea:

         ac:71:de:6c:5d:97:c7:78:17:40:4b:03:79:81:1b:02:31:6c:

         fa:01:4a:c2:e2:c2:d6:14:4c:ff:9a:1c:41:ed:14:c2:eb:b4:

         f5:1b:db:06:d7:1f:e3:bc:69:d0:f7:d6:8e:13:db:7b:f1:15:

         5c:11:b9:18:56:6b:d3:0f:96:20:99:a3:19:01:83:9a:f2:65:

         4d:7d:6b:41:92:d2:d1:4d:40:74:b7:8b:a8:54:ba:bf:b0:04:

         0e:a0:45:5b:62:c1:0e:7b:48:7d:c8:96:62:99:50:e7:44:b1:

         8a:01:e0:ec:b7:42:6c:3d:52:16:70:3b:0f:e6:e3:31:8b:31:

         ee:62:fd:fd:3c:94:90:04:05:99:7b:b2:c0:41:8f:92:05:db:

         46:a6:2d:ed:ba:e5:70:61:45:52:a4:f0:97:54:cf:75:9d:8b:

         f9:89:f2:01:0e:7f:f7:b6:1f:1c:03:56:a6:cc:d0:00:99:b9:

         f1:e3:6b:18:d5:69:46:38:a3:23:ba:f3:76:08:ff:02:bc:15:

         df:91:67:6e:94:62:35:34:a2:fa:d3:33:01:da:00:b6:07:4c:

         89:7e:f3:98:dc:81:e5:0f:4a:19:ea:fe:91:02:3a:9d:22:25:

         a9:38:f8:2f:91:ca:09:e1:6c:12:b2:68:a6:a2:af:8b:41:f7:

         61:e5:40:2f:98:60:18:10:90:af:55:50:8a:31:2d:17:82:d2:

         13:cf:27:5b:fa:c8:ee:74:e1:98:00:26:56:24:68:38:b4:e3:

         21:ee:3c:8b:16:32:72:93:fc:3b:0f:13:9a:b1:97:e8:6e:ca:

         33:00:ee:7b:30:7c:e2:e7:14:99:a0:5f:f1:f9:95:1f:fc:5c:

         17:79:33:2a:f1:fd:89:6e:50:d8:d7:8d:05:95:3f:11:72:c7:

         69:e8:0f:4c:82:7b:9d:26:86:04:60:b2:3b:24:76:4a:34:c6:

         87:ef:e6:e7:8b:53:98:de:f4:cc:d8:39:b2:2d:ea:09:a4:80:

         f3:c2:d7:bd:6f:7b:7d:4c:35:b2:23:ca:56:fc:5b:6d:08:05:

         6b:11:bd:c6:4b:92:4f:46

On 27 Sep 2017, at 01:04, Kyle Hamilton <aerowolf@xxxxxxxxx> wrote:

openssl x509 -noout -text -in clientcertificate.pem

You may need to extract the client certificate from wireshark, but you
could also get it from openssl s_server.

Specifically, that error message is suggesting that there's a message
digest encoded into the certificate which is unknown to the trust
path.

Chances are, it's probably MD5.  MD5 was broken a long time ago, and
is no longer trustworthy.  (SHA1 is also a possibility, but it was
made unacceptable a lot more recently.)

-Kyle H


On Tue, Sep 26, 2017 at 8:56 AM, Stuart Marsden <stuart@xxxxxxxxxxxx> wrote:

Sorry how can I tell ?

I can run a wireshark if necessary

thanks

On 26 Sep 2017, at 16:36, Wouter Verhelst <wouter.verhelst@xxxxxxxxx> wrote:

On 26-09-17 17:26, Stuart Marsden wrote:

[ssl:info] [pid 1611] SSL Library Error: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm

So which message digest algorithm is the client trying to use?

--
Wouter Verhelst
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users