07-26-2012 06:18 AM - edited 02-21-2020 06:13 PM
I'm busy setting up a development Anyconnect VPN service so I can test it out before pushing it to production and I'm running into trouble when I set authentication to aaa and certificates. When I just use aaa it works fine, however when I set it up to use certificates as well something goes wrong between me sending the certificate to the ASA and the login page being shown. In Internet Explorer a generic "Internet Explorer cannot display this webpage" error is thrown while Chrome displays "Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error."
My problem is more than likely the fact that I've set up my own CA (using xca) for testing purposes and I've made a mistake with the Key Usage flags or something along those lines.
When I do a debug crypto ca 127 the following is shown:
CERT_API: Authenticate session 0x021999a1, non-blocking cb=0x08e84230
CERT API thread wakes up!
CERT_API: process msg cmd=0, session=0x021999a1
CERT_API: Async locked for session 0x021999a1
CRYPTO_PKI: Checking to see if an identical cert is already in the database...
CRYPTO_PKI: looking for cert in handle=0xbb7ac644, digest=
09 55 a1 2a 2c 39 77 0a 25 1c 88 d9 07 80 00 75 | .U.*,9w.%......u
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints...
CRYPTO_PKI: Storage context locked by thread CERT API
CRYPTO_PKI: Found a suitable authenticated trustpoint svc.trustpoint.
CRYPTO_PKI(make trustedCerts list)CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.7.3.2
CRYPTO_PKI:check_key_usage:Key Usage check OK
CRYPTO_PKI: Certificate validation: Successful, status: 0. Attempting to retrieve revocation status if necessary
CRYPTO_PKI:Certificate validated. serial number: 0E, subject name: cn=TestUser,ou=Security Group,o=*****,st=*****,c=**.
CRYPTO_PKI: Storage context released by thread CERT API
CRYPTO_PKI: Certificate validated without revocation check
CERT_API: calling user callback=0x08e84230 with status=0
CERT_API: Close session 0x021999a1 asynchronously
CERT_API: Async unlocked for session 0x021999a1
CERT_API: process msg cmd=1, session=0x021999a1
CERT_API: Async locked for session 0x021999a1
CERT_API: Async unlocked for session 0x021999a1
CERT API thread sleeps!
CERT_API: Authenticate session 0x02755959, non-blocking cb=0x08e84230
CERT API thread wakes up!
CERT_API: process msg cmd=0, session=0x02755959
CERT_API: Async locked for session 0x02755959
CRYPTO_PKI: Checking to see if an identical cert is already in the database...
CRYPTO_PKI: looking for cert in handle=0xbb7ac644, digest=
09 55 a1 2a 2c 39 77 0a 25 1c 88 d9 07 80 00 75 | .U.*,9w.%......u
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints...
CRYPTO_PKI: Storage context locked by thread CERT API
CRYPTO_PKI: Found a suitable authenticated trustpoint svc.trustpoint.
CRYPTO_PKI(make trustedCerts list)CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.7.3.2
CRYPTO_PKI:check_key_usage:Key Usage check OK
CRYPTO_PKI: Certificate validation: Successful, status: 0. Attempting to retrieve revocation status if necessary
CRYPTO_PKI:Certificate validated. serial number: 0E, subject name: cn=TestUser,ou=Security Group,o=*****,st=*****,c=**.
CRYPTO_PKI: Storage context released by thread CERT API
CRYPTO_PKI: Certificate validated without revocation check
CERT_API: calling user callback=0x08e84230 with status=0
CERT_API: Close session 0x02755959 asynchronously
CERT_API: Async unlocked for session 0x02755959
CERT_API: process msg cmd=1, session=0x02755959
CERT_API: Async locked for session 0x02755959
CERT_API: Async unlocked for session 0x02755959
CERT API thread sleeps!
From what I can understand it looks like the certificate validation was successful but the error is still thrown and I am not redirected to the login page. Like I said, it all works fine without certificate authentication.
Here are the extensions used in the keys:
CA:
X509v3 Basic Constraints critical:
CA:TRUE
X509v3 Subject Key Identifier:
53:35:35:15:F4:CE:C1:6D:5E:0C:53:2F:1D:2E:51:E4:70:F6:24:0F
X509v3 Key Usage:
Certificate Sign, CRL Sign
Netscape Cert Type:
SSL CA, S/MIME CA, Object Signing CA
Netscape Comment:
xca certificate
ASA:
X509v3 Key Usage critical:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
DNS:stagingvpn
X509v3 Basic Constraints critical:
CA:FALSE
X509v3 Subject Key Identifier:
C9:CE:A3:8F:96:D7:A1:C8:B9:5A:AC:98:78:81:ED:3A:2B:FC:38:70
Netscape Cert Type:
SSL Server
Netscape Comment:
xca certificate
TestUser:
X509v3 Basic Constraints critical:
CA:FALSE
X509v3 Subject Key Identifier:
FF:C8:36:A5:59:51:9D:DE:DC:28:84:ED:27:61:A2:61:5E:83:5B:95
X509v3 Key Usage:
Digital Signature, Key Encipherment, Data Encipherment
Netscape Cert Type:
SSL Client, S/MIME
Netscape Comment:
xca certificate
Anybody know where I'm going wrong? Pretty sure it's something blindingly simple, but I don't have much experience with certificates.
Many thanks!
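A quick sanity check of the extension listings above against the usual TLS role requirements (RFC 5280 Key Usage bits, the EKU name openssl prints for OID 1.3.6.1.5.5.7.3.2 seen in the debug, a DNS SAN for the server). This is an added example, not code from the thread, Cisco or xca; the role rules are generic X.509 expectations, not ASA-specific logic.

```python
"""Sanity-check X.509 extension listings (openssl -text style) against TLS role needs.
Added example, not Cisco/xca code; rules follow RFC 5280 KU/EKU semantics, not ASA logic."""

# Extension listings copied from the thread (ASA server cert and TestUser client cert).
ASA_TEXT = """X509v3 Key Usage critical:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
DNS:stagingvpn
X509v3 Basic Constraints critical:
CA:FALSE"""
USER_TEXT = """X509v3 Basic Constraints critical:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment, Data Encipherment"""

# EKU names as openssl prints them; clientAuth is OID 1.3.6.1.5.5.7.3.2 from the debug.
ROLES = {
    "ca": dict(ku={"Certificate Sign"}, eku=None, ca=True),
    "server": dict(ku={"Digital Signature"}, eku="TLS Web Server Authentication", ca=False),
    "client": dict(ku={"Digital Signature"}, eku="TLS Web Client Authentication", ca=False),
}

def parse_extensions(text):
    """Turn 'name:' / 'value' line pairs into {name: set(values)}."""
    exts, current = {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.endswith(":"):  # header line, e.g. 'X509v3 Key Usage critical:'
            current = line[:-1].replace("X509v3 ", "").replace(" critical", "")
            exts.setdefault(current, set())
        elif current is not None:  # value line, comma-separated flags
            exts[current].update(v.strip() for v in line.split(","))
    return exts

def check_role(exts, role):
    """Return findings for the role; an empty list means the extensions fit."""
    rule, findings = ROLES[role], []
    want_ca = "CA:TRUE" if rule["ca"] else "CA:FALSE"
    if want_ca not in exts.get("Basic Constraints", set()):
        findings.append(f"Basic Constraints should say {want_ca}")
    missing = rule["ku"] - exts.get("Key Usage", set())
    if missing:
        findings.append("Key Usage missing: " + ", ".join(sorted(missing)))
    eku = exts.get("Extended Key Usage")  # absent EKU = unrestricted (RFC 5280)
    if rule["eku"] and eku is not None and rule["eku"] not in eku:
        findings.append(f"Extended Key Usage present but lacks {rule['eku']}")
    sans = exts.get("Subject Alternative Name", set())
    if role == "server" and not any(v.startswith("DNS:") for v in sans):
        findings.append("no DNS Subject Alternative Name for hostname matching")
    return findings
```

Both listings from the thread come back clean for their roles, which is consistent with the debug showing the certificate validating and the failure being at the SSL record layer rather than in extension checks.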
07-26-2012 06:53 AM
Hi Jonathan,
Please include the "show run all ssl" output.
Thanks in advance.
07-26-2012 06:55 AM
Here it is:
ssl server-version any
ssl client-version any
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl trust-point svc.trustpoint outside
07-26-2012 07:18 AM
Sorry, it seems the debug output I posted here was from when I tried adding TLS Client Authentication to the TestUser certificate, this is why there's the line with "ExtendedKeyUsage OID = 1.3.6.1.5.5.7.3.2". Results are still the same regardless of whether it was present or not...
07-26-2012 09:38 AM
I see, what if you remove the "ssl trust-point svc.trustpoint outside" command?
Thanks.
Portu
07-27-2012 02:44 AM
That didn't help and meant that I got certificate errors when browsing to the page.
Tried in Firefox and I got a much more informative error:
"SSL received a record with an incorrect Message Authentication Code.
(Error code: ssl_error_bad_mac_read)"
What confuses me is why I don't get an error like this when just using aaa auth? It seems to be just an SSL/HTTPS error?
07-27-2012 05:51 AM
Hi Jonathan,
Could you please enable webvpn on the inside and give it a try from an internal machine?
webvpn
enable inside
!
* Just for testing, please do not use certificate authentication and remove any trustpoint assigned to the interface with the
" no ssl trust-point svc.trustpoint outside".
Thanks.
07-27-2012 06:10 AM
It works from both sides if I enable webvpn on the inside, take off the trustpoint outside and use aaa auth only, but not if I use aaa + cert auth.
For some reason just using aaa has always worked; it's as soon as I try to use cert auth as well that things fail.
As a matter of interest, I received the following errors when I applied the "enable inside" command:
%ERROR: csco_config.lua:39: msgfmt_main.lua:463: bad argument #1 to `char' (invalid value)
%ERROR: csco_config.lua:39: msgfmt_main.lua:463: bad argument #1 to `char' (invalid value)
%ERROR: csco_config.lua:39: msgfmt_main.lua:463: bad argument #1 to `char' (invalid value)
%ERROR: csco_config.lua:39: msgfmt_main.lua:463: bad argument #1 to `char' (invalid value)
%ERROR: csco_config.lua:39: msgfmt_main.lua:463: bad argument #1 to `char' (invalid value)
%ERROR: csco_config.lua:39: msgfmt_main.lua:463: bad argument #1 to `char' (invalid value)
%ERROR: csco_config.lua:39: msgfmt_main.lua:463: bad argument #1 to `char' (invalid value)
%ERROR: csco_config.lua:39: msgfmt_main.lua:463: bad argument #1 to `char' (invalid value)
%ERROR: csco_config.lua:39: msgfmt_main.lua:463: bad argument #1 to `char' (invalid value)
This also happens when the "enable outside" is read and executed from the config file on boot. Never thought anything of it because webvpn works, just not with certs.
Please let me know what else I can try or any other info you might need.
Thanks!
07-27-2012 06:12 AM
I really should have said this before but I'm running this on an emulated gns3 environment. Do you think this might be part of the problem? Everything else works perfectly though so I'm not sure...