12-19-2024 12:51 PM - edited 12-19-2024 12:55 PM
I have this working on a pair of 2110s running 9.18(4)47. However, I am trying to get this working in my dev environment of HA 5545s running 9.14(4)23. The error I get on the 5545s, using the exact same CA/user cert(s)/config and trying to check for revocation as I am on the 2110s, is below.
Same inside/outside networks between both pairs, connectivity/DNS working, but the only real difference is the version of code.
Failed 5545s:
PKI[7]: PKI OCSP I/O request queue result: IO_STATUS_QUEUED
PKI[7]: Successfully sent OCSP request to I/O
PKI[7]: Chain revocation status: good: 0, exempt: 0, cached: 0, revoked: 0, error: 0, pending: 1, fail-allow: 0
PKI[7]: [25] DNS resolve <mydomainhere.net (20.11.11.11)
PKI[7]: 6717056: Attempting OSCP revocation check from outside:8.39.156.99/1012 to 20.11.11.11/80 using HTTP.
PKI[7]: OCSP I/O callback received for vcid: 0, sess_id: 0x6c393853, cert_idx: 0, status: IO_STATUS_OK(1), datalen: 2801
PKI[7]: [25] IOCB freed
PKI[7]: OCSP rsp pre-process for cert index 0 URL http://<mydomainhere.net/ocsp status: IO_STATUS_OK
PKI[7]: Parsing OCSP ASN.1 response data, len 2667
PKI[4]: Failed to parse HTTP OCSP response from http://<mydomainhere.net/ocsp
PKI[1]: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag in tasn_dec.c line 1226.
PKI[1]: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error in tasn_dec.c line 392.
PKI[1]: error data: Type=OCSP_RESPONSE
PKI[4]: registering failed OCSP URL: http://<mydomainhere>.net/ocsp
PKI[4]: No more AIAs found to try
....................
PKI[7]: session 0x6c393853, Revocation check complete with errors, Allowing based on configured policy
Success 2110s:
PKI[7]: PKI OCSP I/O request queue result: IO_STATUS_QUEUED
PKI[7]: Successfully sent OCSP request to I/O
PKI[7]: Chain revocation status: good: 0, exempt: 0, cached: 0, revoked: 0, error: 0, pending: 1, fail-allow: 0
PKI[7]: [4] DNS resolve <mydomain>.net (20.11.11.11)
.....................................
PKI[7]: OCSP I/O callback received for vcid: 0, sess_id: 0x26ac1bcf, cert_idx: 0, status: IO_STATUS_OK(1), datalen: 2861
PKI[7]: [4] IOCB freed
PKI[7]: OCSP rsp pre-process for cert index 0 URL http://<mydomain>.net/ocsp status: IO_STATUS_OK
PKI[7]: Parsing OCSP ASN.1 response data, len 2325
PKI[7]: Successfully received response
PKI[7]: Process OCSP response for cert index 0 URL http://<mydomain>.net/ocsp
PKI[7]: Verified nonce in OCSP response
PKI[7]: Verified OCSP basic response
2110s:
crypto ca trustpoint man-CA
revocation-check ocsp none
enrollment terminal
enrollment interface outside
ocsp interface outside url http://<mydomainhere>.net/ocsp
crl configure
policy static
cache-time 5
no protocol ldap
5545s:
crypto ca trustpoint man-trust
revocation-check ocsp none
enrollment terminal
enrollment interface outside
validation-usage ssl-client
ocsp interface outside url http://<mydomainhere>.net/ocsp
crl configure
policy static
cache-time 5
no protocol ldap
12-19-2024 01:05 PM
Try this way.
5545s:
crypto ca trustpoint man-trust
revocation-check ocsp none
enrollment terminal
enrollment interface outside
no validation-usage ssl-client
ocsp interface outside url http://<mydomainhere>.net/ocsp
crl configure
policy static
cache-time 5
no protocol ldap
12-19-2024 01:14 PM - edited 12-19-2024 01:14 PM
How is that any different than I have it now?
crypto ca trustpoint man-trust
revocation-check ocsp none
enrollment terminal
enrollment interface outside
validation-usage ssl-client
ocsp interface outside url http://<mydomainhere>.net/ocsp
crl configure
policy static
cache-time 5
no protocol ldap
12-19-2024 01:15 PM
no validation-usage ssl-client
Which, by the way, you don't use on your success scenario.
12-19-2024 01:27 PM - edited 12-19-2024 01:45 PM
Ahh ok, that is just a setting to say whether you check for revocation against an SSL vs. IKEv1 client. Makes no difference if it's checked or not, as I get the exact same error. Maybe something to do with supported protocols/encryption? Or lack thereof in the older code?
Also, it looks like from the 5545s I get a 404 Not Found in the response, vs. the 200 OK from the 2110s. Looking at the DEBUGs I see PKI[10] right before the OCSP response on the 2110s but no PKI[10] before the response on the 5545s. On the 5545s it's PKI[7], but whether that matters or not I don't know.
12-19-2024 01:38 PM
"Maybe something to do with supported protocols/encryption? Or lack thereof in the older code?"
Basically it should not validate protocol, right? First, this is going over a non-encrypted call using HTTP, which is weird but that's fine if Cisco allows this; second, this call should be to validate the certificate revocation and will not exchange certificates.
12-19-2024 01:42 PM
This actually involves protocol. Take a look at this bug:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz03524
12-23-2024 08:02 AM
Yeah, not sure that applies here, but seeing as this is our dev/test I am not too worried about it. It would be nice to have it working there, but it seems some issue in that version of code doesn't like the OCSP response while newer code has no problem with it.