07-23-2017 03:13 AM - edited 03-21-2019 10:40 AM
I have an SPA112 running 1.4.1 (002) Oct 26 2015, and I've got a profile gzipped and encrypted using openssl and served via HTTP.
If I encrypt the profile on up-to-date Ubuntu 16.04, OpenSSL 1.0.2g 1 Mar 2016, the ATA can decrypt the file, and the ATA applies the profile.
If I encrypt the profile on up-to-date Debian 9, OpenSSL 1.1.0f 25 May 2017, the ATA is not able to decrypt the file. Debug logs show "Resync failed: corrupt file".
Might this mean that the version of openssl in 1.4.1 is no longer compatible with the versions of openssl available on more recent OSs?
If so, would there be plans for a firmware update to address what I think might be a potential security issue?
07-23-2017 07:28 AM
Can you disclose the exact command you are using to encrypt the profile file?
By the way, there's no security issue with OpenSSL 1.0.x related to the encryption algorithm used to encrypt the profile file, as far as I know. So there's no reason not to use it.
07-23-2017 09:05 AM
Based on your comment, Dan, I did a little research on OpenSSL versions, and default digest changes between 1.0 and 1.1 from MD5 to SHA256. I found out that to encrypt a file using 1.1 that can be decrypted by an SPA112, add -md MD5 to the command line.
So using 1.0, a working command looks like what's suggested in the provisioning manual:
openssl enc -e -aes-256-cbc -k <key> -in <something>.xml.gz -out <something>.xml.gz.enc
But using 1.1, a working command looks like this:
openssl enc -e -aes-256-cbc -md MD5 -k <key> -in <something>.xml.gz -out <something>.xml.gz.enc
Hopefully someone having the same problem in the future will figure it out a little faster than I did if they find this thread. Thanks.
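The mismatch described in this post comes from `openssl enc -k`, which derives the AES key and IV from the passphrase with EVP_BytesToKey using the `-md` digest; OpenSSL 1.0 defaulted that digest to MD5 and 1.1 changed it to SHA-256, so the ATA's 1.0-era OpenSSL derives a different key unless `-md md5` is given. The script below is an added example, not code from the thread or from Cisco's provisioning guide: it encrypts a constructed stand-in for `<something>.xml.gz` once with each digest, decrypts it the way the SPA112 would (AES-256-CBC, MD5-based key derivation), and reports which copy would "resync" cleanly. The key, the profile contents and the function names are illustrative assumptions; run it on the same host whose openssl you use for provisioning.

```shell
#!/bin/sh
# Added example (not from the original thread). Reproduces the SPA112 "corrupt file"
# symptom caused by the OpenSSL 1.0 -> 1.1 change of the default -md digest and shows
# that pinning -md md5 fixes it. Key and profile content below are constructed.
set -eu

KEY='example-provisioning-key'        # hypothetical passphrase; never reuse in production
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for <something>.xml and its gzipped form.
printf '<flat-profile>\n<Admin_Passwd>changeme</Admin_Passwd>\n</flat-profile>\n' \
  > "$WORK/profile.xml"
gzip -c "$WORK/profile.xml" > "$WORK/profile.xml.gz"

# enc_profile DIGEST IN OUT: the provisioning-guide command with the KDF digest explicit.
# `-k` runs EVP_BytesToKey(DIGEST) over the passphrase to get key+IV; OpenSSL 1.0
# defaulted DIGEST to md5, OpenSSL 1.1 and later default to sha256.
enc_profile() {
  openssl enc -e -aes-256-cbc -md "$1" -k "$KEY" -in "$2" -out "$3"
}

# dec_as_spa112 IN OUT: what the ATA's OpenSSL 1.0-era code does on resync,
# i.e. AES-256-CBC with key/IV from EVP_BytesToKey(md5). Non-zero exit on bad decrypt.
dec_as_spa112() {
  openssl enc -d -aes-256-cbc -md md5 -k "$KEY" -in "$1" -out "$2" 2>/dev/null
}

# resync_with DIGEST: encrypt with DIGEST, then decrypt as the ATA would.
# Prints "applied" if the gzip round-trips byte for byte, "corrupt" otherwise
# (cmp guards against the rare case where a wrong key still yields valid padding).
resync_with() {
  enc_profile "$1" "$WORK/profile.xml.gz" "$WORK/profile.$1.enc"
  if dec_as_spa112 "$WORK/profile.$1.enc" "$WORK/profile.$1.dec" \
     && cmp -s "$WORK/profile.xml.gz" "$WORK/profile.$1.dec"; then
    echo applied
  else
    echo corrupt
  fi
}

# default_digest: tell whether *this* openssl still defaults to md5, by encrypting
# with a fixed salt (-S) once with no -md and once with -md md5 and comparing.
# Prints "md5" or "not-md5" (sha256 on 1.1 and later).
default_digest() {
  openssl enc -e -aes-256-cbc -k "$KEY" -S 0011223344556677 \
    -in "$WORK/profile.xml.gz" -out "$WORK/default.enc" 2>/dev/null
  openssl enc -e -aes-256-cbc -md md5 -k "$KEY" -S 0011223344556677 \
    -in "$WORK/profile.xml.gz" -out "$WORK/md5.enc" 2>/dev/null
  if cmp -s "$WORK/default.enc" "$WORK/md5.enc"; then echo md5; else echo not-md5; fi
}

echo "this openssl's default -md is: $(default_digest)"
echo "profile encrypted with -md sha256 (1.1 default): $(resync_with sha256)"
echo "profile encrypted with -md md5    (1.0 default): $(resync_with md5)"
```

On a host with OpenSSL 1.1 or newer the first line reports `not-md5`, the SHA-256 copy is reported `corrupt` (the ATA's "Resync failed: corrupt file"), and the `-md md5` copy is `applied`; on OpenSSL 1.0.2 all three agree with the original command from the provisioning manual. Passing `-md md5` only changes how the key is derived from the passphrase, not the cipher, so the file is still AES-256-CBC either way.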
07-23-2017 01:17 PM
That's why I asked for the exact command line used.
And that's why I try to avoid 'defaults' whenever possible, just because 'defaults' are known to vary.
Glad to hear you solved it.
07-26-2017 01:53 PM
Hello,
I hope you are doing well, my name is Jonathan and I am part of Small business here at Cisco.
I apologize for any inconvenience with the unit. Just in case you need further assistance, feel free to contact us using the following link so we can help in a faster way next time.
Regards.
https://supportforums.cisco.com/community/4626/small-business-service-and-support-country
07-26-2017 02:33 PM
Did you try to follow your advice? The link you promoted declares the following:
Start here. You can find many solutions on the Small Business Support Community, which provides a place for you to collaborate with other Cisco customers and partners.
In short you are advising us to continue this thread if necessary ...
Good to know ... ;-)
07-26-2017 03:37 PM
Hi Jonathan, thanks for the reply. The only thing I can think of that Cisco should do regarding this problem is to add a note to the provisioning guide to add -md MD5 to the OpenSSL commands. As OSs move to OpenSSL 1.1, it's likely more people will come up against this problem in the future.