"Resync failed: corrupt file" on resync of profile encrypted using Debian 9 OpenSSL

I have an SPA112 running 1.4.1 (002) Oct 26 2015, and I've got a profile gzipped and encrypted using openssl and served via HTTP.

If I encrypt the profile on up-to-date Ubuntu 16.04, OpenSSL 1.0.2g 1 Mar 2016, the ATA can decrypt the file, and the ATA applies the profile.

If I encrypt the profile on up-to-date Debian 9, OpenSSL 1.1.0f 25 May 2017, the ATA is not able to decrypt the file. Debug logs show "Resync failed: corrupt file".

Might this mean that the version of openssl in 1.4.1 is no longer compatible with the versions of openssl available on more recent OSs?

If so, would there be plans for a firmware update to address what I think might be a potential security issue?

6 Replies

Dan Lukes
VIP Alumni

Can you disclose the exact command you are using to encrypt the profile file?

By the way, there's no security issue with OpenSSL 1.0.x related to encryption algorithm used to encrypt profile file as far as I know. So no reason not to use it.

Based on your comment, Dan, I did a little research on OpenSSL versions, and default digest changes between 1.0 and 1.1 from MD5 to SHA256. I found out that to encrypt a file using 1.1 that can be decrypted by an SPA112, add -md MD5 to the command line.

So using 1.0, a working command looks like what's suggested in the provisioning manual:

openssl enc -e -aes-256-cbc -k <key> -in <something>.xml.gz -out <something>.xml.gz.enc

But using 1.1, a working command looks like this:

openssl enc -e -aes-256-cbc -md MD5 -k <key> -in <something>.xml.gz -out <something>.xml.gz.enc

Hopefully someone having the same problem in the future will figure it out a little faster than I did if they find this thread. Thanks.
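The mechanism behind the fix above, as an added illustration rather than anything from the original thread or from Cisco: `openssl enc -k <key>` does not use the passphrase directly; it derives the AES key and IV with OpenSSL's legacy EVP_BytesToKey KDF, which hashes the passphrase together with the 8-byte salt stored after the `Salted__` header. OpenSSL 1.0 hashes with MD5, OpenSSL 1.1 with SHA-256 unless `-md` overrides it, so the same passphrase and salt produce different key material. A device whose OpenSSL still assumes MD5 decrypts with the wrong key and sees garbage, which is the plausible reason for the "corrupt file" error. The script reimplements the KDF with `hashlib` (no AES decryption is performed) and the sample file header is constructed, not a real profile:

```python
"""EVP_BytesToKey as used by `openssl enc -k <pass>`, reimplemented to show why
the default-digest change (MD5 in OpenSSL 1.0, SHA-256 in OpenSSL 1.1) yields a
different AES-256 key/IV from the same passphrase and salt."""
import hashlib
from typing import Tuple

MAGIC = b"Salted__"      # 8-byte header `openssl enc` writes before the 8-byte salt
AES256_KEY_LEN = 32      # -aes-256-cbc key size in bytes
AES_IV_LEN = 16          # AES-CBC IV size in bytes


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int, iv_len: int,
                     digest: str = "md5", count: int = 1) -> Tuple[bytes, bytes]:
    """OpenSSL's legacy KDF (see EVP_BytesToKey(3) / enc(1)):
    D_1 = H(password || salt), D_i = H(D_(i-1) || password || salt),
    each D_i re-hashed `count` times (enc uses count=1); key || iv is the
    concatenation of the D_i, truncated to key_len + iv_len."""
    if len(salt) not in (0, 8):
        raise ValueError("openssl enc uses an empty or 8-byte salt")
    derived = b""
    block = b""
    while len(derived) < key_len + iv_len:
        block = hashlib.new(digest, block + password + salt).digest()
        for _ in range(count - 1):
            block = hashlib.new(digest, block).digest()
        derived += block
    return derived[:key_len], derived[key_len:key_len + iv_len]


def parse_enc_file(blob: bytes) -> Tuple[bytes, bytes]:
    """Split `openssl enc` output (default -salt) into (salt, ciphertext)."""
    if len(blob) < 16 or not blob.startswith(MAGIC):
        raise ValueError("not an OpenSSL 'Salted__' file")
    return blob[8:16], blob[16:]


def key_iv_for_enc_file(blob: bytes, password: bytes, digest: str) -> Tuple[bytes, bytes]:
    """Key/IV a decryptor would use for this file if it assumes `digest` for the KDF."""
    salt, _ciphertext = parse_enc_file(blob)
    return evp_bytes_to_key(password, salt, AES256_KEY_LEN, AES_IV_LEN, digest)


def digests_agree(blob: bytes, password: bytes) -> bool:
    """True only if an MD5-based and a SHA-256-based decryptor would derive the same key/IV."""
    return (key_iv_for_enc_file(blob, password, "md5")
            == key_iv_for_enc_file(blob, password, "sha256"))


if __name__ == "__main__":
    # Constructed sample: a 'Salted__' header with a fixed salt and a dummy body.
    # No real profile or key material is used here.
    sample = MAGIC + bytes.fromhex("0011223344556677") + b"\x00" * 32
    passphrase = b"example-passphrase"          # placeholder, not a real provisioning key
    for d in ("md5", "sha256"):
        key, iv = key_iv_for_enc_file(sample, passphrase, d)
        print(f"{d:7s} key={key.hex()} iv={iv.hex()}")
    print("same key/IV under both digests:", digests_agree(sample, passphrase))
```

To confirm a file is decryptable by an MD5-only consumer before serving it, decrypt it on the build host with the digest pinned and check that the result is still valid gzip: `openssl enc -d -aes-256-cbc -md md5 -k <key> -in <something>.xml.gz.enc | gunzip -t`. Pinning `-md` in both the encrypt and the decrypt command is the practical form of the "avoid defaults" advice in this thread.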

It's why I asked exact command line used.

And it's why I'm trying to avoid 'defaults' whenever possible - just because 'defaults' are known to vary.

Glad to hear you solved it.

Hello,

I hope you are doing well, my name is Jonathan and I am part of Small business here at Cisco.

I apologize for any inconvenience with the unit. Just in case you need further assistance, feel free to contact us using the following link so we can help in a faster way next time.

Regards.

https://supportforums.cisco.com/community/4626/small-business-service-and-support-country

Did you try to follow your advice? The link you promoted declares the following:

Start here. You can find many solutions on the Small Business Support Community, which provides a place for you to collaborate with other Cisco customers and partners.

In short, you are advising us to continue this thread if necessary ...

Good to know ... ;-)

Hi Jonathan, thanks for the reply. The only thing I can think of that Cisco should do wrt this problem is to add something to the provisioning guide to add -md MD5 to the OpenSSL commands. As OSs move to OpenSSL 1.1, it's likely more people will come up against this problem in the future.