Re: DO NOT USE RSA-SIG on asa802-k8.bin

From: Sadiq Yakasai <sadiqtanko_at_gmail.com>
Date: Fri, 1 May 2009 20:48:40 +0100

Right, I have some good news for anyone interested in this one:

After digging up some information, this is what's going on:

As of ASA Release 8.0.2 for IPsec (8.0.3.4 for SSL) connections, if the
KeyUsage extension is present, it must have the Digital Signature bit set.

Option 1: If the ExtendedKeyUsage extension is present it must contain
one of the following for IPsec:
* id-kp-clientAuth 1.3.6.1.5.5.7.3.2
* id-kp-ipsecEndSystem 1.3.6.1.5.5.7.3.5
* id-kp-ipsecTunnel 1.3.6.1.5.5.7.3.6
* id-kp-ipsecUser 1.3.6.1.5.5.7.3.7

Option 2: You can disable the check in the trustpoint configuration with the
following (the default is "no ignore-ipsec-keyusage" and
"no ignore-ssl-keyusage"):
  crypto ca trustpoint <trustpointname>
    ignore-ipsec-keyusage
    ignore-ssl-keyusage

Since the new Lab exam has version 8.x on it, this is one that folks would like
to keep an eye out for, I guess.

HTH a little,
Sadiq

On Thu, Apr 30, 2009 at 6:12 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:

> Just to let you guys know... do not use this version of code on the
> ASA5510 with L2L VPN config with RSA-SIG!! It would keep telling you on the
> debugs that:
>
> %ASA-7-717025: Validating certificate chain containing 1 certificate(s).
> %ASA-7-717029: Identified client certificate within certificate chain.
> serial number: 1FF247D7000000000110, subject name: hostname=R5.ccie.com.
> %ASA-7-717030: Found a suitable trustpoint CCIECA to validate certificate.
> %ASA-3-717009: Certificate validation failed. Peer certificate key usage is
> invalid, serial number: 1FF247D7000000000110, subject name: hostname=R5.ccie.com.
> %ASA-3-717027: Certificate chain failed validation. Certificate chain is
> either invalid or not authorized.
> %ASA-5-713904: Group = R5.ccie.com, IP = 150.1.5.5,
> Peer Certificate authentication failed: General Error
>
> This is all when you have EVERYTHING configured absolutely correct! All I
> did was downgrade the appliance to 7.2(4) and it works!
>
> Does anyone know what's going on here? :-)
>
> --
> CCIE #19963
>

-- 
CCIE #19963
Blogs and organic groups at http://www.ccie.net
Received on Fri May 01 2009 - 20:48:40 ART

This archive was generated by hypermail 2.2.0 : Mon Jun 01 2009 - 07:04:41 ART