I notice your cert display did not list a "Key Usage" section.  

X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment

Digital Signature and Data Encipherment are defaults, but
Key Encipherment does not default and needs to be specified
in Key Usage.

X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            Netscape Comment:
                OpenSSL Generated Certificate
                82:7D:1F:EF:53:DB:3D:E1:14:62:03:49:34:16:A2:92:D9:46:51:1E

> Sent: Tuesday, November 07, 2017 at 10:40 AM
> From: "Charles Mills" <charl...@mcn.org>
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: What cryptographic algorithm is not supported?
>
> That could be another thread "most useless diagnostic ever."
> 
> Right, that is the API call (apparently) that failed, but I don't think one 
> knows that just from the error message. As I said, I got the same error 
> message for presenting a certificate with a SHA-1 digest (I think). 
> Presumably a different CMS API call but the same external message. Different 
> action for the user.
> 
> I display certificates all the time. My script that issues OpenSSL 
> certificates displays them at the end.
> 
> Charles
> 
> 
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On 
> Behalf Of Kirk Wolf
> Sent: Tuesday, November 7, 2017 8:07 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: What cryptographic algorithm is not supported?
> 
> It's not the worst diagnostic situation that I have seen on z/OS (that award 
> would go to the C-library OS I/O stuff IMO).
> 
> In this case, the external API that failed is gsk_decode_import_key(), and if 
> you look it up the error that you are getting is documented:
> https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.gska100/msg34.htm
> 
> The algorithm codes can be found in /usr/include gskcms.h
> x509_alg_pbeWithSha1And40BitRc2Cbc  = 36,  /* 1.2.840.113549.1.12.1.6   */
> 
> Kirk Wolf
> Dovetailed Technologies
> http://dovetail.com
> 
> PS>  If you want some "fun", take your X.509 cert and load it into an ASN.1 
> tool that displays the whole ugly thing
> 
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> 
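
The check suggested at the top of this reply, as an added example (not part of the original thread): parse the extensions block of `openssl x509 -text` output and report whether Key Usage is present and lists Key Encipherment. The function names are hypothetical, and both sample blocks are constructed from the extension text quoted in the thread.

```python
import re

# Constructed sample: the extension block quoted in the reply (no Key Usage).
SAMPLE_WITHOUT_KU = """\
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            Netscape Comment:
                OpenSSL Generated Certificate
"""

# Constructed sample: the same block with the Key Usage lines from the reply.
SAMPLE_WITH_KU = SAMPLE_WITHOUT_KU + """\
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment
"""

def parse_extensions(text):
    """Map extension name -> (critical, [values]) from `openssl x509 -text`."""
    exts, hdr_indent, name = {}, None, None
    lines = iter(text.splitlines())
    for line in lines:                      # skip ahead to the extensions block
        if line.strip() == "X509v3 extensions:":
            break
    for line in lines:
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if hdr_indent is None:              # first line fixes the header indent
            hdr_indent = indent
        if indent < hdr_indent:             # left the block (e.g. signature)
            break
        m = re.match(r"(.+?):\s*(critical)?$", line.strip())
        if indent == hdr_indent and m:      # extension header line
            name = m.group(1)
            exts[name] = (m.group(2) is not None, [])
        elif name:                          # value line under current header
            exts[name][1].extend(v.strip() for v in line.split(",") if v.strip())
    return exts

def check_key_usage(text, required=("Key Encipherment",)):
    """Return a list of findings; an empty list means the check passed."""
    exts = parse_extensions(text)
    if "X509v3 Key Usage" not in exts:
        return ["no Key Usage extension present"]
    usages = exts["X509v3 Key Usage"][1]
    return [f"Key Usage lacks {u}" for u in required if u not in usages]
```
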
