Cisco Bug: CSCvt93142 - ASA should allow null sequence encoding in certificates for client authentication.

Last Modified

Sep 11, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases


Description (partial)

ASA rejecting the client authentication certificate presented by an AnyConnect user.

The ASA is rejecting the "certificate policies" extension.
The certificate policies extension is a list of policy information objects, where each object contains:
- an OID, and
- optional policy qualifier information.
The customer's certificate policies extension contains 2 policy information entries. One of the entries doesn't have qualifier information but includes a null (empty) sequence encoding in its place. It is this null sequence that the ASA objects to.
This is a case where the ASA's ASN.1 decoder may be technically correct in not allowing this encoding, but the encoding is tolerated by other common implementations, including CiscoSSL.
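The following is an added example, not Cisco's code and not taken from this bug record. It is a minimal DER walker for the certificatePolicies extension value that distinguishes the three shapes the policyQualifiers field can take: absent (the field is OPTIONAL in RFC 5280), present with one or more entries, or present as an empty SEQUENCE, which is the encoding described above. RFC 5280 declares policyQualifiers as SEQUENCE SIZE (1..MAX), so an empty SEQUENCE violates the size constraint; `strict=True` models a decoder that rejects it (the ASA behaviour in this bug), the default models a tolerant decoder. The two sample extension values, the policy OID 1.2.3.4 and the IA5String qualifier text are constructed for the example.

```python
"""Added example: parse an X.509 certificatePolicies extension value (DER).

Models a strict decoder (rejects an empty policyQualifiers SEQUENCE, as
the ASA in this bug does) and a tolerant one (accepts it, as CiscoSSL and
other common implementations do).  Not Cisco's code.
"""
from typing import List, Optional, Tuple

SEQUENCE, OID, IA5STRING = 0x30, 0x06, 0x16


def der(tag: int, content: bytes) -> bytes:
    """Encode one TLV (short-form length only; enough for the samples)."""
    assert len(content) < 0x80, "sample helper supports short-form lengths only"
    return bytes([tag, len(content)]) + content


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV at buf[pos]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER: expected tag and length")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length octets")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
        if length < 0x80:
            raise ValueError("non-minimal DER length")
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Decode OID content octets (base-128 arcs) to dotted-decimal form."""
    if not value or value[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    arcs, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first = arcs[0]  # first two arcs are packed into one value
    lead = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in lead + arcs[1:])


def parse_certificate_policies(ext_value: bytes, strict: bool = False) -> List[dict]:
    """Return one dict per PolicyInformation: oid, qualifiers, empty_qualifier_sequence."""
    tag, body, end = read_tlv(ext_value, 0)
    if tag != SEQUENCE or end != len(ext_value):
        raise ValueError("certificatePolicies must be a single SEQUENCE")
    policies, pos = [], 0
    while pos < len(body):
        tag, info, pos = read_tlv(body, pos)
        if tag != SEQUENCE:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        tag, oid_bytes, p = read_tlv(info, 0)
        if tag != OID:
            raise ValueError("policyIdentifier must be an OID")
        entry = {"oid": decode_oid(oid_bytes), "qualifiers": None,
                 "empty_qualifier_sequence": False}
        if p < len(info):  # OPTIONAL policyQualifiers is present
            tag, quals, p = read_tlv(info, p)
            if tag != SEQUENCE or p != len(info):
                raise ValueError("policyQualifiers must be the trailing SEQUENCE")
            if not quals:
                # The encoding from the bug report: SEQUENCE with zero elements.
                if strict:
                    raise ValueError("policyQualifiers SIZE (1..MAX) violated: empty SEQUENCE")
                entry["empty_qualifier_sequence"], entry["qualifiers"] = True, []
            else:
                qualifier_ids, qp = [], 0
                while qp < len(quals):
                    tag, qinfo, qp = read_tlv(quals, qp)
                    if tag != SEQUENCE:
                        raise ValueError("PolicyQualifierInfo must be a SEQUENCE")
                    tag, qoid, _ = read_tlv(qinfo, 0)
                    if tag != OID:
                        raise ValueError("policyQualifierId must be an OID")
                    qualifier_ids.append(decode_oid(qoid))
                entry["qualifiers"] = qualifier_ids
        policies.append(entry)
    if not policies:
        raise ValueError("certificatePolicies must contain at least one entry")
    return policies


# Constructed sample values (not from the customer's certificate).
ANY_POLICY = der(OID, bytes([0x55, 0x1D, 0x20, 0x00]))           # 2.5.29.32.0
CUSTOM_POLICY = der(OID, bytes([0x2A, 0x03, 0x04]))              # 1.2.3.4 (made up)
ID_QT_CPS = der(OID, bytes([0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x01]))
CPS_QUALIFIER = der(SEQUENCE, der(SEQUENCE, ID_QT_CPS + der(IA5STRING, b"cps")))
WITH_QUALIFIER = der(SEQUENCE, CUSTOM_POLICY + CPS_QUALIFIER)
# Strict RFC 5280 form: qualifiers simply omitted.
STRICT_SAMPLE = der(SEQUENCE, der(SEQUENCE, ANY_POLICY) + WITH_QUALIFIER)
# Lenient form from the bug: an empty SEQUENCE (30 00) in place of the qualifiers.
LENIENT_SAMPLE = der(SEQUENCE, der(SEQUENCE, ANY_POLICY + der(SEQUENCE, b"")) + WITH_QUALIFIER)

if __name__ == "__main__":
    for name, sample in (("strict", STRICT_SAMPLE), ("lenient", LENIENT_SAMPLE)):
        print(name, sample.hex(), parse_certificate_policies(sample))
    try:
        parse_certificate_policies(LENIENT_SAMPLE, strict=True)
    except ValueError as e:
        print("strict decoder rejects lenient sample:", e)
```

Running the block prints both sample encodings and shows that only the tolerant mode accepts the second one; the `empty_qualifier_sequence` flag lets a validator log the deviation (useful when diagnosing exactly this kind of interoperability failure) while still completing the certificate check.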

ASA configured for certificate based authentication.
Bug details contain sensitive information and therefore require an account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.