Bug in OpenSSL; OCSP-responder

dirksmit
Level 1

We found out that the OCSP-responder for our local customer PKI in the ISE did not work due to a bug in the OpenSSL version used by ISE. Because the OpenSSL version used does not include a Host-header, the Windows 2016-based OCSP server responds with a 302 status code and an invalid redirect instead of an OCSP response. We finally fixed this on the load balancer by injecting a Host header with the correct value in the absence of a Host header for an OCSP request. It concerns the following bug in OpenSSL: https://github.com/openssl/openssl/issues/1986. The bug is 'fixed' in OpenSSL 1.0.2 by adding information about it in the documentation. From version 1.1.0 an actual fix has been implemented with the OCSP client sending a Host-header in the request. Is Cisco planning to upgrade OpenSSL to a newer version any time soon? I didn't find anything about this bug, but there are certainly more customers with similar problems.
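To illustrate the failure mode described in the post, here is an added example (not code from the original post, from ISE or from OpenSSL) that models the HTTP/1.0 OCSP POST an OpenSSL 1.0.2 client emits without a Host header, the Host header that 1.1.0 and later add, the "inject Host if absent" rewrite applied on the load balancer, and a response check that flags a 302 where an OCSP response was expected. The OCSP body bytes, responder hostname and path are constructed placeholders.

```python
import socket

OCSP_CONTENT_TYPE = b"application/ocsp-request"
OCSP_RESPONSE_TYPE = b"application/ocsp-response"


def build_ocsp_post(path, body, host=None):
    """Raw HTTP/1.0 POST as an OpenSSL OCSP client sends it.
    host=None mirrors 1.0.2 (no Host header); a string mirrors 1.1.0+."""
    lines = [f"POST {path} HTTP/1.0".encode()]
    if host is not None:
        lines.append(f"Host: {host}".encode())
    lines.append(b"Content-Type: " + OCSP_CONTENT_TYPE)
    lines.append(b"Content-Length: " + str(len(body)).encode())
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


def inject_host_if_missing(raw_request, host):
    """Load-balancer style fix: add a Host header only when the request has none."""
    head, sep, body = raw_request.partition(b"\r\n\r\n")
    header_lines = head.split(b"\r\n")
    if any(l.lower().startswith(b"host:") for l in header_lines[1:]):
        return raw_request  # client already sent Host, leave the request alone
    header_lines.insert(1, b"Host: " + host.encode())
    return b"\r\n".join(header_lines) + sep + body


def diagnose_response(raw_response):
    """'ok' for an OCSP response, 'redirect-bug' for the 302 symptom from the
    post (responder redirecting instead of answering), else 'unexpected'."""
    head, _, _ = raw_response.partition(b"\r\n\r\n")
    status_line, *headers = head.split(b"\r\n")
    parts = status_line.split(b" ", 2)
    code = parts[1] if len(parts) > 1 else b""
    ctype = next((h.split(b":", 1)[1].strip().lower() for h in headers
                  if h.lower().startswith(b"content-type:")), b"")
    if code == b"200" and ctype == OCSP_RESPONSE_TYPE:
        return "ok"
    if code in (b"301", b"302"):
        return "redirect-bug"
    return "unexpected"


def probe(host, path, body, with_host, port=80):
    """Send one request over TCP and classify the reply (needs network access)."""
    with socket.create_connection((host, port), timeout=10) as s:
        s.sendall(build_ocsp_post(path, body, host if with_host else None))
        data = b""
        while chunk := s.recv(4096):
            data += chunk
    return diagnose_response(data)
```

Running `probe()` twice against the responder, once with `with_host=False` and once with `True`, shows whether the Host header alone changes a `redirect-bug` result into `ok`, which is the check to repeat after the load-balancer rule is in place.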

Accepted Solution

Jason Kunst
Cisco Employee
Please make sure you log a TAC case with a bug ID (and reference here) so they can get this to engineering and they will fix accordingly, this is not TAC and to discuss future fixes unfortunately.
