7163 Views, 0 Helpful, 8 Replies

SSL Protocol error with anyconnect and certificate authentication

JonoCoetz (Level 1)

I'm busy setting up a development AnyConnect VPN service so I can test it out before pushing it to production, and I'm running into trouble when I set authentication to aaa and certificates. When I just use aaa it works fine; however, when I set it up to use certificates as well, something goes wrong between me sending the certificate to the ASA and the login page being shown. In Internet Explorer a generic "Internet Explorer cannot display this webpage" error is thrown, while Chrome displays "Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error."

My problem is more than likely the fact that I've set up my own CA (using xca) for testing purposes and I've made a mistake with the Key Usage flags or something along those lines.

When I do a debug crypto ca 127 the following is shown:

CERT_API: Authenticate session 0x021999a1, non-blocking cb=0x08e84230
CERT API thread wakes up!
CERT_API: process msg cmd=0, session=0x021999a1
CERT_API: Async locked for session 0x021999a1
CRYPTO_PKI: Checking to see if an identical cert is already in the database...
CRYPTO_PKI: looking for cert in handle=0xbb7ac644, digest=
09 55 a1 2a 2c 39 77 0a 25 1c 88 d9 07 80 00 75    |  .U.*,9w.%......u
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints...
CRYPTO_PKI: Storage context locked by thread CERT API
CRYPTO_PKI: Found a suitable authenticated trustpoint svc.trustpoint.
CRYPTO_PKI(make trustedCerts list)CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.7.3.2
CRYPTO_PKI:check_key_usage:Key Usage check OK
CRYPTO_PKI: Certificate validation: Successful, status: 0. Attempting to retrieve revocation status if necessary
CRYPTO_PKI:Certificate validated. serial number: 0E, subject name:  cn=TestUser,ou=Security Group,o=*****,st=*****,c=**.
CRYPTO_PKI: Storage context released by thread CERT API
CRYPTO_PKI: Certificate validated without revocation check
CERT_API: calling user callback=0x08e84230 with status=0
CERT_API: Close session 0x021999a1 asynchronously
CERT_API: Async unlocked for session 0x021999a1
CERT_API: process msg cmd=1, session=0x021999a1
CERT_API: Async locked for session 0x021999a1
CERT_API: Async unlocked for session 0x021999a1
CERT API thread sleeps!

CERT_API: Authenticate session 0x02755959, non-blocking cb=0x08e84230
CERT API thread wakes up!
CERT_API: process msg cmd=0, session=0x02755959
CERT_API: Async locked for session 0x02755959
CRYPTO_PKI: Checking to see if an identical cert is already in the database...
CRYPTO_PKI: looking for cert in handle=0xbb7ac644, digest=
09 55 a1 2a 2c 39 77 0a 25 1c 88 d9 07 80 00 75    |  .U.*,9w.%......u
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints...
CRYPTO_PKI: Storage context locked by thread CERT API
CRYPTO_PKI: Found a suitable authenticated trustpoint svc.trustpoint.
CRYPTO_PKI(make trustedCerts list)CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.7.3.2
CRYPTO_PKI:check_key_usage:Key Usage check OK
CRYPTO_PKI: Certificate validation: Successful, status: 0. Attempting to retrieve revocation status if necessary
CRYPTO_PKI:Certificate validated. serial number: 0E, subject name:  cn=TestUser,ou=Security Group,o=*****,st=*****,c=**.
CRYPTO_PKI: Storage context released by thread CERT API
CRYPTO_PKI: Certificate validated without revocation check
CERT_API: calling user callback=0x08e84230 with status=0
CERT_API: Close session 0x02755959 asynchronously
CERT_API: Async unlocked for session 0x02755959
CERT_API: process msg cmd=1, session=0x02755959
CERT_API: Async locked for session 0x02755959
CERT_API: Async unlocked for session 0x02755959
CERT API thread sleeps!

From what I can understand it looks like the certificate validation was successful, but the error is still thrown and I am not redirected to the login page. Like I said, it all works fine without certificate authentication.

Here are the extensions used for the keys:

CA:

X509v3 Basic Constraints critical:
CA:TRUE
X509v3 Subject Key Identifier:
53:35:35:15:F4:CE:C1:6D:5E:0C:53:2F:1D:2E:51:E4:70:F6:24:0F
X509v3 Key Usage:
Certificate Sign, CRL Sign
Netscape Cert Type:
SSL CA, S/MIME CA, Object Signing CA
Netscape Comment:
xca certificate

ASA:

X509v3 Key Usage critical:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
DNS:stagingvpn
X509v3 Basic Constraints critical:
CA:FALSE
X509v3 Subject Key Identifier:
C9:CE:A3:8F:96:D7:A1:C8:B9:5A:AC:98:78:81:ED:3A:2B:FC:38:70
Netscape Cert Type:
SSL Server
Netscape Comment:
xca certificate

TestUser:

X509v3 Basic Constraints critical:
CA:FALSE
X509v3 Subject Key Identifier:
FF:C8:36:A5:59:51:9D:DE:DC:28:84:ED:27:61:A2:61:5E:83:5B:95
X509v3 Key Usage:
Digital Signature, Key Encipherment, Data Encipherment
Netscape Cert Type:
SSL Client, S/MIME
Netscape Comment:
xca certificate

Anybody know where I'm going wrong? Pretty sure it's something blindingly simple, but I don't have much experience with certificates.

Many thanks!
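An added example, not from this thread, from Cisco or from xca: the script below builds a throwaway CA plus a server certificate and a client certificate with the OpenSSL command line, giving each one explicit Key Usage and Extended Key Usage values, and then asks `openssl verify -purpose` whether each certificate is acceptable in the sslserver and sslclient roles. It goes one step beyond the thread by also showing the negative case: a certificate that carries only the serverAuth EKU is rejected for the client purpose, which is the kind of mismatch the original poster suspected. It assumes `openssl` is installed; the `WORK` directory, the subject names and the function names are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread): generate lab certificates with explicit
# keyUsage / extendedKeyUsage and check them against OpenSSL's purpose rules.
# WORK, the subjects and the function names are assumptions for this example.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Extension profiles: CA, TLS server, TLS client. keyUsage is marked critical
# so a relying party must honour it; the EKU pins each cert to one role.
write_ext_config() {
  cat > "$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn

[ req_dn ]

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:stagingvpn
subjectKeyIdentifier = hash

[ client_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
EOF
}

# Self-signed lab CA, valid for one day so it cannot linger.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "/CN=Lab Test CA" \
    -config "$WORK/ext.cnf" -extensions ca_ext >/dev/null 2>&1
}

# make_leaf NAME EXT_SECTION SUBJECT: key + CSR, then CA-signed cert with the
# extensions from the named section (CSR-supplied extensions are ignored).
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "$3" -config "$WORK/ext.cnf" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$WORK/ext.cnf" -extensions "$2" \
    -out "$WORK/$1.crt" >/dev/null 2>&1
}

# cert_fit_for_purpose CERT PURPOSE: exit 0 when OpenSSL accepts the chain and
# the leaf's keyUsage/EKU for PURPOSE (sslserver or sslclient), 1 otherwise.
cert_fit_for_purpose() {
  if openssl verify -CAfile "$WORK/ca.crt" -purpose "$2" "$1" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

# ext_summary CERT: print the Key Usage and Extended Key Usage lines, the same
# fields the thread compares by hand.
ext_summary() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Key Usage'
}

# Demo run: build everything and report each cert against both purposes.
demo() {
  write_ext_config
  make_ca
  make_leaf server server_ext "/CN=stagingvpn"
  make_leaf client client_ext "/CN=TestUser"
  for c in server client; do
    echo "== $c.crt"; ext_summary "$WORK/$c.crt"
    for p in sslserver sslclient; do
      if cert_fit_for_purpose "$WORK/$c.crt" "$p"; then
        echo "  $p: OK"
      else
        echo "  $p: REJECTED (keyUsage/EKU not valid for this role)"
      fi
    done
  done
}

demo
```

The same `openssl verify -purpose sslclient -CAfile <ca> <user-cert>` check can be run against any certificate exported from a real PKI before it is handed to a VPN head end; a rejection there points at the extensions rather than at the TLS configuration.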

8 Replies

Hi Jonathan,

Please include the "show run all ssl" output.

Thanks in advance.

Here it is:

ssl server-version any
ssl client-version any
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl trust-point svc.trustpoint outside

JonoCoetz (Level 1)

Sorry, it seems the debug output I posted here was from when I tried adding TLS Client Authentication to the TestUser certificate; this is why there's the line with "ExtendedKeyUsage OID = 1.3.6.1.5.5.7.3.2". Results are still the same regardless of whether it was present or not...

I see, what if you remove the "ssl trust-point svc.trustpoint outside" command?

Thanks.

Portu

That didn't help and meant that I got certificate errors when browsing to the page.

Tried in Firefox and I got a much more informative error:

"SSL received a record with an incorrect Message Authentication Code. (Error code: ssl_error_bad_mac_read)"

What confuses me is why I don't get an error like this when just using aaa auth? It seems to be just an SSL/HTTPS error?

Hi Jonathan,

Could you please enable webvpn on the inside and give it a try from an internal machine?

webvpn
enable inside
!

* Just for testing, please do not use certificate authentication and remove any trustpoint assigned to the interface with "no ssl trust-point svc.trustpoint outside".

Thanks.

It works from both sides if I enable webvpn on the inside, take off the trustpoint outside and use aaa auth only, but not if I use aaa + cert auth.

For some reason just using aaa has always worked; it's as soon as I try to use cert auth as well that things fail.

As a matter of interest, I received the following errors when I applied the "enable inside" command:

%ERROR: csco_config.lua:39: msgfmt_main.lua:463: bad argument #1 to `char' (invalid value)
%ERROR: csco_config.lua:39: msgfmt_main.lua:463: bad argument #1 to `char' (invalid value)
%ERROR: csco_config.lua:39: msgfmt_main.lua:463: bad argument #1 to `char' (invalid value)
%ERROR: csco_config.lua:39: msgfmt_main.lua:463: bad argument #1 to `char' (invalid value)
%ERROR: csco_config.lua:39: msgfmt_main.lua:463: bad argument #1 to `char' (invalid value)
%ERROR: csco_config.lua:39: msgfmt_main.lua:463: bad argument #1 to `char' (invalid value)
%ERROR: csco_config.lua:39: msgfmt_main.lua:463: bad argument #1 to `char' (invalid value)
%ERROR: csco_config.lua:39: msgfmt_main.lua:463: bad argument #1 to `char' (invalid value)
%ERROR: csco_config.lua:39: msgfmt_main.lua:463: bad argument #1 to `char' (invalid value)

This also happens when the "enable outside" is read and executed from the config file on boot. Never thought anything of it cuz webvpn works, just not with certs.

Please lemme know what else I can try or any other info you might need.

Thanks!

I really should have said this before but I'm running this on an emulated gns3 environment. Do you think this might be part of the problem? Everything else works perfectly though so I'm not sure...