Comments (2)
Thanks for documenting this issue.
When I implemented the client, I only added support for the POST operation, which most modern SCEP servers should support. I'm surprised that the MS one does not.
In a POST request, the MESSAGE is in the request body, but in GET it has to be encoded as a URL parameter.
> Early SCEP drafts performed all communications via "GET" messages,
> including non-idempotent ones that should have been sent via "POST"
> messages. This has caused problems because of the way that the
> (supposedly) idempotent GET interacts with caches and proxies, and
> because the extremely large GET requests created by encoding CMS
> messages may be truncated in transit. These issues are typically not
> visible when testing on a LAN, but crop up during deployment over
> WANs. If the remote CA supports it, any of the CMS [3]-encoded SCEP
> messages SHOULD be sent via HTTP POST instead of HTTP GET. This is
> allowed for any SCEP message except GetCACert, GetNextCACert, or
> GetCACaps, and avoids the need for base64- and URL-encoding that's
> required for GET messaging. The client can verify that the CA
> supports SCEP messages via POST by looking for the "POSTPKIOperation"
> capability (See Section 3.4.2).

Section 5.1 of the RFC draft: https://tools.ietf.org/html/draft-gutmann-scep-02#section-5.1
I will try to add support for GET request messages for the client.
from scep.
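The POST/GET choice described in the comment above, as an added example that is not code from this project or from the commenter: a client reads the GetCACaps response and sends the CMS message as a POST body only when `POSTPKIOperation` is advertised, otherwise falling back to a base64- and URL-encoded `message` parameter. The function names, the `ca.example` URL and the message bytes are assumptions made for illustration, as is the case-insensitive capability match.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// supportsPOST scans a GetCACaps body (one keyword per line) for POSTPKIOperation.
func supportsPOST(caps string) bool {
	for _, line := range strings.Split(caps, "\n") {
		if strings.EqualFold(strings.TrimSpace(line), "POSTPKIOperation") {
			return true
		}
	}
	return false
}

// newPKIOperationRequest (hypothetical helper) sends msg as a raw POST body when
// the CA advertises support, else as a GET with msg base64- then URL-encoded.
func newPKIOperationRequest(serverURL, caps string, msg []byte) (*http.Request, error) {
	u, err := url.Parse(serverURL)
	if err != nil {
		return nil, err
	}
	q := url.Values{"operation": {"PKIOperation"}}
	if supportsPOST(caps) {
		u.RawQuery = q.Encode()
		return http.NewRequest(http.MethodPost, u.String(), bytes.NewReader(msg))
	}
	// base64 output contains '+', '/' and '=', which Values.Encode escapes.
	q.Set("message", base64.StdEncoding.EncodeToString(msg))
	u.RawQuery = q.Encode()
	return http.NewRequest(http.MethodGet, u.String(), nil)
}

func main() {
	msg := []byte{0xfb, 0xff, 0xbe, 0x30, 0x82} // constructed bytes, not a real CMS message
	for _, caps := range []string{"POSTPKIOperation\nSHA-256\n", "SHA-1\nDES3\n"} {
		req, err := newPKIOperationRequest("http://ca.example/scep", caps, msg)
		if err != nil {
			panic(err)
		}
		fmt.Println(req.Method, req.URL.String())
	}
}
```

The GET form grows by roughly a third from base64 before URL escaping is applied, which is the size problem the quoted draft text warns about for requests crossing proxies.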
Jesse closed this one, but there are bigger issues with NDES =)