03-26-2015 02:07 PM
Hello, I have a Cisco router that I am trying to get a certificate-based VPN working on. I have most of the parts working correctly; however, I would like to have OCSP CRL lookup working. However, every time I go to do a CRL lookup I get this error:
*Mar 26 17:54:22.209: CRYPTO_PKI: Removing cached pubkeys for CRL issuer
*Mar 26 17:54:22.209: CRYPTO_PKI: create new ca_req_context type PKI_POLL_CRL_CONTEXT,ident 42
*Mar 26 17:54:22.209: CRYPTO_PKI: (0)Retreive CRL using HTTP URI
*Mar 26 17:54:22.209: CRYPTO_PKI: Bypassing SCEP capabilities request 0
*Mar 26 17:54:22.209: CRYPTO_PKI: (0) Requesting CRL at http://192.168.4.104:8080:
*Mar 26 17:54:22.209: CRYPTO_PKI: (0) Fetch 0
*Mar 26 17:54:22.209: CRYPTO_PKI: locked trustpoint OPENSSL, refcount is 1
*Mar 26 17:54:22.213: CRYPTO_PKI: http connection opened
*Mar 26 17:54:22.213: CRYPTO_PKI: Sending HTTP message
reda(config)#
*Mar 26 17:54:22.213: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0
Host: 192.168.4.104
reda(config)#
*Mar 26 17:54:24.213: CRYPTO_PKI: unlocked trustpoint OPENSSL, refcount is 0
*Mar 26 17:54:24.213: CRYPTO_PKI: Send HTTP header:
GET HTTP/1.0
Host: 192.168.4.104
*Mar 26 17:54:24.213: CRYPTO_PKI: HTTP data
47 45 54 20 20 48 54 54 50 2F 31 2E 30 0D 0A 48
6F 73 74 3A 20 31 39 32 2E 31 36 38 2E 34 2E 31
30 34 0D 0A 0D 0A 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00
*Mar 26 17:54:24.213: CRYPTO_PKI: locked trustpoint OPENSSL, refcount is 1
*Mar 26 17:54:24.217: CRYPTO_PKI: unlocked trustpoint OPENSSL, refcount is 0
*Mar 26 17:54:24.217: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0 200 OK
Content-Type: application/ocsp-response
Content-Transfer-Encoding: Binary
Content-Length: 5
Date: Mar 26 17:57:15 2015 GMT
Expires: Mar 26 18:02:15 2015 GMT
*Mar 26 17:54:24.217: CRYPTO_PKI: HTTP header content length is 5 bytes
*Mar 26 17:54:24.217: CRYPTO
reda(config)#_PKI: FETCH IO data 30 03 0A 01 01
*Mar 26 17:54:24.217: CRYPTO_PKI: processing CRYPTO_INSERT_CRL but session id (0) is not valid
*Mar 26 17:54:24.217: CRYPTO_PKI: (0) Verify incoming CRL
*Mar 26 17:54:24.217: ../cert-c/source/crlobj.c(504) : E_BER_ENCODING : invalid encoding format for input data
*Mar 26 17:54:24.217: %PKI-4-CRLINSERTFAIL: Trustpoint "OPENSSL" failed to parse CRL (error 1793:E_BER_ENCODING : invalid encoding format for input data)
*Mar 26 17:54:24.217: CRYPTO_PKI: transaction Unknown completed
On the OCSP side I get this error:
Network Error while reading Request!
I am using Cisco 881 routers and my OCSP server is OPENCA OCSPD.
When I do a Wireshark trace of the incoming and outgoing packets on the OCSP server I see an HTTP GET request coming in, and an OCSP reply "responseStatus: malformedRequest (1)" going out.
Here is my router configuration:
reda#show run
Building configuration...
Current configuration : 3985 bytes
!
! Last configuration change at 18:04:27 UTC Thu Mar 26 2015
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname reda
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
!
no aaa new-model
!
crypto pki trustpoint OPENSSL
enrollment terminal
fqdn reda.engageinc.com
revocation-check ocsp
ocsp url http://192.168.4.104:8080
ocsp disable-nonce
rsakeypair BRANCH_KEY
!
crypto pki crl cache size 2048
!
crypto pki certificate chain OPENSSL
certificate ca 00A3A5C798F3C3312A
308203EF 308202D7 A0030201 02020900 A3A5C798 F3C3312A 300D0609 2A864886
F70D0101 05050030 18311630 14060355 04030C0D 42564341 206E756D 62616820
32301E17 0D313530 33323631 37343935 345A170D 31363033 32353137 34393534
5A307431 0B300906 03550406 13025553 31133011 06035504 08130A43 616C6966
6F726E69 61311D30 1B060355 040A1314 456E6761 67652043 6F6D6D75 6E696361
74696F6E 31143012 06035504 0B130B65 6E67696E 65657269 6E67311B 30190603
55040313 12726564 612E656E 67616765 696E632E 636F6D30 82012230 0D06092A
864886F7 0D010101 05000382 010F0030 82010A02 82010100 A58DD944 7A6F5BD4
DA6BFE90 B2470DC0 1A3C8226 6EC8B7E1 55DF83B8 4A85BA36 76A52A40 278A6658
8A630B52 1C95B216 FE9A7CC3 A9393AAB CEC76AF1 96983EA2 57A721AD 7B34D746
4EF92844 FFA2ABF0 46E88E48 7F2BD4FE D6FF1666 A7305664 82127826 97615B40
262173FE 03C75FCB 89A0CB34 E17F33CB C37021BB B9EC10F4 33C556BC 40DD562B
CD70B17D F3736F1B AF614249 1D3C1944 DBEC101B CD9A44BB 044595A6 67B97541
85631A15 5CCFDBBD F9BA44A6 458E585F EDE279DC BDFB4252 FABC2925 2FA13F4A
466ECE7F 35832216 FCAF26A9 81431984 F327DC8A E24DE0C1 26E6098C 827BF6F0
3475D9E7 43321F7E 6A3CFBD5 045CBF9F E5402137 05AE0C77 02030100 01A381DF
3081DC30 09060355 1D130402 3000302C 06096086 480186F8 42010D04 1F161D4F
70656E53 534C2047 656E6572 61746564 20436572 74696669 63617465 301D0603
551D0E04 1604141D 6BCA5313 5483C2D2 3174EF6D 4E4984DC 27815E30 1F060355
1D230418 30168014 A82D5098 9F656D45 F5CE357D 2E42EBAC 29EBFF00 302A0603
551D1F04 23302130 1FA01DA0 1B861968 7474703A 2F2F3139 322E3136 382E342E
3130343A 38303830 30350608 2B060105 05070101 04293027 30250608 2B060105
05073001 86196874 74703A2F 2F313932 2E313638 2E342E31 30343A38 30383030
0D06092A 864886F7 0D010105 05000382 0101005E AC863E65 F8D79A7A BA7C7487
46BC088D 7E1258E2 E5BCA564 5C00EB24 1BD9D596 63699A89 55168389 9D539BED
FA8262E3 0F815E7F 247BC37B 29482BBE 9B491C83 5608F46D E01C3DDC 05524BB9
33E9B24D BF1E2428 B719FF9A 714A0D64 78431A46 53A49009 A8A421C1 0D1A069A
B1B18D1B DBBE900D 98C8EE3B 9B2973EE 4E8993F3 97703F91 6F05F7EE 69436DBD
72998F37 AD454795 76015884 E2E634B6 EDC1D7F0 12725682 D52CAD1F 72F6CD45
5ED20D7B 7FB36364 7631B39F F71F73BE DDE0E708 FC709E80 793E60FE F4F3B178
A7C8384D A42A9729 18E0AABB 704F98E3 D2446963 79355C47 D16B5E91 D14740B4
5F6B1668 415E3669 397FB43A F793471E 498068
quit
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C881-K9 sn FTX190485K6
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
switchport access vlan 104
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
no ip address
shutdown
duplex auto
speed auto
!
interface Vlan1
no ip address
!
interface Vlan104
ip address 192.168.4.1 255.255.255.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
logging synchronous
no modem enable
line aux 0
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
!
end
reda#
help?
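As an added diagnostic example (not code from the post, from Cisco, or from OpenCA), the following Python decodes the two artifacts visible in the debug output above: the hex dump printed under "CRYPTO_PKI: HTTP data", and the five-byte body returned with Content-Type application/ocsp-response. Decoding them shows that the request line carries an empty request-target (two spaces between "GET" and "HTTP/1.0", no path), and that the five bytes are a DER OCSPResponse whose responseStatus is malformedRequest (1) with no responseBytes, which is not a CRL and so cannot pass the router's CRL parser. The status names come from RFC 6960 section 4.2.1; the function names are my own.

```python
"""Decode the HTTP request hex dump and the 5-byte OCSP body from the
"debug crypto pki" output in the post.  Added example, not Cisco or OpenCA
code; the sample bytes below are copied from the debug output."""

# Hex dump exactly as printed under "CRYPTO_PKI: HTTP data" in the post
HTTP_DATA_HEX = """
47 45 54 20 20 48 54 54 50 2F 31 2E 30 0D 0A 48
6F 73 74 3A 20 31 39 32 2E 31 36 38 2E 34 2E 31
30 34 0D 0A 0D 0A 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00
"""

# Body returned by the responder ("FETCH IO data 30 03 0A 01 01")
OCSP_BODY = bytes.fromhex("30 03 0A 01 01")

# OCSPResponseStatus values, RFC 6960 section 4.2.1 (4 is unused)
OCSP_RESPONSE_STATUS = {
    0: "successful",
    1: "malformedRequest",
    2: "internalError",
    3: "tryLater",
    5: "sigRequired",
    6: "unauthorized",
}


def decode_http_request(hex_dump: str) -> dict:
    """Turn the debug hex dump back into the request line and headers."""
    raw = bytes.fromhex("".join(hex_dump.split()))
    text = raw.rstrip(b"\x00").decode("ascii")  # trailing NULs are buffer padding
    head, _, _body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    # Split on single spaces so an empty request-target shows up as ""
    parts = lines[0].split(" ")
    method, target, version = parts[0], " ".join(parts[1:-1]), parts[-1]
    headers = dict(h.split(": ", 1) for h in lines[1:] if h)
    return {"method": method, "target": target, "version": version, "headers": headers}


def read_tlv(data: bytes, offset: int = 0):
    """Minimal DER tag-length-value reader; returns (tag, value, end_offset)."""
    tag = data[offset]
    length = data[offset + 1]
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[offset + 2 : offset + 2 + n], "big")
        offset += n
    start = offset + 2
    return tag, data[start : start + length], start + length


def decode_ocsp_response(body: bytes) -> dict:
    """Parse OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED,
    responseBytes [0] EXPLICIT OPTIONAL } and name the status."""
    tag, inner, _ = read_tlv(body)
    if tag != 0x30:
        raise ValueError("OCSPResponse must start with a SEQUENCE")
    tag, value, end = read_tlv(inner)
    if tag != 0x0A:
        raise ValueError("responseStatus must be ENUMERATED")
    status = int.from_bytes(value, "big")
    has_response_bytes = end < len(inner) and inner[end] == 0xA0
    return {
        "responseStatus": status,
        "name": OCSP_RESPONSE_STATUS.get(status, "unknown"),
        "hasResponseBytes": has_response_bytes,
    }


def looks_like_crl(body: bytes) -> bool:
    """A DER CertificateList starts SEQUENCE { SEQUENCE tbsCertList ... },
    while an OCSPResponse starts SEQUENCE { ENUMERATED ... }; the second
    tag is enough to tell which one the router was handed."""
    try:
        tag, inner, _ = read_tlv(body)
        return tag == 0x30 and len(inner) > 0 and inner[0] == 0x30
    except IndexError:
        return False


if __name__ == "__main__":
    req = decode_http_request(HTTP_DATA_HEX)
    print(f"request line: {req['method']!r} target={req['target']!r} {req['version']!r}")
    print("headers:", req["headers"])
    print("OCSP body:", decode_ocsp_response(OCSP_BODY))
    print("body parseable as CRL:", looks_like_crl(OCSP_BODY))
```

Run it and the request-target comes back as an empty string and the body as responseStatus 1 (malformedRequest) without responseBytes; the same decoder can be pointed at any body captured from the responder to confirm what the router actually received before blaming the CRL parser.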