Hi Michael, there is no special testing equipment here :-( We will contact Cisco about that.
But to get our program working I made a diff from the cvs version of scep (module openca-0.9) perhaps you can include it. -debug switch working new switch -des modified functions: scep.c: main scep_msg.*: SCEP_MSG_new and SCEP_MSG_encrypt scep.diff: see snipet below Kind regards, Chris -- Christian W. Pohl Michael Bell <[EMAIL PROTECTED]> Sent by: [EMAIL PROTECTED] 14.06.2004 15:50 Please respond to [EMAIL PROTECTED] To [EMAIL PROTECTED] cc Subject Re: [OpenCA-Devel] openca-scep + Cisco VPN 3000 Christian W Pohl wrote: > I tested openca-scep with the VPN 3000. and it did not work (could not > open pkcs#7). > > After some searching and testing also against a MS-CA I found, that the > concentrator > can not handle des-ede3-cbc enveloped data. > > After changing the encryption to simple des-cbc (and inserting the -debug > switch) it wortked fine (also with cisco pix 501 and some routers) > > Anyone else noticed this? If so: is it possible to insert a option -des > and -3des? (I think I could make it) If you do it then we can include the patch. Usually this patch is not necessary. VPN concentrators and PIXes can both handle 3des but there is a funny detail with Cisco's test equipment. Cisco has a big pool of test equipment worldwide. This equipment has to match the export regulations of the US, so that Cisco has not to take care who uses where the test equipment. If the test equipment only can do DES then it is not restricted for export. Cisco can send this box to every country in the world. If you need 3DES-able test equipment then you must request it explicitly from Cisco or you only get a DES box. 
I hope this is still principally correct or a Cisco guy can correct me :) Michael -- ------------------------------------------------------------------- Michael Bell Email: [EMAIL PROTECTED] ZE Computer- und Medienservice Tel.: +49 (0)30-2093 2482 (Computing Centre) Fax: +49 (0)30-2093 2704 Humboldt-University of Berlin Unter den Linden 6 10099 Berlin Email (private): [EMAIL PROTECTED] Germany http://www.openca.org ------------------------------------------------------- This SF.Net email is sponsored by the new InstallShield X. >From Windows to Linux, servers to mobile, InstallShield X is the one installation-authoring solution that does it all. Learn more and evaluate today! http://www.installshield.com/Dev2Dev/0504 _______________________________________________ OpenCA-Devel mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/openca-devel ---snip--- Index: openca-0.9/src/scep/src/scep.c =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/scep/src/scep.c,v retrieving revision 1.29 diff -c -r1.29 scep.c *** openca-0.9/src/scep/src/scep.c 13 Jun 2003 13:40:18 -0000 1.29 --- openca-0.9/src/scep/src/scep.c 17 Jun 2004 14:10:19 -0000 *************** *** 56,61 **** --- 56,62 ---- " -recnonce <arg> new SCEP message Recipient NONCE val (i.e. 04:A4:...).\n", " -sendnonce <arg> new SCEP message Sender NONCE val (i.e. 
04:06:FF:...).\n", " -copynonce copy NONCE from input message (generate the reply).\n", + " -des encrypt envelope with normal des (default is 3des).\n", "\nData Content (to be added in the envelope):\n\n", " -reqfile file pkcs#10 request to be included into the PKCSReq.\n", " -reqformat file pkcs#10 request's format.\n", *************** *** 276,281 **** --- 277,285 ---- int copynonce = 1; ASN1_INTEGER *sno = NULL; + /* encryption algorithm */ + EVP_CIPHER cipher = *EVP_des_ede3_cbc(); + /* Private key for the signer */ EVP_PKEY *pkey = NULL; *************** *** 464,471 **** --- 468,479 ---- engine = *(++argv); } #endif + else if (strcmp(*argv,"-des") == 0) + cipher=*EVP_des_cbc(); else if (strcmp(*argv,"-v") == 0) verbose=1; + else if (strcmp(*argv,"-debug") == 0) + debug=1; else if (strcmp(*argv,"-version") == 0) version=1; else if (strcmp(*argv,"-new") == 0) *************** *** 828,834 **** } newMsg = SCEP_MSG_new( type, signcert, pkey, reccert, msg, ! req, issuedcert, NULL, ias, crl, cacert ); if( newMsg == NULL ) { BIO_printf( bio_err, "%s:%d Error creating message!\n", --- 836,842 ---- } newMsg = SCEP_MSG_new( type, signcert, pkey, reccert, msg, ! req, issuedcert, NULL, ias, crl, cacert, cipher ); if( newMsg == NULL ) { BIO_printf( bio_err, "%s:%d Error creating message!\n", Index: openca-0.9/src/scep/src/scep_msg.c =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/scep/src/scep_msg.c,v retrieving revision 1.26 diff -c -r1.26 scep_msg.c *** openca-0.9/src/scep/src/scep_msg.c 2 Jul 2003 22:51:45 -0000 1.26 --- openca-0.9/src/scep/src/scep_msg.c 17 Jun 2004 14:10:19 -0000 *************** *** 45,51 **** SCEP_MSG *SCEP_MSG_new( int messageType, X509 *cert, EVP_PKEY *pkey, X509 *recip_cert, SCEP_MSG *inMsg, X509_REQ *req, X509 *issued_cert, SCEP_ISSUER_AND_SUBJECT *cert_info, ! 
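Review bot: The new `EVP_CIPHER cipher = *EVP_des_ede3_cbc();` in the scep.c declarations hunk copies the cipher descriptor by value off the pointer OpenSSL returns, and that copy is then passed by value through SCEP_MSG_new and SCEP_MSG_encrypt and finally handed to PKCS7_encrypt as `&cipher`, the address of a stack-local copy; the same pattern recurs in the `-des` parsing hunk, the SCEP_MSG_new call hunk, both scep_msg.c signature hunks, the PKCS7_encrypt hunk and the scep_msg.h prototypes. OpenSSL's own API treats EVP_CIPHER as an opaque object that is only ever referenced by pointer, and as far as I recall PKCS7_encrypt records the pointer it is given inside the enveloped-data structure, so anything that later consults the cipher through msg->env_data.p7env would read a dead stack slot. The whole change becomes smaller and safer by carrying the pointer instead: `const EVP_CIPHER *cipher = EVP_des_ede3_cbc();` here, `cipher = EVP_des_cbc();` in the option parser, `const EVP_CIPHER *cipher` in both prototypes and definitions, and `inbio, cipher, PKCS7_BINARY` at the PKCS7_encrypt call. The enclosing main() starts and ends outside these hunks.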
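Review bot: The option-parsing hunk adds `-debug` setting `debug=1`, but the usage-text hunk above only documents `-des`, so the new switch is invisible to users; a line such as `" -debug print debug information.\n",` next to the `-des` entry would keep the help text in step with the parser. The patch does not show where `debug` is declared in scep.c; presumably it is the existing global that scep_msg.c already tests with `if (debug)`, but that should be confirmed since the diff adds no declaration. The enclosing main() starts and ends outside this hunk.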
PKCS7_ISSUER_AND_SERIAL *ias, X509_CRL *crl, X509 *cacert ) { SCEP_MSG *msg = NULL; PKCS7_SIGNER_INFO *si = NULL; --- 45,52 ---- SCEP_MSG *SCEP_MSG_new( int messageType, X509 *cert, EVP_PKEY *pkey, X509 *recip_cert, SCEP_MSG *inMsg, X509_REQ *req, X509 *issued_cert, SCEP_ISSUER_AND_SUBJECT *cert_info, ! PKCS7_ISSUER_AND_SERIAL *ias, X509_CRL *crl, X509 *cacert, ! EVP_CIPHER cipher ) { SCEP_MSG *msg = NULL; PKCS7_SIGNER_INFO *si = NULL; *************** *** 208,214 **** if (debug) BIO_printf( debug_bio, "%s:%d: [Debug Info] encode\n", __FILE__, __LINE__); /* Encrypt the message data */ ! if( !SCEP_MSG_encrypt( msg, recip_cert )) goto err; if (debug) BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__); } --- 209,215 ---- if (debug) BIO_printf( debug_bio, "%s:%d: [Debug Info] encode\n", __FILE__, __LINE__); /* Encrypt the message data */ ! if( !SCEP_MSG_encrypt( msg, recip_cert, cipher )) goto err; if (debug) BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__); } *************** *** 340,346 **** } } ! int SCEP_MSG_encrypt( SCEP_MSG *msg, X509 *recip_cert ) { BIO *inbio = NULL; int ret = 0; --- 341,347 ---- } } ! int SCEP_MSG_encrypt( SCEP_MSG *msg, X509 *recip_cert, EVP_CIPHER cipher ) { BIO *inbio = NULL; int ret = 0; *************** *** 415,421 **** /* Encrypt Data */ msg->env_data.p7env = PKCS7_encrypt( msg->env_data.recip_info.sk_recip_certs, ! inbio, EVP_des_ede3_cbc(), PKCS7_BINARY ); ERR_clear_error(); --- 416,422 ---- /* Encrypt Data */ msg->env_data.p7env = PKCS7_encrypt( msg->env_data.recip_info.sk_recip_certs, ! 
inbio, &cipher, PKCS7_BINARY ); ERR_clear_error(); Index: openca-0.9/src/scep/src/scep_msg.h =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/scep/src/scep_msg.h,v retrieving revision 1.13 diff -c -r1.13 scep_msg.h *** openca-0.9/src/scep/src/scep_msg.h 5 May 2003 10:40:47 -0000 1.13 --- openca-0.9/src/scep/src/scep_msg.h 17 Jun 2004 14:10:19 -0000 *************** *** 11,22 **** SCEP_MSG *SCEP_MSG_new( int messageType, X509 *cert, EVP_PKEY *pkey, X509 *recip_cert, SCEP_MSG *inMsg, X509_REQ *req, X509 *issued_cert, SCEP_ISSUER_AND_SUBJECT *cert_info, PKCS7_ISSUER_AND_SERIAL *p7_ias, ! X509_CRL *crl, X509 *cacert); int SCEP_MSG_free( SCEP_MSG *msg ); /* Encrypt/Decrypt data within a SCEP_MSG if any */ ! int SCEP_MSG_encrypt( SCEP_MSG *msg, X509 *recip_cert ); unsigned char *SCEP_MSG_decrypt( SCEP_MSG *msg, EVP_PKEY *pkey, X509 *cert, long *len ); --- 11,22 ---- SCEP_MSG *SCEP_MSG_new( int messageType, X509 *cert, EVP_PKEY *pkey, X509 *recip_cert, SCEP_MSG *inMsg, X509_REQ *req, X509 *issued_cert, SCEP_ISSUER_AND_SUBJECT *cert_info, PKCS7_ISSUER_AND_SERIAL *p7_ias, ! X509_CRL *crl, X509 *cacert, EVP_CIPHER cipher); int SCEP_MSG_free( SCEP_MSG *msg ); /* Encrypt/Decrypt data within a SCEP_MSG if any */ ! int SCEP_MSG_encrypt( SCEP_MSG *msg, X509 *recip_cert, EVP_CIPHER cipher ); unsigned char *SCEP_MSG_decrypt( SCEP_MSG *msg, EVP_PKEY *pkey, X509 *cert, long *len ); ---snap---
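Review bot: The new `cipher` parameter of SCEP_MSG_encrypt is undocumented, and because it lets a caller drop the enveloped data from 3DES to single DES the contract deserves a sentence in scep_msg.h and at the definition: `/* cipher: content-encryption algorithm for the PKCS#7 EnvelopedData; default callers pass EVP_des_ede3_cbc(), EVP_des_cbc() exists only for interoperability with devices that cannot handle 3DES and weakens confidentiality of the request. */`. Since the existing debug path already prints "[Debug Info]" markers around the encrypt step, emitting the selected algorithm there, e.g. `if (debug) BIO_printf( debug_bio, "%s:%d: [Debug Info] cipher %s\n", __FILE__, __LINE__, OBJ_nid2sn(EVP_CIPHER_nid(&cipher)) );`, would make an unintended downgrade visible in the log. The enclosing SCEP_MSG_encrypt body starts outside this hunk.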