Cisco Bug: CSCvu24606 - ENH: Change default of "revocation-check" to "ocsp crl"

Last Modified

Oct 09, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.13(1.235)

Description (partial)

Symptom:
This is an enhancement request to increase the baseline security of PKI related functions.

Currently the default of the "revocation-check" command within the "crypto ca trustpoint" sub-configuration mode is "none". This means that, by default, the ASA does not validate any revocation information about a certificate it verifies. This is no longer an acceptable default, and the default value should be changed to:

 - Check OCSP, if not available then check CRL, if not available then fail verification

Conditions:
PKI is used to validate client certificates
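As an added defensive check that is not part of the Cisco bug text, the following Python audit walks a saved ASA running-config and flags every trustpoint that can still accept a certificate without revocation data: an explicit "revocation-check none", the implicit default when the command is absent, or a method list that ends in "none" (fail open). The config sample and trustpoint names are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample of "show running-config" output; not a real device dump.
SAMPLE_CONFIG = """\
hostname asa-edge
crypto ca trustpoint CLIENT-CA
 enrollment terminal
 revocation-check none
 crl configure
crypto ca trustpoint VPN-USERS
 enrollment terminal
 revocation-check ocsp crl
 ocsp url http://ocsp.example.internal
crypto ca trustpoint LEGACY-CA
 enrollment terminal
 subject-name CN=legacy
crypto ca trustpoint CRL-ONLY
 revocation-check crl none
"""

TRUSTPOINT_RE = re.compile(r"^crypto ca trustpoint (\S+)\s*$")


def parse_trustpoints(config: str) -> Dict[str, List[str]]:
    """Group the indented sub-mode lines under each 'crypto ca trustpoint' block."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        m = TRUSTPOINT_RE.match(line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # any top-level command ends the sub-mode
    return blocks


def revocation_methods(sub_lines: List[str]) -> List[str]:
    """Ordered method list; a missing command means the ASA default, 'none'."""
    for cmd in sub_lines:
        if cmd.startswith("revocation-check "):
            return cmd.split()[1:]
    return ["none"]


def find_weak_trustpoints(config: str) -> Dict[str, str]:
    """Map each trustpoint that can pass a cert with no revocation data to a reason."""
    findings: Dict[str, str] = {}
    for name, sub in parse_trustpoints(config).items():
        methods = revocation_methods(sub)
        if methods == ["none"]:
            findings[name] = "no revocation checking (default or explicit 'none')"
        elif "none" in methods:
            real = "/".join(m for m in methods if m != "none")
            findings[name] = f"falls back to 'none' when {real} is unavailable"
    return findings
```

Run it against a config export and treat every reported trustpoint as a candidate for "revocation-check ocsp crl" plus a reachable OCSP URL or CRL distribution point.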