Guest

Preview Tool

Cisco Bug: CSCte90958 - during validation of client cert, ASA may use wrong trustpoint policy

Last Modified

Mar 06, 2018

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

8.2(2.5) 8.3(0.22)

Description (partial)

Symptom:
It is possible that the ASA may use the revocation check policy of the wrong trustpoint if the ASA is configured with rekeyed CA certs.  Rekeyed CA certs resulting in two trustpoints with the same DN.   This involves cases where client cert authentication is enabled and the client is sending a cert chain to bring up an SSL VPN connection.

Conditions:
If the ASA is configured where it tries to validate the client cert using the CA cert that did NOT sign the client cert, it could use the policy of this trustpoint.  If this trustpoint doesn't have revocation checking it might allow the connection to complete with a revoked connection.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.