Bug in OpenSSL; OCSP-responder

We found out that the OCSP-responder for our local customer PKI in the ISE did not work due to a bug in the OpenSSL version used by ISE. Because the OpenSSL version used does not include a Host-header, the Windows 2016-based OCSP server responds with a 302 status code and an invalid redirect instead of an OCSP response. We finally fixed this on the load balancer by injecting a Host header with the correct value in the absence of a Host header for an OCSP request. It concerns the following bug in OpenSSL: https://github.com/openssl/openssl/issues/1986. The bug is 'fixed' in OpenSSL 1.0.2 by adding information about it in the documentation. From version 1.1.0 an actual fix has been implemented with the OCSP client sending a Host-header in the request. Is Cisco planning to upgrade OpenSSL to a newer version any time soon? I didn't find anything about this bug, but there are certainly more customers with similar problems.
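The load-balancer workaround described above, sketched as an added example that is not part of the original post and not Cisco's or the poster's configuration: it adds a Host header only to OCSP POSTs that lack one, and tells the 302 symptom apart from a real OCSP answer. The function names, the hostname and the sample bytes are constructed for illustration.

```python
# Added illustration of the rule "inject Host when an OCSP request has none".
# All names and sample bytes here are constructed, not taken from ISE or the LB.
OCSP_REQ_TYPE = b"application/ocsp-request"
OCSP_RESP_TYPE = b"application/ocsp-response"

def split_head(raw: bytes):
    """Split a raw HTTP message into (start line, header lines, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    return lines[0], lines[1:], body

def header(lines, name: bytes):
    """Return the first value of a header (case-insensitive name), or None."""
    for line in lines:
        key, sep, value = line.partition(b":")
        if sep and key.strip().lower() == name.lower():
            return value.strip().lower()
    return None

def inject_host_if_missing(raw: bytes, host: bytes) -> bytes:
    """Add Host to OCSP POSTs that lack it; pass everything else unchanged."""
    start, lines, body = split_head(raw)
    if header(lines, b"Content-Type") != OCSP_REQ_TYPE:
        return raw  # not an OCSP POST, leave untouched
    if header(lines, b"Host") is not None:
        return raw  # client already sent a Host header
    return b"\r\n".join([start, b"Host: " + host] + lines) + b"\r\n\r\n" + body

def classify_response(raw: bytes) -> str:
    """Distinguish a real OCSP answer from the redirect symptom in the post."""
    start, lines, _ = split_head(raw)
    parts = start.split(b" ", 2)
    status = parts[1] if len(parts) > 1 else b""
    if status == b"302":
        return "redirect"
    if status == b"200" and header(lines, b"Content-Type") == OCSP_RESP_TYPE:
        return "ocsp-response"
    return "other"

# Constructed sample: an HTTP/1.0 OCSP POST without Host; body is placeholder bytes.
BODY = b"\x30\x03\x0a\x01\x00"
NO_HOST = (b"POST /ocsp HTTP/1.0\r\nContent-Type: application/ocsp-request\r\n"
           b"Content-Length: 5\r\n\r\n" + BODY)

if __name__ == "__main__":
    print(inject_host_if_missing(NO_HOST, b"ocsp.example.test"))
```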

Accepted Solutions
Cisco Employee

Re: Bug in OpenSSL; OCSP-responder

Please make sure you log a TAC case with a bug ID (and reference here) so they can get this to engineering and they will fix accordingly, this is not TAC and to discuss future fixes unfortunately.
