Re: CRL test issue

bern81 · ‎10-16-2020

Hi,

We are testing cert revocation check for our anycoonect SSL vpn employees when they connect via cert only authentication.

We pointed the trust point to make crl checks and assigned the url for the location of the CRL file on the CA.

cache refresh time: 60 min

enforce next crl update checked.

everything works fine, when users try to connect a revocation check is done.

but when the 60 min expires the CRL is removed from the cache, so when someone tries to connect ,the CRL is downloaded in the cache but the cert is not checked! so even revocked cert is allowed.

The second user who tries to authenticate get a revocation check since the CRL is already in cache.

I get the following logs:

Oct 15 2020 16:24:49: %ASA-7-717029: Identified client certificate within certificate chain. serial number: 7900002788233E9B1A8E772D4B000000002788, subject name: cn=DEN10XXX,ou=W10,ou=Laptops,ou=xx,dc=XXX,dc=biz.
Oct 15 2020 16:24:49: %ASA-7-717030: Found a suitable trustpoint CandA-Global-Internal-Client-CA to validate certificate.
Oct 15 2020 16:24:49: %ASA-7-717024: Checking CRL from trustpoint: XXX-Trust-point for an optional CRL check. CRL will be cached for the next CRL check.
Oct 15 2020 16:24:49: %ASA-6-717022: Certificate was successfully validated. serial number: XXXXXXXXXXXXXX788, subject name: cn=DEN10XXX,ou=W10,ou=Laptops,ou=xx,dc=xxx,dc=biz.
Oct 15 2020 16:24:49: %ASA-6-717028: Certificate chain was successfully validated with warning, revocation status was not checked.

now as per cisco books:

The ASA can retrieve CRLs from CAs using HTTP, SCEP, or LDAP. CRLs retrieved for each trustpoint are cached for a configurable amount of time for each trustpoint.

When the ASA has cached a CRL for longer than the amount of time it is configured to cache CRLs, the ASA considers the CRL too old to be reliable, or “stale.” The ASA tries to retrieve a newer version of the CRL the next time that a certificate authentication requires a check of the stale CRL.

Is that behaviour correc tor it is a bug ?

kindly advise

Aref Alsouqi · ‎10-18-2020

If CRL revocation check is configured on the trust point used for authentication, the ASA should retrieve the expired/staled certificate next time it needs to validate the connected client certificate. Share please the sanitized configs for review.

bern81 · ‎10-19-2020

Hi Aref,

As stated in my initial post, the trustpoint is already configured for CRL check.

The issue is occuring when the CRL cache is staled and a client tries to connect, the CRL is retrieved from the CA but CRL check becomes optional first time.

Second client who tries to connect gets CRL revocation check.

Please find attached the config.

Aref Alsouqi · ‎10-20-2020

Looks like a bug from the sound of it. I would check on Cisco bug search tool if there is any reported bug that might cause this behaviour.

bern81 · ‎10-21-2020

Thanks Aref,

I will wait for your feedback

Also i noticed another issue, since i configured 2 URLs for the CRLS,

The firewall is only caching the first one in the sequence and not checking at all the second CRL as written in the books.

Now i have changed from 9.12 to 9.14(1) version and run into another issue that the CRL config is wiped out because in this version u need to create cert mapping for the URLs .

Anyone else have this issue ?

Aref Alsouqi · ‎10-21-2020

Post those configs please, and I will try to try them on a 9.14 ASA.

bern81 · ‎10-21-2020

Hi Aref,

quick update, the CRL revocation is now working fine as expected in my first post (if crl cache is empty and user tries to connect, ASA downloads the CRL AND check if cert is revoked!).

So as u expected it seems it was a bug in 9.12.

But now i tried to create cert mapping for URLs, it is not working!

One other weird configuration in 9.14 is the presence of 2 times (check cert for revocation) (see pictures).

Also for some reason the check button for "Consider certificate valid if revocation information cannot be retrieved " is getting unchecked on its own! which is very dangerous as it could block legitimit certs. (also i am not able to find the command to configure it via cli)

Aref Alsouqi · ‎10-21-2020

Glad we are a step ahead. For the greyed option, I think what you can do is to remove the CRL from the right pane, disable the Consider certificate valid .... and then add the CRL again. If you want to do this from CLI, the command would be revocation-check crl under the trust point.

bern81 · ‎10-21-2020

Hi Aref,

I am also glad that we are moving forward

What i would like to perform is a fail open (if for some reason the CA server is not reacheable, i want to allow all certificates).

in previous version it was via:

revocation-check crl none.

now with this version:

(config-ca-trustpoint)# revocation-check crl none
WARNING: 'revocation-check none' can no longer be used with
'revocation-check crl' or 'revocation-check ocsp'.
Therefore ignoring it for trustpoint-X.

Where you able to figure out how to configure the static urls ?

I tried but it is not working.

Aref Alsouqi · ‎10-21-2020

That would explain why that option is greyed out then. Indeed, on Cisco documentation for 9.14 it clearly states that the command revocation-check crl none was removed. At this point I am not really sure how you can bypass the check if the CA is not reachable.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa914/configuration/general/asa-914-general-config/basic-certs.html

What are the URLs configs you are trying to apply? post an example here please.

j.a.m.e.s · ‎02-23-2022

I'm also looking for an option for the CRL check to "fail open" and didn't find it in v9.14.

I increased cache-time 1400 (1 day between CRL caches) in the hope of avoiding maintenance/key renewal activities on our CRL hosts.

Perhaps OCSP is the way to go?