Hi folks,

thanks a lot to Michael who helped me identify a problem with my SCEP test setup.

I was experiencing problems with various SCEP clients in my setup. My test environment consists of an OpenCA 0.9.2.1 installation with a distinct SCEP server certificate. I was unable to enroll a new client using the SCEP interface. In the course of testing the various clients I identified several minor problems that prevented successful enrollment, and I thought I'd post a summary of my experiences to help others avoid these pitfalls.

* Notes on SSCEP (20030417)

First of all, the sscep client must be compiled against an OpenSSL version other than 0.9.7d; it will not work otherwise. The same holds true for autoSscep. If you are experiencing SIGSEGV with your client even before any data is sent to the server, this is very probably the reason for your problems.

More importantly, I observed the following strange behaviour: With my faulty configuration, sscep bailed out with the following error after reading the SCEP server reply (pending):

    ../sscep: PKCS#7 contains 0 bytes of enveloped data
    ../sscep: verifying signature
    ../sscep: error verifying signature
    25304:error:04077077:rsa routines:RSA_verify:wrong signature length:rsa_sign.c:154:
    25304:error:21071069:PKCS7 routines:PKCS7_signatureVerify:signature failure:pk7_doit.c:838:

The corresponding config file contained:

    ...
    # This is one is needed with all operations.
    CACertFile cacert-1
    ...
    # If your CA/RA uses a different certificates for encyption
    # and signing, define this
    EncCertFile /home/martin/stuff/src/sscep/tmp/cacert-0
    ...

In my case cacert-1 is the CA certificate, cacert-0 is the SCEP server certificate. Strangely enough, this DOES NOT WORK and produces the above error. If I set

    CACertFile cacert-0

then enrollment works properly for me. Effectively, the CACertFile must point to the SCEP server file to make it work.

* Notes on scepclient 0.1 (Java client)

The Java client does not recognize chunked encoding properly, making it almost impossible to use it with modern web servers.

File src/ch/othello/openscep/internal/ScepHTTPGet.java

ScepHTTPGet::getContent() tries to allocate -1 char elements for content[] in this case and dies with an out-of-bounds exception. I did not fix this yet.

Hope this helps others to avoid unnecessary debugging.

cheers

Martin
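An added example, not code from scepclient or from the original post: one way to read an HTTP response body when the reply is chunked and the declared content length is -1, as in the failure described for ScepHTTPGet::getContent(). The class name BodyReader, the method readBody and the 1 MiB cap are assumptions made for illustration, and the body is read as bytes because a SCEP reply is binary PKCS#7 data.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;

// Hypothetical helper, not part of scepclient: reads a response body without
// trusting the declared length. With chunked transfer encoding,
// URLConnection.getContentLength() returns -1, so sizing a buffer from it fails.
public class BodyReader {
    // Assumed cap on an accepted SCEP reply, so a server cannot exhaust memory.
    static final int MAX_BODY = 1 << 20;

    static byte[] readBody(InputStream in, int declaredLength) throws IOException {
        if (declaredLength > MAX_BODY) {
            throw new IOException("declared length exceeds cap: " + declaredLength);
        }
        // Use the declared length only as a sizing hint; -1 means "unknown".
        int hint = declaredLength > 0 ? declaredLength : 4096;
        ByteArrayOutputStream out = new ByteArrayOutputStream(hint);
        byte[] buf = new byte[4096];
        int n;
        while ((n = in.read(buf)) != -1) {
            if (out.size() + n > MAX_BODY) {
                throw new IOException("response body exceeds cap of " + MAX_BODY + " bytes");
            }
            out.write(buf, 0, n);
        }
        // A body shorter than a declared length means a truncated reply.
        if (declaredLength >= 0 && out.size() < declaredLength) {
            throw new IOException("truncated body: got " + out.size() + " of " + declaredLength);
        }
        return out.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample bytes standing in for a decoded PKCS#7 reply.
        byte[] sample = {0x30, (byte) 0x82, 0x01, 0x0a, 0x06, 0x09};
        // Chunked case: no Content-Length, so the declared length is -1.
        byte[] chunked = readBody(new ByteArrayInputStream(sample), -1);
        // Fixed-length case: the declared length matches the body.
        byte[] fixed = readBody(new ByteArrayInputStream(sample), sample.length);
        System.out.println(chunked.length + " " + fixed.length);
    }
}
```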
