Same problem on CentOS 9 Stream. Do you plan any sscep upgrades to work properly with OpenSSL versions higher than 3.0.0?
This isn't actually an SSCEP bug. The issue is:
- Windows NDES service uses SHA1 to sign the SCEP reply
- OpenSSL v3 deprecates support for SHA1
I appreciate this bug report existing to help guide users out of the rather confusing issue, but unless SSCEP is requesting the signature to be SHA1, there is nothing to fix in SSCEP. The bug should be reported to Microsoft.
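To check the diagnosis in the comment above against a saved server reply, the following sketch walks a DER-encoded PKCS#7 SignedData and reports the digest algorithm each SignerInfo declares. It is an added example, not sscep code and not part of the thread; the function names and the unsigned sample structure are constructed for illustration, and it assumes definite-length DER.

```python
# Added example, not sscep code: report the digest each SignerInfo of a
# PKCS#7 SignedData (the SCEP reply) declares. Assumes definite-length DER.
DIGEST_OIDS = {
    bytes.fromhex("2b0e03021a"): "sha1",
    bytes.fromhex("608648016503040201"): "sha256",
    bytes.fromhex("608648016503040203"): "sha512",
}
SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # pkcs7-signedData OID

def tlv(buf, pos=0):  # decode one TLV; returns (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # split a constructed value into (tag, value) pairs
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def signer_digests(pkcs7_der):
    """Return the digest name (or OID hex if unknown) of every SignerInfo."""
    ctype, wrapped = children(tlv(pkcs7_der)[1])        # ContentInfo fields
    if ctype[1] != SIGNED_DATA:
        raise ValueError("not PKCS#7 signedData")
    signer_infos = children(tlv(wrapped[1])[1])[-1][1]  # last SignedData field
    names = []
    for _, info in children(signer_infos):
        alg = children(info)[2][1]  # version, issuerAndSerial, digestAlgorithm
        oid = children(alg)[0][1]
        names.append(DIGEST_OIDS.get(oid, oid.hex()))
    return names

def der(tag, *parts):  # sample builder only; short-form lengths (< 128 bytes)
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)

def sample_reply(digest_oid):
    """Constructed, unsigned SignedData skeleton; not a real NDES reply."""
    alg = der(0x30, der(0x06, digest_oid), der(0x05))
    rsa = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")), der(0x05))
    one = der(0x02, b"\x01")
    signer = der(0x30, one, der(0x30, der(0x30), one), alg, rsa, der(0x04, b"\x00"))
    data = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010701")))
    signed = der(0x30, one, der(0x31, alg), data, der(0x31, signer))
    return der(0x30, der(0x06, SIGNED_DATA), der(0xA0, signed))
```

Calling `signer_digests()` on the raw bytes of a captured `application/x-pki-message` response shows whether the reply is signed with `sha1` regardless of the `-S sha256` requested by the client.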
I am trying to get a signed certificate, but sscep doesn't work in Red Hat 9 (x86_64). The same version (0.10.0) works in Red Hat 8.
FIPS is disabled.
sscep enroll -v -c /tmp/sert-0 -e /tmp/sert-1 -E 3des -k /tmp/testserver.test.fi.rsa -r /tmp/testserver.test.fi.req -S sha256 -l /tmp/testserver.test.fi.pem -u http://ndestestserver/certsrv/mscep/mscep.dll/pkiclient.exe -v
sscep: starting sscep, version 0.10.0
sscep: new transaction
sscep: transaction id: D41D8CD98F00B204E9800998ECF8427E
sscep: hostname: ndestestserver
sscep: directory: certsrv/mscep/mscep.dll/pkiclient.exe
sscep: port: 80
sscep: SCEP_OPERATION_GETCAPS
sscep: connecting to ndestestserver:80
sscep: server response status code: 200, MIME header: text/plain
POSTPKIOperation
Renewal
SHA-512
SHA-256
SHA-1
DES3
sscep: Read request with transaction id: 98B947A37B2E8E0A36729979986C1F72
sscep: generating selfsigned certificate
sscep: SCEP_OPERATION_ENROLL
sscep: sending certificate request
sscep: request data dump
sscep: data payload size: 802 bytes
sscep: successfully encrypted payload
sscep: envelope size: 1137 bytes
sscep: creating outer PKCS#7
sscep: PKCS#7 data written successfully
sscep: payload size: 2763 bytes
sscep: connecting to ndestestserver:80
sscep: server response status code: 200, MIME header: application/x-pki-message
sscep: valid response from server
sscep: verifying signature
sscep: error verifying signature
40D75FA2B97F0000:error:03000098:digital envelope routines:evp_pkey_ctx_set_md:invalid digest:crypto/evp/pmeth_lib.c:961:
40D75FA2B97F0000:error:10800069:PKCS7 routines:PKCS7_signatureVerify:signature failure:crypto/pkcs7/pk7_doit.c:1122: