Hello Klaus,
On 14.08.2013 14:27, Klaus Tachtler wrote:
I also found the following: http://comments.gmane.org/gmane.linux.devices.blueonyx.user/13490
Could it be that the certificates on the CentOS5 and CentOS6 servers are different?
CentOS 5:
[ts@gimli ~]$ openssl x509 -in /etc/pki/tls/certs/server.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 131562 (0x201ea)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=CAcert Inc., OU=http://www.CAcert.org, CN=CAcert Class 3 Root
        Validity
            Not Before: Jul 1 11:12:39 2013 GMT
            Not After : Jul 1 11:12:39 2015 GMT
        Subject: CN=mail.pxnet.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
[...]
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/
            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/class3-revoke.crl
[...]
CentOS 6:
[ts@posthamster ~]$ openssl x509 -in /etc/pki/tls/certs/server.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 65595 (0x1003b)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=CAcert Inc., OU=http://www.CAcert.org, CN=CAcert Class 3 Root
        Validity
            Not Before: Jul 10 15:36:22 2012 GMT
            Not After : Jul 10 15:36:22 2014 GMT
        Subject: CN=mail.phnxsoft.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
[...]
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/
[...]
So at least the key length is the same. I see two differences:
- "Key Usage" is marked as "critical" in the CentOS 5 certificate and includes "Key Agreement"; in the CentOS 6 certificate it is not.
- The CentOS 5 certificate has a CRL Distribution Point, the CentOS 6 certificate does not.
Could that be the cause?
Regards, Tilman
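
The manual comparison in the mail above can be automated; the following is an added example, not part of the original message. It parses the "X509v3 extensions" block of `openssl x509 -noout -text` output and reports differences in presence, criticality and values. The function names and the `SHARED`/`CENTOS5`/`CENTOS6` strings are this example's own; the strings are constructed from the extension lines quoted in the two dumps, with the identical extensions factored into one string.

```python
def parse_extensions(text):
    """Map extension name -> (critical, set of values) from `openssl x509 -text` output."""
    lines = text.splitlines()
    start = next(i for i, ln in enumerate(lines) if ln.strip() == "X509v3 extensions:")
    exts, name, head = {}, None, None
    for line in filter(str.strip, lines[start + 1:]):   # skip blank lines
        indent = len(line) - len(line.lstrip())
        head = indent if head is None else head          # indent of extension headers
        if indent < head:        # left the extensions block
            break
        if indent == head:       # header line, e.g. "X509v3 Key Usage: critical"
            name, _, flag = line.strip().partition(":")
            exts[name] = (flag.strip() == "critical", set())
        else:                    # value line of the current extension
            exts[name][1].update(v.strip() for v in line.split(","))
    return exts

def diff_extensions(a, b):
    """Describe how extension map a (first) differs from extension map b (second)."""
    out = []
    for name in sorted(set(a) | set(b)):
        if name not in a or name not in b:
            out.append(f"{name}: only in {'first' if name in a else 'second'}")
            continue
        if a[name][0] != b[name][0]:
            out.append(f"{name}: critical {a[name][0]} vs {b[name][0]}")
        if a[name][1] != b[name][1]:
            out.append(f"{name}: values differ by {sorted(a[name][1] ^ b[name][1])}")
    return out

# Constructed sample input: extension lines taken from the two dumps in the mail.
SHARED = """\
    X509v3 Basic Constraints: critical
        CA:FALSE
    X509v3 Extended Key Usage:
        TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
    Authority Information Access:
        OCSP - URI:http://ocsp.cacert.org/
"""
CENTOS5 = "X509v3 extensions:\n" + SHARED + """\
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment, Key Agreement
    X509v3 CRL Distribution Points:
        URI:http://crl.cacert.org/class3-revoke.crl
"""
CENTOS6 = "X509v3 extensions:\n" + SHARED + """\
    X509v3 Key Usage:
        Digital Signature, Key Encipherment
"""
```

Calling `diff_extensions(parse_extensions(CENTOS5), parse_extensions(CENTOS6))` reports the CRL Distribution Points extension as present only in the first certificate, and Key Usage as differing in both criticality and the "Key Agreement" value.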