Cisco Bug: CSCte90958 - during validation of client cert, ASA may use wrong trustpoint policy
Mar 06, 2018
- Cisco ASA 5500-X Series Firewalls
Known Affected Releases
Symptom: The ASA may apply the revocation-check policy of the wrong trustpoint when it is configured with rekeyed CA certificates. Rekeying a CA certificate results in two trustpoints that carry the same DN. This affects deployments where client certificate authentication is enabled and the client sends a certificate chain to bring up an SSL VPN connection.

Conditions: If the ASA attempts to validate the client certificate against the CA certificate that did NOT sign it, it may apply the policy of that trustpoint. If that trustpoint has no revocation checking configured, the connection might be allowed to complete with a revoked certificate.
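As an added illustration, not taken from the account-gated Cisco bug record, here is an ASA configuration of the shape the conditions describe: two trustpoints holding the original and the rekeyed CA certificate (same DN) where only one enforces revocation checking, followed by a hardened form in which both trustpoints carry the same revocation policy, so the result no longer depends on which trustpoint the ASA picks for the client certificate. Trustpoint names and the CRL URL are assumed.

```cisco
! Weak: CA-ORIGINAL and CA-REKEYED hold CA certs with the same DN, but only
! CA-ORIGINAL checks revocation. If client-cert validation lands on
! CA-REKEYED, a revoked client certificate is not rejected.
crypto ca trustpoint CA-ORIGINAL
 enrollment terminal
 revocation-check crl
 crl configure
  policy static
  ! assumed CRL distribution point
  url 1 http://crl.example.test/ca.crl
crypto ca trustpoint CA-REKEYED
 enrollment terminal
 revocation-check none

! Hardened: both trustpoints enforce the identical revocation policy, so
! whichever trustpoint the ASA selects, the client certificate is still
! checked against the CRL.
crypto ca trustpoint CA-ORIGINAL
 enrollment terminal
 revocation-check crl
 crl configure
  policy static
  url 1 http://crl.example.test/ca.crl
crypto ca trustpoint CA-REKEYED
 enrollment terminal
 revocation-check crl
 crl configure
  policy static
  url 1 http://crl.example.test/ca.crl
```

`show crypto ca certificates` lists each trustpoint's subject and issuer names, which is where a pair of trustpoints sharing a DN after a rekey shows up.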