
ASA - Pen test "We were unable to validate the certificate chain provided by this service"

Andrew White
Level 2

Hello,

We have a valid certificate installed on our ASA 5516x's (pair) for our VPN users, but I've recently scanned them and got an error in the report regarding the certificate:

"We were unable to validate the certificate chain provided by this service"

If the certificate is expired please renew the certificate.

If the "Gathered Information" section does not contain a valid host name for the target, please add the host name to the target configuration.

If the certificate chain could not be resolved to a trust anchor, please make sure the server passes the complete certificate chain up until a trust anchor. If the chain is still not verified and you are using an internal certificate authority, please add the certificates of that authority to the scan policy.

If the certificate is not signed by a valid authority, please consider buying a trusted certificate or implementing your own public key infrastructure.
Reconfigure
SSL/TLS
No CVE
No bugtraq

I've had a look via the ASDM and it looks OK; I just wondered what your thoughts are.

Thanks

5 Replies

Rahul Govindan
VIP Alumni

If the users are not receiving an error when they access the ASA via the FQDN, then you are probably OK. There is still a possibility of the scan tool not having the intermediate cert in its trusted cert section (while your users may have this). The best practice is to have all the CA certificates imported on the ASA so that it sends the full chain to the client/scan tool. The client then only needs to have the root certificate in its certificate store to validate the chain. Also, the scan tool should access the ASA via FQDN in order for you to validate this correctly. You can run a free check against the Qualys SSL checker to see if your external cert infrastructure is correct:

https://www.ssllabs.com/ssltest/


Thanks, I ran that tool and scored a "B".

Server Key and Certificate #1

Subject
Fingerprint SHA256: d27e954c0fdc825525tsh56ea6402f12ee08251a37fddc27b75
Pin SHA256: PZxB3C/nx2KGovP9dfhghKVt/SkYAzw8IfwwR0=
Common names  hidden
Alternative names  hidden
Serial Number  hidden
Valid from Wed, 15 Mar 2017 00:00:00 UTC
Valid until Thu, 12 Mar 2020 23:59:59 UTC (expires in 1 year and 5 months)
Key RSA 2048 bits (e 65537)
Weak key (Debian) No
Issuer Trusted Secure Certificate Authority 5 
AIA: http://crt.usertrust.com/TrustedSecureCertificateAuthority5.crt 
Signature algorithm SHA256withRSA
Extended Validation No
Certificate Transparency No
OCSP Must Staple No
Revocation information CRL, OCSP 
CRL: http://crl.usertrust.com/TrustedSecureCertificateAuthority5.crl 
OCSP: http://ocsp.usertrust.com 
Revocation status Good (not revoked)
DNS CAA No (more info)

Certificates provided 1 (1507 bytes)
Chain issues Incomplete

Plus some DH weakness to add to the mix

# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH secp256r1 (eq. 3072 bits RSA)   FS 256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 1024 bits   FS   WEAK 256
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)   WEAK 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp256r1 (eq. 3072 bits RSA)   FS 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 1024 bits   FS   WEAK 256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)   WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH secp256r1 (eq. 3072 bits RSA)   FS 128
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 1024 bits   FS   WEAK 128
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)   WEAK 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH secp256r1 (eq. 3072 bits RSA)   FS 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   DH 1024 bits   FS   WEAK 128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)   WEAK 128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits   FS   WEAK 256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK 256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits   FS   WEAK 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK 128

What do you think?

Andrew White
Level 2

Ran that tool and got a score of "B"

Valid from Wed, 15 Mar 2017 00:00:00 UTC
Valid until Thu, 12 Mar 2020 23:59:59 UTC (expires in 1 year and 5 months)
Key RSA 2048 bits (e 65537)
Weak key (Debian) No
Issuer Trusted Secure Certificate Authority 5 
AIA: http://crt.usertrust.com/TrustedSecureCertificateAuthority5.crt 
Signature algorithm SHA256withRSA
Extended Validation No
Certificate Transparency No
OCSP Must Staple No
Revocation information CRL, OCSP 
CRL: http://crl.usertrust.com/TrustedSecureCertificateAuthority5.crl 
OCSP: http://ocsp.usertrust.com 
Revocation status Good (not revoked)
DNS CAA No (more info)
Trusted Yes (Mozilla, Apple, Android, Java, Windows)


Additional Certificates (if supplied)
Certificates provided 1 (1507 bytes)
Chain issues Incomplete

Plus some DH weakness

# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH secp256r1 (eq. 3072 bits RSA)   FS 256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 1024 bits   FS   WEAK 256
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)   WEAK 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp256r1 (eq. 3072 bits RSA)   FS 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 1024 bits   FS   WEAK 256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)   WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH secp256r1 (eq. 3072 bits RSA)   FS 128
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 1024 bits   FS   WEAK 128
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)   WEAK 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH secp256r1 (eq. 3072 bits RSA)   FS 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   DH 1024 bits   FS   WEAK 128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)   WEAK 128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits   FS   WEAK 256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK 256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits   FS   WEAK 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK 128

What do you think?
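As an added example (not code from this thread, from Cisco, or from Qualys), a small Python script that reads the SSL Labs-style lines quoted above and turns them into the two actionable findings: a served chain of one certificate with "Chain issues Incomplete" means the intermediate CA is not being sent by the ASA, and each suite is sorted into keep / fix / drop by its key exchange, with DHE flagged when the DH group is below 2048 bits. The sample input is constructed from the lines posted in this thread; the 2048-bit threshold is an assumption.

```python
import re

# Constructed sample: lines copied from the SSL Labs output quoted in this thread.
SAMPLE_REPORT = """\
Certificates provided 1 (1507 bytes)
Chain issues Incomplete
# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH secp256r1 (eq. 3072 bits RSA)   FS 256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 1024 bits   FS   WEAK 256
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)   WEAK 256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits   FS   WEAK 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK 128
"""

SUITE_RE = re.compile(r"^(TLS_\w+) \((0x[0-9a-f]+)\)(.*)$")
MIN_DH_BITS = 2048  # assumed threshold; the 1024-bit group is what the scanner marks WEAK


def classify_suite(line):
    """Return (suite, verdict, reason) for one suite line, or None for other lines."""
    m = SUITE_RE.match(line.strip())
    if not m:
        return None
    suite, _code, rest = m.groups()
    if suite.startswith("TLS_ECDHE_"):
        return suite, "keep", "ECDHE key exchange with forward secrecy"
    if suite.startswith("TLS_DHE_"):
        dh = re.search(r"DH (\d+) bits", rest)
        bits = int(dh.group(1)) if dh else 0
        if bits < MIN_DH_BITS:
            return suite, "fix", f"{bits}-bit DH group: raise to >= {MIN_DH_BITS} bits or drop DHE"
        return suite, "keep", f"DHE with {bits}-bit DH group"
    if suite.startswith("TLS_RSA_"):
        return suite, "drop", "static RSA key exchange, no forward secrecy"
    return suite, "review", "unrecognised key exchange"


def analyse_report(text):
    """Summarise chain completeness and per-suite verdicts from the scanner text."""
    findings = {"certs_provided": None, "chain_incomplete": False, "suites": []}
    for line in text.splitlines():
        m = re.match(r"Certificates provided (\d+)", line)
        if m:
            findings["certs_provided"] = int(m.group(1))
        elif line.startswith("Chain issues") and "Incomplete" in line:
            # Only the leaf was served: the intermediate CA must be imported on the ASA
            findings["chain_incomplete"] = True
        elif (verdict := classify_suite(line)):
            findings["suites"].append(verdict)
    return findings
```

Running `analyse_report(SAMPLE_REPORT)` on the thread's own output reports one certificate served with an incomplete chain and marks every DHE suite "fix" and every static-RSA suite "drop".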

Andrew White
Level 2

Hello, these are my results, attached, with a score of B.

I think the most important feedback is this:

Additional Certificates (if supplied)

Certificates provided 1 (1507 bytes)
Chain issues Incomplete

Do you have the output of "show crypto ca certificate" and "show run ssl" that you can share?
