pátek 5. února 2016

CISCO AnyConnect a SHA 256 zatím spolu NEkamarádí

V případě, že používáte VPN AnyConnect od firmy CISCO a rozhodujete se přejít na SHA256, tak koukněte na následující článek.

Zatím SHA256 není podporované ... respektive je zde chybka.

V každém případě, ověřování certifikátů s SHA256 selhává.

Avoiding SHA 2 Certificate Validation Failure (CSCtn59317)

The AnyConnect client relies on the Windows Cryptographic Service Provider (CSP) of the certificate for hashing and signing of data required during the IKEv2 authentication phase of the IPsec/IKEv2 VPN connection. If the CSP does not support SHA 2 algorithms, and the ASA is configured for the pseudo-random function (PRF) SHA256, SHA384, or SHA512, and the connection profile (tunnel-group) is configured for certificate or certificate and AAA authentication, certificate authentication fails. The user receives the message Certificate Validation Failure.
This failure occurs for Windows only, for certificates that belong to CSPs that do not support SHA 2-type algorithms. Other supported OSs do not experience this problem.
To avoid this problem you can configure the PRF in the IKEv2 policy on the ASA to md5 or sha (SHA 1). Alternatively, you can modify the certificate CSP value to native CSPs that work such as Microsoft Enhanced RSA and AES Cryptographic Provider. Do not apply this workaround to SmartCards certificates. You cannot change the CSP names. Instead, contact the SmartCard provider for an updated CSP that supports SHA 2 algorithms.


Performing the following workaround actions could corrupt the user certificate if you perform them incorrectly. Use extra caution when specifying changes to the certificate.

You can use the Microsoft Certutil.exe utility to modify the certificate CSP values. Certutil is a command-line utility for managing a Windows CA, and is available in the Microsoft Windows Server 2003 Administration Tools Pack. You can download the Tools Pack at this URL:
Follow this procedure to run Certutil.exe and change the Certificate CSP values:
  1. Open a command window on the endpoint computer.
  2. View the certificates in the user store along with their current CSP value using the following command:certutil -store -user My
    The following example shows the certificate contents displayed by this command:
    ================ Certificate 0 ================
    Serial Number: 3b3be91200020000854b
    Issuer: CN=cert-issuer, OU=Boston Sales, O=Example Company, L=San Jose,
    S=CA, C=US, E=csmith@example.com
    NotBefore: 2/16/2011 10:18 AM
    NotAfter: 5/20/2024 8:34 AM
    Subject: CN=Carol Smith, OU=Sales Department, O=Example Company, L=San Jose, S=C
    A, C=US, E=csmith@example.com
    Non-root Certificate
    Cert Hash(sha1): 86 27 37 1b e6 77 5f aa 8e ad e6 20 a3 14 73 b4 ee 7f 89 26
      Key Container = {F62E9BE8-B32F-4700-9199-67CCC86455FB}
      Unique container name: 46ab1403b52c6305cb226edd5276360f_c50140b9-ffef-4600-ada
      Provider = Microsoft Enhanced RSA and AES Cryptographic Provider
    Signature test passed
  3. Identify the <CN> attribute in the certificate. In the example, the CN is Carol Smith. You need this information for the next step.
  4. Modify the certificate CSP using the following command. The example below uses the subject <CN> value to select the certificate to modify. You can also use other attributes. 
    On Windows 7 or later, use this command: certutil -csp "Microsoft Enhanced RSA and AES Cryptographic Provider" -f -repairstore -user My <CN> carol smith
  5. Repeat step 2 and verify the new CSP value appears for the certificate.

Celý článek:
Release Notes for Cisco AnyConnect Secure Mobility Client, Release 4.2

Žádné komentáře: