[CentOS-de] E-Mail made in Germany vs. CentOS 5: tlsv1 alert insufficient security

Tilman Schmidt t.schmidt at phoenixsoftware.de
Wed Aug 14 15:18:35 UTC 2013


Hello Klaus,

On 14.08.2013 14:27, Klaus Tachtler wrote:
> I also found the following:
> http://comments.gmane.org/gmane.linux.devices.blueonyx.user/13490
> 
> Could it be that the certificates on the CentOS 5 and CentOS 6 servers
> are different?

CentOS 5:

[ts at gimli ~]$ openssl x509 -in /etc/pki/tls/certs/server.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 131562 (0x201ea)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=CAcert Inc., OU=http://www.CAcert.org, CN=CAcert Class 3 Root
        Validity
            Not Before: Jul  1 11:12:39 2013 GMT
            Not After : Jul  1 11:12:39 2015 GMT
        Subject: CN=mail.pxnet.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
[...]
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/class3-revoke.crl
[...]

CentOS 6:

[ts at posthamster ~]$ openssl x509 -in /etc/pki/tls/certs/server.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 65595 (0x1003b)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=CAcert Inc., OU=http://www.CAcert.org, CN=CAcert Class 3 Root
        Validity
            Not Before: Jul 10 15:36:22 2012 GMT
            Not After : Jul 10 15:36:22 2014 GMT
        Subject: CN=mail.phnxsoft.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
[...]
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/
[...]

So at least the key length is the same.
I see two differences:

- "Key Usage" is marked "critical" in the CentOS 5 certificate and
  includes "Key Agreement"; in the CentOS 6 certificate it is not.

- The CentOS 5 certificate has a CRL Distribution Point, the CentOS 6
  certificate does not.

Could that be the cause?

Regards,
Tilman

-- 
Tilman Schmidt
Phoenix Software GmbH
Bonn, Germany
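The by-eye comparison of the two `openssl x509 -text` dumps above, as an added example that is not part of the original post: a small Python script that parses such dumps and lists the differences in key size, signature algorithm and X509v3 extensions (critical flag and values). The two dumps it reads are constructed samples mirroring the fields discussed in the thread, not the certificates from the post.

```python
import re
# Constructed sample input: abbreviated `openssl x509 -text` dumps of two hypothetical certificates.
CERT_A = """\
        Signature Algorithm: sha1WithRSAEncryption
            RSA Public Key: (1024 bit)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 CRL Distribution Points:
                URI:http://crl.example.test/revoke.crl
"""
CERT_B = """\
        Signature Algorithm: sha1WithRSAEncryption
                Public-Key: (1024 bit)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
"""

def parse_cert_text(text):
    # Extract key size, signature algorithm and X509v3 extensions (name, critical flag, values).
    info = {"key_bits": None, "sig_alg": None, "extensions": {}}
    in_ext, current = False, None
    for line in text.splitlines():
        stripped, indent = line.strip(), len(line) - len(line.lstrip())
        if not in_ext:
            if stripped == "X509v3 extensions:":
                in_ext = True
            elif m := re.search(r"\((\d+) bit\)", stripped):
                info["key_bits"] = int(m.group(1))
            elif m := re.match(r"Signature Algorithm: (\S+)", stripped):
                info["sig_alg"] = m.group(1)
        elif indent == 12 and (m := re.match(r"(.+?):( critical)?$", stripped)):
            current = m.group(1)  # new extension header, e.g. "X509v3 Key Usage: critical"
            info["extensions"][current] = {"critical": bool(m.group(2)), "values": []}
        elif indent > 12 and stripped and current:  # deeper-indented lines are the extension's values
            info["extensions"][current]["values"] += [v.strip() for v in stripped.split(",")]
    return info

def compare_certs(text_a, text_b):
    # Return human-readable differences between two certificate dumps (A and B).
    a, b = parse_cert_text(text_a), parse_cert_text(text_b)
    diffs = [f"{f}: {a[f]} vs {b[f]}" for f in ("key_bits", "sig_alg") if a[f] != b[f]]
    for name in sorted(set(a["extensions"]) | set(b["extensions"])):
        ea, eb = a["extensions"].get(name), b["extensions"].get(name)
        if ea is None or eb is None:
            diffs.append(f"{name}: only in {'A' if ea else 'B'}")
        elif ea["critical"] != eb["critical"] or set(ea["values"]) != set(eb["values"]):
            diffs.append(f"{name}: critical {ea['critical']}/{eb['critical']}, differing {sorted(set(ea['values']) ^ set(eb['values']))}")
    return diffs
```

Running `compare_certs(CERT_A, CERT_B)` on the samples reports the CRL Distribution Point present only in A and the Key Usage extension differing in both its critical flag and the "Key Agreement" bit, the same two differences the post identifies by eye.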