Zatím SHA256 není podporované ... respektive je zde chybka.
V každém případě, ověřování certifikátů s SHA256 selhává.
Avoiding SHA 2 Certificate Validation Failure (CSCtn59317)
The AnyConnect client relies on the Windows Cryptographic Service Provider (CSP) of the certificate for hashing and signing of data required during the IKEv2 authentication phase of the IPsec/IKEv2 VPN connection. If the CSP does not support SHA 2 algorithms, and the ASA is configured for the pseudo-random function (PRF) SHA256, SHA384, or SHA512, and the connection profile (tunnel-group) is configured for certificate or certificate and AAA authentication, certificate authentication fails. The user receives the message Certificate Validation Failure.
This failure occurs for Windows only, for certificates that belong to CSPs that do not support SHA 2-type algorithms. Other supported OSs do not experience this problem.
To avoid this problem you can configure the PRF in the IKEv2 policy on the ASA to md5 or sha (SHA 1). Alternatively, you can modify the certificate CSP value to native CSPs that work such as Microsoft Enhanced RSA and AES Cryptographic Provider. Do not apply this workaround to SmartCards certificates. You cannot change the CSP names. Instead, contact the SmartCard provider for an updated CSP that supports SHA 2 algorithms.
![]() Caution |
Performing the following workaround actions could corrupt the user certificate if you perform them incorrectly. Use extra caution when specifying changes to the certificate.
|
You can use the Microsoft Certutil.exe utility to modify the certificate CSP values. Certutil is a command-line utility for managing a Windows CA, and is available in the Microsoft Windows Server 2003 Administration Tools Pack. You can download the Tools Pack at this URL:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3&displaylang=en
- View the certificates in the user store along with their current CSP value using the following command:certutil -store -user MyThe following example shows the certificate contents displayed by this command:
================ Certificate 0 ================ Serial Number: 3b3be91200020000854b Issuer: CN=cert-issuer, OU=Boston Sales, O=Example Company, L=San Jose, S=CA, C=US, E=csmith@example.com NotBefore: 2/16/2011 10:18 AM NotAfter: 5/20/2024 8:34 AM Subject: CN=Carol Smith, OU=Sales Department, O=Example Company, L=San Jose, S=C A, C=US, E=csmith@example.com Non-root Certificate Template: Cert Hash(sha1): 86 27 37 1b e6 77 5f aa 8e ad e6 20 a3 14 73 b4 ee 7f 89 26 Key Container = {F62E9BE8-B32F-4700-9199-67CCC86455FB} Unique container name: 46ab1403b52c6305cb226edd5276360f_c50140b9-ffef-4600-ada 6-d09eb97a30f1 Provider = Microsoft Enhanced RSA and AES Cryptographic Provider Signature test passed
Celý článek:
Release Notes for Cisco AnyConnect Secure Mobility Client, Release 4.2
Žádné komentáře:
Okomentovat