We are testing cert revocation check for our anycoonect SSL vpn employees when they connect via cert only authentication.
We pointed the trust point to make crl checks and assigned the url for the location of the CRL file on the CA.
cache refresh time: 60 min
enforce next crl update checked.
everything works fine, when users try to connect a revocation check is done.
but when the 60 min expires the CRL is removed from the cache, so when someone tries to connect ,the CRL is downloaded in the cache but the cert is not checked! so even revocked cert is allowed.
The second user who tries to authenticate get a revocation check since the CRL is already in cache.
I get the following logs:
now as per cisco books:
The ASA can retrieve CRLs from CAs using HTTP, SCEP, or LDAP. CRLs retrieved for each trustpoint are cached for a configurable amount of time for each trustpoint.
When the ASA has cached a CRL for longer than the amount of time it is configured to cache CRLs, the ASA considers the CRL too old to be reliable, or “stale.” The ASA tries to retrieve a newer version of the CRL the next time that a certificate authentication requires a check of the stale CRL.
Is that behaviour correc tor it is a bug ?
If CRL revocation check is configured on the trust point used for authentication, the ASA should retrieve the expired/staled certificate next time it needs to validate the connected client certificate. Share please the sanitized configs for review.
As stated in my initial post, the trustpoint is already configured for CRL check.
The issue is occuring when the CRL cache is staled and a client tries to connect, the CRL is retrieved from the CA but CRL check becomes optional first time.
Second client who tries to connect gets CRL revocation check.
Please find attached the config.
I will wait for your feedback
Also i noticed another issue, since i configured 2 URLs for the CRLS,
The firewall is only caching the first one in the sequence and not checking at all the second CRL as written in the books.
Now i have changed from 9.12 to 9.14(1) version and run into another issue that the CRL config is wiped out because in this version u need to create cert mapping for the URLs .
Anyone else have this issue ?
quick update, the CRL revocation is now working fine as expected in my first post (if crl cache is empty and user tries to connect, ASA downloads the CRL AND check if cert is revoked!).
So as u expected it seems it was a bug in 9.12.
But now i tried to create cert mapping for URLs, it is not working!
One other weird configuration in 9.14 is the presence of 2 times (check cert for revocation) (see pictures).
Also for some reason the check button for "Consider certificate valid if revocation information cannot be retrieved " is getting unchecked on its own! which is very dangerous as it could block legitimit certs. (also i am not able to find the command to configure it via cli)
Glad we are a step ahead. For the greyed option, I think what you can do is to remove the CRL from the right pane, disable the Consider certificate valid .... and then add the CRL again. If you want to do this from CLI, the command would be revocation-check crl under the trust point.
I am also glad that we are moving forward
What i would like to perform is a fail open (if for some reason the CA server is not reacheable, i want to allow all certificates).
in previous version it was via:
revocation-check crl none.
now with this version:
(config-ca-trustpoint)# revocation-check crl none
WARNING: 'revocation-check none' can no longer be used with
'revocation-check crl' or 'revocation-check ocsp'.
Therefore ignoring it for trustpoint-X.
Where you able to figure out how to configure the static urls ?
I tried but it is not working.
That would explain why that option is greyed out then. Indeed, on Cisco documentation for 9.14 it clearly states that the command revocation-check crl none was removed. At this point I am not really sure how you can bypass the check if the CA is not reachable.
What are the URLs configs you are trying to apply? post an example here please.