Cisco Bug: CSCvi74369 - AIA chasing requests don't honor the upstream proxy configuration unless configured in OCSP

Last Modified

Apr 05, 2018

Products (1)

  • Cisco Web Security Appliance

Known Affected Releases

10.1.2-050 10.5.1-296

Description (partial)

Symptom:
- AIA intermediate certificate chasing requests do not honor the upstream proxy configuration unless the upstream proxy is configured in the OCSP settings. This can result in certificate warnings on many HTTPS pages.

Wed Mar 28 10:02:15 2018 Info: 346795 : Got an OCSP query for the server : www.der-roemer-shop.de - (Intermediate Certs chase request)
Wed Mar 28 10:02:15 2018 Debug: 346795 Intermediate Certs chase request: Loading trust store for AIA chase
Wed Mar 28 10:02:15 2018 Debug: Intermediate Certs chase request: URL identified = http://cacerts.thawte.com/ThawteRSACA2018.crt 346795
Wed Mar 28 10:02:15 2018 Debug: 346795 : Querying status of certificate  from: http://cacerts.thawte.com/ThawteRSACA2018.crt
Wed Mar 28 10:02:15 2018 Trace: 346795 : Connecting directly (cacerts.thawte.com:80)
Wed Mar 28 10:02:20 2018 Debug: Total requests 1, OCSP Cache hits 0, OCSP requests 0, OCSP valid responses 0, OCSP invalid responses  0, Network failures 0, average response time 0
Wed Mar 28 10:02:25 2018 Trace: 346795 : Timeout error - failed to connect.

Conditions:
- WSA running any 10.x version
- OCSP feature enabled or disabled, with "Use upstream proxy for OCSP checking" option [within OCSP settings] not enabled
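
The log excerpt under Symptom shows the signature of this bug: an intermediate-certificate chase that connects directly to the AIA host and then times out. The following is an added example (not Cisco code and not part of the original bug report) that scans log text in that format for the same pattern; the function name and the lines for transaction 346801 are constructed for illustration.

```python
import re
from collections import defaultdict

# Lines for ID 346795 are the excerpt from the Symptom section; the three
# lines for ID 346801 are constructed (same formats, no timeout follows).
SAMPLE_LOG = """\
Wed Mar 28 10:02:15 2018 Info: 346795 : Got an OCSP query for the server : www.der-roemer-shop.de - (Intermediate Certs chase request)
Wed Mar 28 10:02:15 2018 Debug: Intermediate Certs chase request: URL identified = http://cacerts.thawte.com/ThawteRSACA2018.crt 346795
Wed Mar 28 10:02:15 2018 Trace: 346795 : Connecting directly (cacerts.thawte.com:80)
Wed Mar 28 10:02:20 2018 Debug: Total requests 1, OCSP Cache hits 0, OCSP requests 0, OCSP valid responses 0, OCSP invalid responses  0, Network failures 0, average response time 0
Wed Mar 28 10:02:25 2018 Trace: 346795 : Timeout error - failed to connect.
Wed Mar 28 10:03:01 2018 Info: 346801 : Got an OCSP query for the server : www.example.com - (Intermediate Certs chase request)
Wed Mar 28 10:03:01 2018 Debug: Intermediate Certs chase request: URL identified = http://ca.example.com/intermediate.crt 346801
Wed Mar 28 10:03:01 2018 Trace: 346801 : Connecting directly (ca.example.com:80)
"""

LINE = re.compile(r"^\w{3} \w{3} +\d+ [\d:]+ \d{4} \w+: (.*)$")
LEAD_ID = re.compile(r"^(\d+)\b")                   # most lines: ID leads the message
URL = re.compile(r"URL identified = (\S+) (\d+)$")  # this line: ID trails the URL
SERVER = re.compile(r"Got an OCSP query for the server : (\S+) - \(Intermediate Certs chase request\)")
DIRECT = re.compile(r"Connecting directly \(([^)]+)\)")
TIMEOUT = "Timeout error - failed to connect"

def find_direct_aia_timeouts(log_text):
    """Return {transaction_id: details} for AIA chases that bypassed the
    upstream proxy ("Connecting directly") and then timed out."""
    txns = defaultdict(dict)
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue
        msg = line.group(1)
        url = URL.search(msg)
        if url:
            txns[url.group(2)]["aia_url"] = url.group(1)
            continue
        lead = LEAD_ID.match(msg)
        if not lead:
            continue  # e.g. the counters line carries no transaction ID
        txn = txns[lead.group(1)]
        for key, rx in (("server", SERVER), ("direct_to", DIRECT)):
            hit = rx.search(msg)
            if hit:
                txn[key] = hit.group(1)
        if TIMEOUT in msg:
            txn["timed_out"] = True
    needed = {"server", "direct_to", "timed_out"}
    return {tid: t for tid, t in txns.items() if needed <= t.keys()}
```

Each returned entry names the HTTPS site whose chain was being completed and the AIA host the appliance tried to reach directly, which is the list of destinations to compare against the upstream proxy and firewall policy.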