Cisco ASA Unable to parse CRL

Kliwer
Level 1

Hi.

I am trying to set up CRL checking on ASA 9.20 on a Cisco Firepower 1010, but when the ASA tries to request the CRL I get "Unable to parse CRL".

I tried PEM and DER, always the same.

debug crypto ca 14 gives:

PKI[13]: label: ASDM-OF4
PKI[12]: pki_ossl_rebuild_ca_store, pki_ossl_certstore.c:189
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[13]: pki_policy_query, pki_ossl_policy.c:620
PKI[13]: pki_policy_iterate, pki_ossl_policy.c:222
PKI[13]: get_policy_list, pki_ossl_policy.c:105
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[13]: query_policy, pki_ossl_policy.c:597
PKI[13]: query_policy, pki_ossl_policy.c:597
PKI[13]: query_policy, pki_ossl_policy.c:597
PKI[12]: do_get_crl, pki_ossl_revocation.c:85
PKI[9]: starting CRL FSM #0
PKI[11]: drive_fsm, pki_ossl_revocation.c:33
PKI[8]: [Sess: 0x10e7a773, Cert: 0] FSM: In PKICRL_InitTransaction
PKI[12]: get_cdps, pki_crl_fsm_act.c:202
PKI[13]: get_tp_from_policy, pki_ossl_policy_transition.c:229
PKI[11]: polinfo->name: ASDM-OF4
PKI[11]: tp label: Trustpool
PKI[13]: label: ASDM-OF4
PKI[12]: pki_ossl_crypto_build_crldp_list, pki_ossl_crl_cache.c:326
PKI[12]: getCrldpOverride, pki_ossl_crl_cache.c:259
PKI[7]: Attempting to find CRL DP override for peer cert: serial number: 1000, subject name: CN=Testlab Intermediate CA,O=Testlab,ST=xxx,C=XX, issuer_name: CN=Testlab Root CA,O=Testlab,L=XXX,ST=xxx,C=XX.
PKI[7]: Processing map rules for DefaultCertificateMap.
PKI[14]: pki_ossl_get_name_string_flag, pki_ossl.c:314
PKI[14]: pki_ossl_get_name_string_flag, pki_ossl.c:314
PKI[12]: asn1_to_unix_time, crypto_pki.c:1430
PKI[12]: asn1_to_unix_time, crypto_pki.c:1430
PKI[7]: Processing map DefaultCertificateMap sequence 10...
PKI[7]: Match of subject-name attr field to map PASSED. Peer cert field: o = Testlab, map rule: subject-name  attr o eq testlab.
PKI[7]: Peer cert has been authorized by map: DefaultCertificateMap sequence: 10.
PKI[7]: Found CRL DP override match. Override URL: http://testlab.local/intermediate.crl.pem, Override trustpoint: ASDM-OF4
PKI[14]: url_type_allowed, pki_ossl_crl_cache.c:153
PKI[7]: Trustpoint: ASDM-OF4, Override URL: http://testlab.local/intermediate.crl.pem, CDP URL Type: 1, allowed: 1
PKI[14]: url_type_allowed, pki_ossl_crl_cache.c:153
PKI[13]: add_to_list, pki_ossl_crl_cache.c:197
PKI[13]: add_node_to_list, pki_ossl_crl_cache.c:170
PKI[7]: Processing map rules for DefaultCertificateMap.
PKI[14]: pki_ossl_get_name_string_flag, pki_ossl.c:314
PKI[14]: pki_ossl_get_name_string_flag, pki_ossl.c:314
PKI[12]: asn1_to_unix_time, crypto_pki.c:1430
PKI[12]: asn1_to_unix_time, crypto_pki.c:1430
PKI[7]: Processing map DefaultCertificateMap sequence 10...
PKI[7]: Match of subject-name attr field to map PASSED. Peer cert field: o = Testlab, map rule: subject-name  attr o eq testlab.
PKI[7]: Peer cert has been authorized by map: DefaultCertificateMap sequence: 10.
PKI[7]: Found CRL DP override match. Override URL: http://testlab.local/intermediate.crl.der, Override trustpoint: ASDM-OF4
PKI[14]: url_type_allowed, pki_ossl_crl_cache.c:153
PKI[7]: Trustpoint: ASDM-OF4, Override URL: http://testlab.local/intermediate.crl.der, CDP URL Type: 1, allowed: 1
PKI[14]: url_type_allowed, pki_ossl_crl_cache.c:153
PKI[13]: add_to_list, pki_ossl_crl_cache.c:197
PKI[13]: add_node_to_list, pki_ossl_crl_cache.c:170
PKI[7]: cdp: (len=53, type=URI, prot=HTTP) http://testlab.local/intermediate.crl.pem
PKI[7]: cdp: (len=53, type=URI, prot=HTTP) http://testlab.local/intermediate.crl.der
PKI[8]: [Sess: 0x10e7a773, Cert: 0] FSM: PKICRL_InitTransaction, Return status: 0
PKI[8]: [Sess: 0x10e7a773, Cert: 0] FSM: In PKICRL_NextCDP
PKI[12]: crldl_cdp_blacklisted, pki_ossl_crl.c:831
PKI[12]: crl_find_pending_crl, pki_ossl_crl.c:612
PKI[13]: get_pending_crl_list, pki_ossl_crl.c:558
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[14]: cmp_cdp_info, pki_ossl_crl.c:578
PKI[7]: CDP blacklist time has elapsed
PKI[12]: crldp_remove_pending_download, pki_ossl_crl.c:798
PKI[12]: crl_find_pending_crl, pki_ossl_crl.c:612
PKI[13]: get_pending_crl_list, pki_ossl_crl.c:558
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[14]: cmp_cdp_info, pki_ossl_crl.c:578
PKI[13]: get_pending_crl_list, pki_ossl_crl.c:558
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[8]: [Sess: 0x10e7a773, Cert: 0] FSM: PKICRL_NextCDP, Return status: 0
PKI[8]: [Sess: 0x10e7a773, Cert: 0] FSM: In PKICRL_Request
PKI[13]: crldp_download_pending, pki_ossl_crl.c:641
PKI[12]: crl_find_pending_crl, pki_ossl_crl.c:612
PKI[13]: get_pending_crl_list, pki_ossl_crl.c:558
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[14]: cmp_cdp_info, pki_ossl_crl.c:578
PKI[8]: session 0x10e7a773 adding pending CRL entry for cert 0
PKI[12]: crldp_add_pending_download, pki_ossl_crl.c:660
PKI[12]: crl_find_pending_crl, pki_ossl_crl.c:612
PKI[13]: get_pending_crl_list, pki_ossl_crl.c:558
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[14]: cmp_cdp_info, pki_ossl_crl.c:578
PKI[13]: get_pending_crl_list, pki_ossl_crl.c:558
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[12]: retrieve_crl, pki_crl_fsm_act.c:233
PKI[13]: get_tp_from_policy, pki_ossl_policy_transition.c:229
PKI[11]: polinfo->name: ASDM-OF4
PKI[11]: tp label: Trustpool
PKI[13]: label: ASDM-OF4
PKI[7]: CDP type HTTP
PKI[7]: getting http://testlab.local/intermediate.crl.pem
PKI[12]: pki_ossl_crl_build_http_io, pki_ossl_crl.c:469
PKI[13]: pki_parse_uri, pki_ossl_uri.c:75
PKI[14]: pki_uri_map_protocol, pki_ossl_uri.c:17
PKI[14]: pki_uri_get_port, pki_ossl_uri.c:34
PKI[13]: pki_free_uri, pki_ossl_uri.c:57
PKI[11]: pki_crl_request_send_async, pki_ossl_crl.c:78
PKI[8]: [15] IOCB allocated
PKI[7]: PKI CRL I/O request queue result: IO_STATUS_QUEUED
PKI[8]: [Sess: 0x10e7a773, Cert: 0] FSM: PKICRL_Request, Return status: 0
PKI[8]: [15] Received IO request msg
PKI[8]: [15] DNS resolve issued for testlab.local
PKI[7]: [15] DNS resolve testlab.local (xxx.xxx.xxx.xxx)
PKI[8]: [15] Socket open success
PKI[8]: [15] IPv4 Route lookup to xxx.xxx.xxx.xxx use interface outside
PKI[8]: [15] Connect sent to xxx.xxx.xxx.xxx from yyy.yyy.yyy.yyy
PKI[12]: pki_io_cbfunc_log_revocation_check, pki_ossl_revocation.c:421
PKI[7]: 6717056: Attempting CRL revocation check from outside:yyy.yyy.yyy.yyy/60720 to xxx.xxx.xxx.xxx/80 using HTTP.
PKI[8]: [15] Received Socket transmit ready msg
PKI[10]:
----- Begin Data Type:HTTP Request [15]
 Length: 70 -----
aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa    |  GET /intermed
aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa    |  iate.crl.pem HTT
aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa    |  P/1.0..Host: tes
aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa    |  tlab.local.
aa aa aa aa aa aa                                  |  ......
PKI[10]: ----- End Data Type:HTTP Request [15]
 Length: 70 -----
PKI[8]: [15] Sent 70 bytes
PKI[8]: [15] Received Socket read ready msg
PKI[8]: [15] read 480 bytes
PKI[8]: [15] No data to read
PKI[8]: [15] Received Socket read ready msg
PKI[8]: [15] Read EOF
PKI[12]: pki_io_cbfunc, pki_crl_fsm_act.c:59
PKI[7]: Callback received for vcid: 0, sess_id: 0x10e7a773, cert_idx: 0, status: IO_STATUS_OK(1), datalen: 480
PKI[13]: get_fsm_data, pki_ossl_revocation.c:446
PKI[7]: [15] IOCB freed
PKI[13]: CERT_API_QueueFSMEvent, vpn3k_cert_api.c:89
PKI[13]: CERT_API_req_enqueue, vpn3k_cert_api.c:2509
PKI[9]: CERT API thread wakes up!
PKI[12]: CERT_API_Q_Process, vpn3k_cert_api.c:2407
PKI[12]: CERT_API_process_req_msg, vpn3k_cert_api.c:2342
PKI[8]: process msg cmd=2, session=0x10e7a773
PKI[9]: Async locked for session 0x10e7a773
PKI[11]: pki_notify_fsm_evt, pki_ossl_revocation.c:56
PKI[11]: drive_fsm, pki_ossl_revocation.c:33
PKI[8]: [Sess: 0x10e7a773, Cert: 0] FSM: In PKICRL_ProcessResp
PKI[13]: pki_ossl_util_find_http_payload, pki_ossl_utils.c:36
PKI[8]: Received CRL of length 238 for session 0x10e7a773, cert idx 0
PKI[13]: get_tp_from_policy, pki_ossl_policy_transition.c:229
PKI[11]: polinfo->name: ASDM-OF4
PKI[11]: tp label: Trustpool
PKI[13]: label: ASDM-OF4
PKI[12]: pki_ossl_crl_add_to_cache, pki_ossl_crl_cache.c:1166
PKI[12]: pki_ossl_crypto_verify_and_insert_crl, pki_ossl_crl_cache.c:1115
PKI[12]: pki_ossl_insert_der_crl_int, pki_ossl_crl_cache.c:1013
PKI[4]: Unable to parse CRL
PKI[4]: Unable to cache CRL
PKI[4]: Unable to cache CRL
PKI[12]: crldl_notify_result, pki_ossl_crl.c:761
PKI[12]: crl_find_pending_crl, pki_ossl_crl.c:612
PKI[13]: get_pending_crl_list, pki_ossl_crl.c:558
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[14]: cmp_cdp_info, pki_ossl_crl.c:578
PKI[14]: cmp_cdp_info, pki_ossl_crl.c:578
PKI[7]: crl is being blacklisted
PKI[8]: [Sess: 0x10e7a773, Cert: 0] FSM: PKICRL_ProcessResp, Return status: 2
PKI[8]: [Sess: 0x10e7a773, Cert: 0] FSM: In PKICRL_NextCDP
PKI[12]: crldl_cdp_blacklisted, pki_ossl_crl.c:831
PKI[12]: crl_find_pending_crl, pki_ossl_crl.c:612
PKI[13]: get_pending_crl_list, pki_ossl_crl.c:558
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[14]: cmp_cdp_info, pki_ossl_crl.c:578
PKI[7]: CDP blacklist time has elapsed
PKI[12]: crldp_remove_pending_download, pki_ossl_crl.c:798
PKI[12]: crl_find_pending_crl, pki_ossl_crl.c:612
PKI[13]: get_pending_crl_list, pki_ossl_crl.c:558
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[14]: cmp_cdp_info, pki_ossl_crl.c:578
PKI[13]: get_pending_crl_list, pki_ossl_crl.c:558
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[8]: [Sess: 0x10e7a773, Cert: 0] FSM: PKICRL_NextCDP, Return status: 0
PKI[8]: [Sess: 0x10e7a773, Cert: 0] FSM: In PKICRL_Request
PKI[13]: crldp_download_pending, pki_ossl_crl.c:641
PKI[12]: crl_find_pending_crl, pki_ossl_crl.c:612
PKI[13]: get_pending_crl_list, pki_ossl_crl.c:558
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[14]: cmp_cdp_info, pki_ossl_crl.c:578
PKI[8]: session 0x10e7a773 adding pending CRL entry for cert 0
PKI[12]: crldp_add_pending_download, pki_ossl_crl.c:660
PKI[12]: crl_find_pending_crl, pki_ossl_crl.c:612
PKI[13]: get_pending_crl_list, pki_ossl_crl.c:558
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[14]: cmp_cdp_info, pki_ossl_crl.c:578
PKI[13]: get_pending_crl_list, pki_ossl_crl.c:558
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[12]: retrieve_crl, pki_crl_fsm_act.c:233
PKI[13]: get_tp_from_policy, pki_ossl_policy_transition.c:229
PKI[11]: polinfo->name: ASDM-OF4
PKI[11]: tp label: Trustpool
PKI[13]: label: ASDM-OF4
PKI[7]: CDP type HTTP
PKI[7]: getting http://testlab.local/intermediate.crl.der
PKI[12]: pki_ossl_crl_build_http_io, pki_ossl_crl.c:469
PKI[13]: pki_parse_uri, pki_ossl_uri.c:75
PKI[14]: pki_uri_map_protocol, pki_ossl_uri.c:17
PKI[14]: pki_uri_get_port, pki_ossl_uri.c:34
PKI[13]: pki_free_uri, pki_ossl_uri.c:57
PKI[11]: pki_crl_request_send_async, pki_ossl_crl.c:78
PKI[8]: [16] IOCB allocated
PKI[7]: PKI CRL I/O request queue result: IO_STATUS_QUEUED
PKI[8]: [Sess: 0x10e7a773, Cert: 0] FSM: PKICRL_Request, Return status: 0
PKI[9]: Async unlocked for session 0x10e7a773
PKI[8]: [16] Received IO request msg
PKI[8]: [16] DNS resolve issued for testlab.local
PKI[9]: CERT API thread sleeps!
PKI[8]: No IOCB found for SOCKET CLOSE message, handle 0xbac2d4e
PKI[7]: [16] DNS resolve stlab.local (xxx.xxx.xxx.xxx)
PKI[8]: [16] Socket open success
PKI[8]: [16] IPv4 Route lookup to xxx.xxx.xxx.xxx use interface outside
PKI[8]: [16] Connect sent to xxx.xxx.xxx.xxx from yyy.yyy.yyy.yyy
PKI[12]: pki_io_cbfunc_log_revocation_check, pki_ossl_revocation.c:421
PKI[7]: 6717056: Attempting CRL revocation check from outside:yyy.yyy.yyy.yyy/48354 to xxx.xxx.xxx.xxx/80 using HTTP.
PKI[8]: [16] Received Socket transmit ready msg
PKI[10]:
----- Begin Data Type:HTTP Request [16]
 Length: 70 -----
aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa    |  GET /intermed
aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa    |  iate.crl.pem HTT
aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa    |  P/1.0..Host: tes
aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa    |  tlab.local.
aa aa aa aa aa aa                                  |  ......
PKI[10]: ----- End Data Type:HTTP Request [16]
 Length: 70 -----
PKI[8]: [16] Sent 70 bytes
PKI[8]: [16] Received Socket read ready msg
PKI[8]: [16] read 480 bytes
PKI[8]: [16] No data to read
PKI[8]: [16] Received Socket read ready msg
PKI[8]: [16] Read EOF
PKI[12]: pki_io_cbfunc, pki_crl_fsm_act.c:59
PKI[7]: Callback received for vcid: 0, sess_id: 0x10e7a773, cert_idx: 0, status: IO_STATUS_OK(1), datalen: 480
PKI[13]: get_fsm_data, pki_ossl_revocation.c:446
PKI[7]: [16] IOCB freed
PKI[13]: CERT_API_QueueFSMEvent, vpn3k_cert_api.c:89
PKI[13]: CERT_API_req_enqueue, vpn3k_cert_api.c:2509
PKI[9]: CERT API thread wakes up!
PKI[12]: CERT_API_Q_Process, vpn3k_cert_api.c:2407
PKI[12]: CERT_API_process_req_msg, vpn3k_cert_api.c:2342
PKI[8]: process msg cmd=2, session=0x10e7a773
PKI[9]: Async locked for session 0x10e7a773
PKI[11]: pki_notify_fsm_evt, pki_ossl_revocation.c:56
PKI[11]: drive_fsm, pki_ossl_revocation.c:33
PKI[8]: [Sess: 0x10e7a773, Cert: 0] FSM: In PKICRL_ProcessResp
PKI[13]: pki_ossl_util_find_http_payload, pki_ossl_utils.c:36
PKI[8]: Received CRL of length 238 for session 0x10e7a773, cert idx 0
PKI[13]: get_tp_from_policy, pki_ossl_policy_transition.c:229
PKI[11]: polinfo->name: ASDM-OF4
PKI[11]: tp label: Trustpool
PKI[13]: label: ASDM-OF4
PKI[12]: pki_ossl_crl_add_to_cache, pki_ossl_crl_cache.c:1166
PKI[12]: pki_ossl_crypto_verify_and_insert_crl, pki_ossl_crl_cache.c:1115
PKI[12]: pki_ossl_insert_der_crl_int, pki_ossl_crl_cache.c:1013
PKI[4]: Unable to parse CRL
PKI[4]: Unable to cache CRL
PKI[4]: Unable to cache CRL
PKI[12]: crldl_notify_result, pki_ossl_crl.c:761
PKI[12]: crl_find_pending_crl, pki_ossl_crl.c:612
PKI[13]: get_pending_crl_list, pki_ossl_crl.c:558
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[14]: cmp_cdp_info, pki_ossl_crl.c:578
PKI[14]: cmp_cdp_info, pki_ossl_crl.c:578
PKI[7]: crl is being blacklisted
PKI[8]: [Sess: 0x10e7a773, Cert: 0] FSM: PKICRL_ProcessResp, Return status: 2
PKI[8]: [Sess: 0x10e7a773, Cert: 0] FSM: In PKICRL_NextCDP
PKI[8]: [Sess: 0x10e7a773, Cert: 0] FSM: PKICRL_NextCDP, Return status: 1
PKI[8]: [Sess: 0x10e7a773, Cert: 0] FSM: In PKICRL_Error
PKI[8]: [Sess: 0x10e7a773, Cert: 0] FSM: PKICRL_Error, Return status: 0
PKI[8]: [Sess: 0x10e7a773, Cert: 0] FSM: In PKICRL_Callback
PKI[7]: session 283617139 and cert_idx 0 rev_status 7
PKI[8]: [Sess: 0x10e7a773, Cert: 0] FSM: PKICRL_Callback, Return status: 0
PKI[9]: Async unlocked for session 0x10e7a773
PKI[9]: CRL download status 7
PKI[13]: pki_ossl_free_valctx, pki_ossl_validate.c:250
PKI[13]: free_fsm_data, pki_ossl_revocation.c:225
PKI[13]: ocsp_free_fsmdata, pki_ossl_ocsp.c:1447
PKI[9]: CERT API thread sleeps!
PKI[8]: No IOCB found for SOCKET CLOSE message, handle 0x1176caa

My local CA is set up according to this guide: https://jamielinux.com/docs/openssl-certificate-authority/certificate-revocation-lists.html

What can I do to make it work?

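The debug above ends in pki_ossl_insert_der_crl_int rejecting a 238-byte HTTP body for both URLs, so the first thing to establish is what the web server is actually handing back on port 80. An RSA-2048 signature value alone is 256 bytes, so a 238-byte body cannot be a CRL signed with an RSA key of that size or larger; an HTML error page or a redirect stub is a more likely fit for that length. The checker below is an added example, not code from the original post or from Cisco: it takes a raw HTTP response captured from the CDP URL (as the ASA's plain HTTP/1.0 GET would receive it), reports status, Content-Type, body length, and whether the body is a structurally valid DER CertificateList, a PEM-wrapped one, HTML, or something else. It is stdlib-only and runs offline on constructed sample responses; the DER stand-in is built here with dummy fields and a zero signature and is not a real CRL, and the DER check is structural only (no signature or issuer verification). Treating DER as the format the ASA wants is an inference from the function name in the debug, not documented behaviour.

```python
"""Inspect what an HTTP CRL distribution point really returns.

Added example for the thread above, not code from the original post or from
Cisco. Stdlib only; runs offline. The DER check is structural: it walks
CertificateList ::= SEQUENCE { tbsCertList SEQUENCE, signatureAlgorithm
SEQUENCE, signatureValue BIT STRING } and verifies nothing cryptographic.
"""
import base64
import re

PEM_CRL = re.compile(rb"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", re.S)
RSA_SHA256_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV, long-form length when content is >= 128 bytes."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def read_tlv(buf: bytes, off: int):
    """Decode the TLV header at off; return (tag, content_start, content_end)."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits say how many length bytes follow
        n = length & 0x7F
        if n == 0 or n > 4 or off + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("TLV content runs past end of buffer")
    return tag, off, off + length


def looks_like_der_crl(data: bytes) -> bool:
    """True if data is exactly one SEQUENCE { SEQUENCE, SEQUENCE, BIT STRING }."""
    try:
        tag, start, end = read_tlv(data, 0)
        if tag != 0x30 or end != len(data):
            return False
        t1, _, e1 = read_tlv(data, start)  # tbsCertList
        t2, _, e2 = read_tlv(data, e1)     # signatureAlgorithm
        t3, _, e3 = read_tlv(data, e2)     # signatureValue
        return (t1, t2, t3) == (0x30, 0x30, 0x03) and e3 == end
    except ValueError:
        return False


def classify_body(body: bytes) -> str:
    """Return 'empty', 'der', 'pem', 'html' or 'unknown' for a CDP response body."""
    if not body:
        return "empty"
    if looks_like_der_crl(body):
        return "der"
    m = PEM_CRL.search(body)
    if m:
        try:
            inner = base64.b64decode(re.sub(rb"\s+", b"", m.group(1)))
        except ValueError:
            return "unknown"
        return "pem" if looks_like_der_crl(inner) else "unknown"
    if body.lstrip()[:32].lower().startswith((b"<!doctype", b"<html", b"<head")):
        return "html"
    return "unknown"


def split_http(raw: bytes):
    """Split a raw HTTP/1.x response into (status, lower-cased headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker in response")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return status, headers, body


def diagnose(raw: bytes) -> dict:
    """Summarise a captured CDP response the way you would read the ASA debug."""
    status, headers, body = split_http(raw)
    return {"status": status, "content_type": headers.get("content-type", ""),
            "location": headers.get("location", ""),
            "body_len": len(body), "body_kind": classify_body(body)}


def http_response(status_line: bytes, headers: list, body: bytes) -> bytes:
    """Build a raw response with a matching Content-Length (constructed test data)."""
    hdrs = headers + [(b"Content-Length", str(len(body)).encode())]
    return status_line + b"\r\n" + b"".join(k + b": " + v + b"\r\n" for k, v in hdrs) + b"\r\n" + body


# Constructed stand-in CertificateList: dummy fields, all-zero 2048-bit
# "signature". Structurally a CRL, cryptographically worthless.
_alg = der(0x30, der(0x06, RSA_SHA256_OID) + der(0x05, b""))
_tbs = der(0x30, der(0x02, b"\x01") + _alg + der(0x30, b"")
           + der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
FAKE_DER_CRL = der(0x30, _tbs + _alg + der(0x03, b"\x00" + bytes(256)))
FAKE_PEM_CRL = b"-----BEGIN X509 CRL-----\n" + base64.encodebytes(FAKE_DER_CRL) + b"-----END X509 CRL-----\n"

# Constructed sample responses: an HTTP-to-HTTPS redirect stub, a DER body, a PEM body.
SAMPLE_REDIRECT = http_response(b"HTTP/1.1 301 Moved Permanently",
    [(b"Content-Type", b"text/html"), (b"Location", b"https://testlab.local/intermediate.crl.der")],
    b"<html>\r\n<head><title>301 Moved Permanently</title></head>\r\n"
    b"<body><h1>301 Moved Permanently</h1></body>\r\n</html>\r\n")
SAMPLE_DER = http_response(b"HTTP/1.0 200 OK", [(b"Content-Type", b"application/pkix-crl")], FAKE_DER_CRL)
SAMPLE_PEM = http_response(b"HTTP/1.0 200 OK", [(b"Content-Type", b"application/x-pem-file")], FAKE_PEM_CRL)

if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_REDIRECT
    for key, val in diagnose(raw).items():
        print(f"{key:13} {val}")
```

To use it against the real server, capture the response from a host that reaches testlab.local over the same path as the ASA's outside interface, with `curl -si --http1.0 http://testlab.local/intermediate.crl.der > resp.bin`, then run the script on resp.bin. If body_kind comes back as html or the status is a 3xx, the web server (not the CA) is the problem; if it is der or pem, save just the body with `curl -s --http1.0 -o body.bin <url>` and let `openssl crl -inform DER -in body.bin -noout -text` (or `-inform PEM`) do the real parse and compare the issuer with the trustpoint's CA certificate.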