Guest

Preview Tool

Cisco Bug: CSCuj29518 - CX: Support use of the Authority Information Access TLS ext (RFC 5280)

Last Modified

Aug 19, 2016

Products (1)

  • Cisco ASA Next-Generation Firewall Services

Known Affected Releases

9.1(2)

Description (partial)

Symptom:
The TLS proxy functionality of the Next Generation Firewall code does not support the Authority Information Access TLS extension. As a result secure servers that do not return the intermediary CA certificates with their identity certificate, but instead rely on the browser accessing a Authority Information Access location, will not be allowed through the CX citing a certificate validation error as the reason for denial.

Conditions:
This is seen with some, but not all, secure SSL servers. You can identify if this is the case, by inspecting the certificate chain returned by the server and look for the following:

1) A lack of intermediary certificates returned in the chain
2) A "Authority Information Access" TLS extension
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.