Christian W Pohl wrote:
I tested openca-scep with the VPN 3000 and it did not work (could not open pkcs#7).
After some searching and testing also against a MS-CA I found that the concentrator cannot handle des-ede3-cbc enveloped data.
After changing the encryption to simple des-cbc (and inserting the -debug switch) it worked fine (also with Cisco PIX 501 and some routers).
Anyone else noticed this? If so: is it possible to insert an option -des and -3des? (I think I could make it)
If you do it then we can include the patch. Usually this patch is not necessary. VPN concentrators and PIXes can both handle 3des but there is a funny detail with Cisco's test equipment.
Cisco has a big pool of test equipment worldwide. This equipment has to match the export regulations of the US, so that Cisco does not have to take care of who uses the test equipment where. If the test equipment can only do DES then it is not restricted for export. Cisco can send this box to every country in the world. If you need 3DES-able test equipment then you must request it explicitly from Cisco or you only get a DES box.
I hope this is still principally correct or a Cisco guy can correct me :)
Michael
--
Michael Bell
ZE Computer- und Medienservice (Computing Centre)
Humboldt-University of Berlin
Unter den Linden 6
10099 Berlin
Germany
Email: [EMAIL PROTECTED]
Email (private): [EMAIL PROTECTED]
Tel.: +49 (0)30-2093 2482
Fax: +49 (0)30-2093 2704
http://www.openca.org
_______________________________________________
OpenCA-Devel mailing list
https://lists.sourceforge.net/lists/listinfo/openca-devel
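
The failure discussed in this thread depends on which content-encryption algorithm the SCEP PKCS#7 envelope carries (des-cbc or des-ede3-cbc). As an added example, not part of the original messages and not OpenCA code, the Python below reads that algorithm OID from an EnvelopedData blob. It assumes definite-length DER input; the function names and the sample messages are constructed for illustration.

```python
# Added example, not OpenCA code. All function names here are illustrative.
CIPHERS = {"1.3.14.3.2.7": "des-cbc", "1.2.840.113549.3.7": "des-ede3-cbc"}
DES_CBC, DES_EDE3 = "06052b0e030207", "06082a864886f70d0307"  # DER OIDs for sample()
def children(buf, start, end):
    """Return [(tag, value_start, value_end)] for the DER elements in buf[start:end]."""
    out = []
    while start < end:
        tag, length, pos = buf[start], buf[start + 1], start + 2
        if length & 0x80:                     # long form: next n bytes hold the length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > end:
            raise ValueError("truncated DER element")
        out.append((tag, pos, pos + length))
        start = pos + length
    return out

def decode_oid(body):                         # OID content bytes -> dotted string
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                      # high bit clear: last byte of this arc
            arcs.append(val)
            val = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def content_cipher(der):
    """Return the content-encryption cipher name (or bare OID) of a DER ContentInfo."""
    _, s, e = children(der, 0, len(der))[0]              # ContentInfo
    (_, o1, o2), (_, c1, c2) = children(der, s, e)[:2]   # contentType, [0] content
    if decode_oid(der[o1:o2]) != "1.2.840.113549.1.7.3":
        raise ValueError("not PKCS#7 envelopedData")
    _, s, e = children(der, c1, c2)[0]                   # EnvelopedData
    eci = next(c for c in children(der, s, e) if c[0] == 0x30)  # encryptedContentInfo
    alg = children(der, eci[1], eci[2])[1]               # contentEncryptionAlgorithm
    _, o1, o2 = children(der, alg[1], alg[2])[0]         # algorithm OID
    oid = decode_oid(der[o1:o2])
    return CIPHERS.get(oid, oid)

def sample(alg_oid_hex):
    """Constructed minimal EnvelopedData: no recipients, zero IV, zero ciphertext."""
    t = lambda tag, body: bytes([tag, len(body)]) + body
    alg = t(0x30, bytes.fromhex(alg_oid_hex) + t(0x04, bytes(8)))
    eci = t(0x30, bytes.fromhex("06092a864886f70d010701") + alg + t(0x80, bytes(8)))
    env = t(0x30, bytes.fromhex("020100") + t(0x31, b"") + eci)
    return t(0x30, bytes.fromhex("06092a864886f70d010703") + t(0xA0, env))

if __name__ == "__main__":
    print(content_cipher(sample(DES_CBC)), content_cipher(sample(DES_EDE3)))
```

Running the same check on a captured request and on the CA's reply shows whether the two sides are using the same cipher before any device-side debugging starts.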