Bug in OpenSSL; OCSP-responder

dirksmit — Fri, 25 Oct 2019 08:58:03 GMT

We found out that the OCSP-responder for our local customer PKI in the ISE did not work due to a bug in the OpenSSL version used by ISE. Because the OpenSSL version used does not include a Host-header, the Windows 2016-based OCSP server responds with a 302 status code and an invalid redirect instead of an OCSP response. We finally fixed this on the load balancer by injecting a Host header with the correct value in the absence of a Host header for an OCSP request. It concerns the following bug in OpenSSL: https://github.com/openssl/openssl/issues/1986. The bug is 'fixed' in OpenSSL 1.0.2 by adding information about it in the documentation. From version 1.1.0 an actual fix has been implemented with the OCSP client sending a Host-header in the request. Is Cisco planning to upgrade OpenSSL to a newer version any time soon? I didn't find anything about this bug, but there are certainly more customers with similar problems.

Re: Bug in OpenSSL; OCSP-responder

Jason Kunst — Fri, 25 Oct 2019 09:09:19 GMT

Please make sure you log a tac case with a bug id (and reference here) so they can get this to engineering and they will fix accordingly, this is not TAC and to discuss future fixes unforutunately.

topic Re: Bug in OpenSSL; OCSP-responder in Network Access Control

Bug in OpenSSL; OCSP-responder

Re: Bug in OpenSSL; OCSP-responder