Re: CMP and SCEP problem

by Juraj Michalak

Peter Gutmann wrote:

>> error: crytSetAttribute(CRYPT_SESSINFO_ACTIVE) = -15 (what is CRYPT_ERROR_FAILED)
>>
>> session/scep_cli.c:168 "Couldn't create SCEP request signing attributes"
>>    
>
> Hmm, it looks like you used SHA-256 here as well, SCEP had an even worse
> problem in that it hardcoded MD5 as the only allowed algorithm.  There is a
> way to kludge in other algorithms (by sending an HTTP request containing an
> argument other than a standard SCEP request, which is supposed to return a
> text page containing information about what new algorithms are supported) but
> the last time I tried it it wasn't supported very well (there are lots of old,
> minimal SCEP implementations built into routers and the like) and led to
> strange failures if you use it.  In general it seems safe to assume SHA-1
> (which is what cryptlib does), but trying to push it beyond that is kind of
> risky.
>
> Peter.
>
>  
After learning that CMP has a problem with SHA256, I tried to use
SHA-1 with SCEP as well, but there is no difference. It's still the -15
error with "Couldn't create SCEP request signing attributes". My SCEP CA
certificate and SCEP source code are available here:
http://student.fiit.stuba.sk/~michalak04/zdielane/scepca.der
http://student.fiit.stuba.sk/~michalak04/zdielane/generate_scep.c

It is not possible to try MD5 because EJBCA doesn't allow it.

CMP
===
Is the DER encoded object from EJBCA log or what Tomas provided enough
for you?:

Juraj.


_______________________________________________
Cryptlib mailing list
Cryptlib@... via Mail: cryptlib-request@...
Archive: ftp://ftp.franken.de/pub/crypt/cryptlib/archives/
http://news.gmane.org/gmane.comp.encryption.cryptlib
Posts from non-subscribed addresses are blocked to prevent spam, please
subscribe in order to post messages.
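
The capability query Peter describes in the quoted reply is the GetCACaps operation of SCEP (RFC 8894), which returns one keyword per line. The sketch below is an added example, not part of the original post and not cryptlib or EJBCA code: it picks a signing digest from such a reply and falls back to SHA-1 when a minimal responder returns nothing usable. The function names, the fallback policy and the sample replies are assumptions.

```python
# Added example: choose the SCEP signing digest from a GetCACaps reply.
# Keyword names are from RFC 8894; the fallback policy is an assumption.

# Capability keyword -> hashlib-style digest name, strongest first.
DIGEST_CAPS = [("SHA-512", "sha512"), ("SHA-256", "sha256"), ("SHA-1", "sha1")]
DEFAULT_DIGEST = "sha1"  # what the post says is safe to assume


def parse_cacaps(body):
    """Return the set of advertised keywords, or None if the reply is unusable."""
    if not body:
        return None
    try:
        text = body.decode("ascii") if isinstance(body, bytes) else body
    except UnicodeDecodeError:
        return None
    caps = set()
    for line in text.splitlines():  # handles both CRLF and LF
        keyword = line.strip()
        if not keyword:
            continue
        # Minimal responders may answer with an HTML error page instead.
        if "<" in keyword or ">" in keyword:
            return None
        caps.add(keyword.upper())  # lenient about case (assumption)
    return caps or None


def choose_digest(body, client_allowed=("sha256", "sha1")):
    """Return (digest_name, reason) for signing the SCEP request."""
    caps = parse_cacaps(body)
    if caps is None:
        return DEFAULT_DIGEST, "no usable GetCACaps reply"
    for keyword, name in DIGEST_CAPS:
        if keyword in caps and name in client_allowed:
            return name, "CA advertises " + keyword
    return DEFAULT_DIGEST, "no advertised digest is allowed locally"


if __name__ == "__main__":
    # Constructed sample replies, not captured from any real CA.
    samples = [b"POSTPKIOperation\r\nSHA-256\r\nSHA-1\r\nDES3\r\n",
               b"<html><body>Bad request</body></html>", b""]
    for sample in samples:
        print(sample[:20], "->", choose_digest(sample))
```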