Failed to parse HTTP OCSP response RA-VPN cert revocation

the-lebowski
Level 4

I have this working on a pair of 2110s running 9.18(4)47. However, I am trying to get this working in my dev environment of HA 5545s running 9.14(4)23. The error I get on the 5545s, using the exact same CA/user cert(s)/config and checking for revocation the same way as on the 2110s, is below.

Same inside/outside networks between both pairs, connectivity/DNS working; the only real difference is the version of code.

Failed 5545s:

PKI[7]: PKI OCSP I/O request queue result: IO_STATUS_QUEUED
PKI[7]: Successfully sent OCSP request to I/O
PKI[7]: Chain revocation status: good: 0, exempt: 0, cached: 0, revoked: 0, error: 0, pending: 1, fail-allow: 0
PKI[7]: [25] DNS resolve <mydomainhere.net (20.11.11.11)
PKI[7]: 6717056: Attempting OSCP revocation check from outside:8.39.156.99/1012 to 20.11.11.11/80 using HTTP.
PKI[7]: OCSP I/O callback received for vcid: 0, sess_id: 0x6c393853, cert_idx: 0, status: IO_STATUS_OK(1), datalen: 2801
PKI[7]: [25] IOCB freed
PKI[7]: OCSP rsp pre-process for cert index 0 URL http://<mydomainhere.net/ocsp status: IO_STATUS_OK
PKI[7]: Parsing OCSP ASN.1 response data, len 2667
PKI[4]: Failed to parse HTTP OCSP response from http://<mydomainhere.net/ocsp
PKI[1]: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag in tasn_dec.c line 1226.
PKI[1]: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error in tasn_dec.c line 392.
PKI[1]: error data: Type=OCSP_RESPONSE
PKI[4]: registering failed OCSP URL: http://<mydomainhere>.net/ocsp
PKI[4]: No more AIAs found to try
....................
PKI[7]: session 0x6c393853, Revocation check complete with errors, Allowing based on configured policy

Success 2110s:

PKI[7]: PKI OCSP I/O request queue result: IO_STATUS_QUEUED
PKI[7]: Successfully sent OCSP request to I/O
PKI[7]: Chain revocation status: good: 0, exempt: 0, cached: 0, revoked: 0, error: 0, pending: 1, fail-allow: 0
PKI[7]: [4] DNS resolve <mydomain>.net (20.11.11.11)
.....................................
PKI[7]: OCSP I/O callback received for vcid: 0, sess_id: 0x26ac1bcf, cert_idx: 0, status: IO_STATUS_OK(1), datalen: 2861
PKI[7]: [4] IOCB freed
PKI[7]: OCSP rsp pre-process for cert index 0 URL http://<mydomain>.net/ocsp status: IO_STATUS_OK
PKI[7]: Parsing OCSP ASN.1 response data, len 2325
PKI[7]: Successfully received response
PKI[7]: Process OCSP response for cert index 0 URL http://<mydomain>.net/ocsp
PKI[7]: Verified nonce in OCSP response
PKI[7]: Verified OCSP basic response

2110s:

crypto ca trustpoint man-CA
 revocation-check ocsp none
 enrollment terminal
 enrollment interface outside
 ocsp interface outside url http://<mydomainhere>.net/ocsp
 crl configure
  policy static
  cache-time 5
  no protocol ldap

5545s:

crypto ca trustpoint man-trust
 revocation-check ocsp none
 enrollment terminal
 enrollment interface outside
 validation-usage ssl-client
 ocsp interface outside url http:/<mydomainhere>.net/ocsp
 crl configure
  policy static
  cache-time 5
  no protocol ldap

7 Replies

@the-lebowski 

Try this way.

5545s:

crypto ca trustpoint man-trust
 revocation-check ocsp none
 enrollment terminal
 enrollment interface outside
 no validation-usage ssl-client
 ocsp interface outside url http:/<mydomainhere>.net/ocsp
 crl configure
  policy static
  cache-time 5
  no protocol ldap

How is that any different than I have it now?

crypto ca trustpoint man-trust
 revocation-check ocsp none
 enrollment terminal
 enrollment interface outside
 validation-usage ssl-client
 ocsp interface outside url http://<mydomainhere>.net/ocsp
 crl configure
  policy static
  cache-time 5
  no protocol ldap

 no validation-usage ssl-client

Which, by the way, you don't use in your success scenario.

Ahh, ok, that is just a setting to say whether you check for revocation against an SSL vs. IKEv1 client. Makes no difference if it's checked or not, as I get the exact same error. Maybe something to do with supported protocols/encryption? Or lack thereof in the older code?

Also, it looks like from the 5545s I get a 404 Not Found in the response, vs. the 200 OK from the 2110s. Looking at the debugs I see PKI[10] right before the OCSP response on the 2110s but no PKI[10] before the response on the 5545s. On the 5545s it's PKI[7], but whether that matters or not I don't know.
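
A 404 body is HTML, and HTML begins with '<' (0x3c) where a DER OCSPResponse SEQUENCE tag (0x30) is expected, which is exactly the kind of input that makes an ASN.1 decoder report "wrong tag". As an added example (not from this thread or from Cisco), this Python triages a captured OCSP HTTP reply at the HTTP layer before the ASN.1 layer; the sample bodies are constructed, and the "successful" one carries a two-byte placeholder instead of a real signed BasicOCSPResponse.

```python
"""Added example (not from this thread or Cisco): triage an HTTP reply to an OCSP request
per RFC 6960 appendix A, at the HTTP layer first and then at the DER OCSPResponse envelope,
so a 404 page handed to the ASN.1 decoder reads 'HTTP 404', not just 'wrong tag'."""

RESPONSE_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
                   3: "tryLater", 5: "sigRequired", 6: "unauthorized"}
ID_PKIX_OCSP_BASIC = bytes.fromhex("2b0601050507300101")  # OID 1.3.6.1.5.5.7.48.1.1

def _tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_ocsp_response(body):
    """Verdict on DER OCSPResponse ::= SEQUENCE { responseStatus, [0] responseBytes }."""
    if body[:1] != b"\x30":  # the check that fails with 'wrong tag' in the 5545 debug
        return f"wrong tag 0x{body[:1].hex() or '??'} where SEQUENCE expected: not a DER OCSPResponse"
    _, seq, _ = _tlv(body)
    tag, status, pos = _tlv(seq)
    if tag != 0x0A:
        return f"wrong tag 0x{tag:02x} where ENUMERATED responseStatus expected"
    name = RESPONSE_STATUS.get(status[0], f"unknown({status[0]})")
    if status[0] != 0:
        return f"responseStatus={name}: responder declined, no certificate status"
    tag, rb, _ = _tlv(seq, pos)
    if tag != 0xA0:
        return "successful but responseBytes [0] missing"
    _, inner, _ = _tlv(rb)
    oid_tag, oid, pos = _tlv(inner)
    if oid_tag != 0x06 or oid != ID_PKIX_OCSP_BASIC:
        return "successful but responseType is not id-pkix-ocsp-basic"
    _, basic, _ = _tlv(inner, pos)
    return f"successful: BasicOCSPResponse present ({len(basic)} bytes)"

def check_ocsp_http_reply(status_code, content_type, body):
    """HTTP-layer checks first (not visible in the ASA debug), then the DER check."""
    if status_code != 200:
        return f"HTTP {status_code}: responder did not answer the OCSP request at this URL"
    if content_type != "application/ocsp-response":
        return f"unexpected Content-Type {content_type!r}: body is not an OCSP response"
    return parse_ocsp_response(body)

# Constructed samples: an HTML 404 page, a bare tryLater, and a successful envelope whose
# BasicOCSPResponse is a two-byte placeholder (aabb), not a real signed response.
HTML_404 = b"<!DOCTYPE html><html><body>404 Not Found</body></html>"
TRY_LATER = bytes.fromhex("30030a0103")
SUCCESS = bytes.fromhex("30160a0100a011300f06092b06010505073001010402aabb")
```

Feed it the status line, Content-Type and body from a packet capture of the 5545's OCSP exchange to see whether the failure is at the HTTP layer or in the DER envelope.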

@the-lebowski

"Maybe something to do with supported protocols/encryption? Or lack thereof in the older code?"

Basically it should not validate protocol, right? First, this is going over a non-encrypted call using HTTP, which is weird but that's fine if Cisco allows this; second, this call should be to validate the certificate revocation and will not exchange certificates.

@the-lebowski

This actually involves protocol. Take a look at this bug:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz03524

Yeah, not sure that applies here, but seeing as this is our dev/test I am not too worried about it. It would be nice to have it working there, but it seems to be some issue in that version of code that doesn't like the OCSP response, while newer code has no problem with it.