Guest

Preview Tool

Cisco Bug: CSCvt93142 - ASA should allow null sequence encoding in certificates for client authentication.

Last Modified

Sep 11, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.12(2.4)

Description (partial)

Symptom:
Asa rejecting client auth certificate presented by anyconnect user.

The ASA is rejecting the ?certificate policies? extension.
The certificate polices extension is a list of policy information objects, where each object contains:
- an OID, and
- optional policy qualifier information.
The customer’s certificate policies extension contains 2 policy information entries. One of the entries doesn’t have qualifier information but includes a null sequence encoding in in its place It is this null sequence that the ASA objects to.
This is a case where the ASAs ASN.1 decoder may be technically correct by not allowing this encoding, but it is tolerated by other common implementations including CiscoSSL.

Conditions:
ASA configured for certificate based authentication.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.