Cisco Bug: CSCvt93142 - ASA should allow null sequence encoding in certificates for client authentication.
Sep 11, 2020
- Cisco ASA 5500-X Series Firewalls
Known Affected Releases
Symptom: ASA rejecting the client authentication certificate presented by an AnyConnect user. The ASA is rejecting the "certificate policies" extension. The certificate policies extension is a list of policy information objects, where each object contains:
- an OID, and
- optional policy qualifier information.
The customer's certificate policies extension contains 2 policy information entries. One of the entries doesn't have qualifier information but includes a null sequence encoding in its place. It is this null sequence that the ASA objects to. This is a case where the ASA's ASN.1 decoder may be technically correct in not allowing this encoding, but the encoding is tolerated by other common implementations, including CiscoSSL.
Conditions: ASA configured for certificate-based authentication.
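The following is an added example, not Cisco's code, to illustrate the decoder behaviour described above. It is a minimal DER parser for the certificatePolicies extension value (RFC 5280 section 4.2.1.4) with a strict mode that rejects an empty policyQualifiers SEQUENCE and a tolerant mode that accepts it. It assumes the bug's "null sequence" means an empty SEQUENCE (DER bytes 30 00); the sample DER bytes are constructed.

```python
# Added example (not Cisco's code). Parses the certificatePolicies extension
# value. RFC 5280 defines policyQualifiers as SEQUENCE SIZE (1..MAX) OF
# PolicyQualifierInfo OPTIONAL, so a conforming encoder omits the field
# rather than emitting an empty SEQUENCE (30 00). The sample bytes below
# are constructed for this example.

def _tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_bytes, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val

def _oid(value):
    """Decode a DER OBJECT IDENTIFIER payload to dotted form."""
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def parse_certificate_policies(der, strict=True):
    """Return [(policy_oid, qualifier_count), ...].

    strict=True rejects an empty policyQualifiers SEQUENCE (the ASA
    behaviour in this bug); strict=False tolerates it (CiscoSSL-like).
    """
    tag, body, _ = _tlv(der, 0)
    assert tag == 0x30, "certificatePolicies must be a SEQUENCE"
    policies = []
    for tag, info in _children(body):
        assert tag == 0x30, "PolicyInformation must be a SEQUENCE"
        fields = list(_children(info))
        assert fields[0][0] == 0x06, "policyIdentifier must be an OID"
        oid, qualifiers = _oid(fields[0][1]), 0
        if len(fields) > 1:                 # policyQualifiers present
            qualifiers = sum(1 for _ in _children(fields[1][1]))
            if strict and qualifiers == 0:
                raise ValueError(f"policy {oid}: empty policyQualifiers SEQUENCE")
        policies.append((oid, qualifiers))
    return policies

# Constructed sample with two PolicyInformation entries: the first carries an
# empty qualifier SEQUENCE (30 00); the second carries one CPS URI qualifier.
SAMPLE_EMPTY_QUALIFIERS = bytes.fromhex(
    "3027" "300a" "06062b0601040101" "3000"
    "3019" "0604551d2000" "3011" "300f" "06082b06010505070201" "1603637073")
# Same first policy encoded correctly: policyQualifiers simply omitted.
SAMPLE_OMITTED_QUALIFIERS = bytes.fromhex("300a" "3008" "06062b0601040101")
```

Run with `strict=False` to see the tolerant result; the strict parse of the first sample raises, while the correctly encoded second sample passes in both modes.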