DDvO
commented
3 years ago Hi Vivek,
sorry that I forgot to your response earlier! Yeah, it looks like there are two issues:
- The signer cert of the client cannot be verified by the server. This may be because the client does not use the right cert or the server does not trust the corresponding root CA cert (vendor trust anchor).
- The server uses CMPv1 at least for the error messages it sends. The cmpossl client only supports CMPv2. Yet let's hope the server will respond with CMPv2 messages when the first issue is solved.
Hope this helps?
Regards, David
bairathivivek
Hi David,
We are sending an ir using cmpossl (CMPv2 client) to CMP server. But getting an error reply from server with following error message:
"Received a request invalid message protection: Request signer certificate failed to chain up to a registered vendor trust anchor: INVALIDCERT"
So, I am guessing the vendor trust CA is not installed on CMP server and hence the error. Is the guess correct?
But in logs the error shown by cmpossl (CMPv2 client) is: 140516300289856:error:390AC0C1:CMP routines:OSSL_CMP_MSG_check_received:unexpected pvno:crypto/cmp/cmp_lib.c:1563:
So, I checked the cmp error reply packet and saw that server is replying with "pvno: cmp1999 (1)".
Does it mean that server doesn't support CMPv2?
Does cmpossl (CMPv2 client) support CMP version 1? If yes, how to enable/use it?
Please let me know your comments.
Eagerly waiting for your reply.
Thanks & Regards, Vivek