In some tests with a Cisco router and a Switch VPN3000, making a VPN from a client using the Cisco VPN Client with certificate authentication, we saw that both Cisco devices (router or VPN3000) fail when they try to get the CRL from the web server. All communications are OK; Cisco prints the following messages:
When a client tried to authenticate on the VPN3000:
Requesting CRL using HTTP. The HTTP URL is:
.
CAPI - RSA PKCS1 payload to be decrypted is not in PKCS1 format, bad block type = [0x6e][0xa6]
.
Certificate validation failure, Invalid CRL signature
and in a test with a Cisco router we get a similar problem:
failed to set crl ber
The problem is that Cisco only supports an integer in the crlNumber field whose maximum value is 65535 (0xFFFF); a greater number produces an error. But RFC 2459 indicates this value may be much greater (20 bytes of representation against the 2 bytes used by Cisco).
Does someone know of a release of IOS that corrects this problem?
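As an added example (not part of the original post), the following Python decodes the DER INTEGER that carries a CRL's crlNumber and reports whether the value fits the 16-bit range the post says Cisco accepts, and whether its encoding stays within the 20-octet bound RFC 2459 places on crlNumber. The function names, the inclusive 0xFFFF limit and the sample values are assumptions for illustration.

```python
# Added example: check a CRL's crlNumber against the limits discussed above.
# CISCO_MAX_CRLNUMBER is the value the post reports as the Cisco maximum
# (assumed inclusive); RFC2459_MAX_OCTETS is the bound from RFC 2459.
from typing import Dict, Tuple

CISCO_MAX_CRLNUMBER = 0xFFFF
RFC2459_MAX_OCTETS = 20


def decode_der_integer(der: bytes) -> Tuple[int, int]:
    """Decode a DER INTEGER (tag 0x02, short-form length).

    Returns (value, number_of_content_octets). Rejects non-minimal
    encodings, which DER forbids and which some parsers choke on.
    """
    if len(der) < 2 or der[0] != 0x02:
        raise ValueError("not a DER INTEGER")
    length = der[1]
    if length & 0x80:
        raise ValueError("long-form length not expected for crlNumber")
    content = der[2:2 + length]
    if length == 0 or len(content) != length:
        raise ValueError("truncated INTEGER")
    # A leading 0x00 is only allowed when the next octet has its high bit set.
    if length > 1 and content[0] == 0x00 and not (content[1] & 0x80):
        raise ValueError("non-minimal INTEGER encoding")
    return int.from_bytes(content, "big", signed=True), length


def encode_der_integer(value: int) -> bytes:
    """Minimal DER encoding of a non-negative INTEGER (e.g. a crlNumber)."""
    if value < 0:
        raise ValueError("crlNumber must be non-negative")
    octets = value.bit_length() // 8 + 1  # +1 keeps room for the sign bit
    content = value.to_bytes(octets, "big", signed=True)
    return b"\x02" + bytes([len(content)]) + content


def check_crlnumber(der: bytes) -> Dict[str, object]:
    """Report the decoded crlNumber and whether it fits each limit."""
    value, octets = decode_der_integer(der)
    return {
        "value": value,
        "octets": octets,
        "rfc2459_ok": value >= 0 and octets <= RFC2459_MAX_OCTETS,
        "cisco_ok": value <= CISCO_MAX_CRLNUMBER,
    }


if __name__ == "__main__":
    # Constructed sample crlNumbers: one inside the Cisco range, one just past it.
    for sample in (65535, 65536):
        print(sample, check_crlnumber(encode_der_integer(sample)))
```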