Cisco Bug: CSCvu24606 - ENH: Change default of "revocation-check" to "ocsp crl"
Oct 09, 2020
- Cisco ASA 5500-X Series Firewalls
Known Affected Releases
Symptom: This is an enhancement request to increase the baseline security of PKI-related functions. Currently the default of the "revocation-check" command within the "crypto ca trustpoint" sub-configuration mode is "none". This means the ASA does not validate any revocation information about a certificate by default. This is no longer an acceptable default, and the default value should be changed to:
- Check OCSP; if not available, check CRL; if not available, fail verification.

Conditions: PKI is used to validate client certificates.
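As an added illustration (not part of the Cisco bug record), here is the trustpoint configuration with today's default beside the behaviour this request asks for. The trustpoint name CLIENT-CA and the OCSP responder URL are placeholders, and the ocsp url line is an assumption about how a responder would be supplied; the bug record itself only names the revocation-check command and its values.

```text
! Added example, not from the bug record. CLIENT-CA and the OCSP URL are placeholders.
!
! Current behaviour in affected releases: "none" is the default, so a client
! certificate is accepted without any revocation lookup.
crypto ca trustpoint CLIENT-CA
 enrollment terminal
 revocation-check none
!
! Requested default, which operators must set explicitly today: query OCSP first,
! fall back to the CRL if the responder is unreachable, and fail verification if
! neither source can be consulted. (Responder URL below is a placeholder.)
crypto ca trustpoint CLIENT-CA
 enrollment terminal
 ocsp url http://ocsp.example.test/
 revocation-check ocsp crl
!
! Confirm the effective setting on each trustpoint:
! show crypto ca trustpoints
```

Because the shipped default is still "none" on the affected releases, the hardened value has to be applied to every trustpoint that validates client certificates; a trustpoint left at its default silently skips revocation checking.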