DOT1X certificate validation

Hi
I have a little challenge with some Dot1X and the machine certificate.
My case is, I have several locations with the same VLAN 10 for data and the same VLAN 20 for voice, and a VLAN for the guests,
and now I have to enable and use dot1x for the wired ports, and if the machine doesn't have our certificate on it, it shall fall down to the guest network VLAN 30.
Anybody there has a couple of links or guides on how to get started?
I have ACS, internal Microsoft Certificate server.
I have read
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a18.shtml?referring_site=smartnavRD
and
http://www.cisco.com/en/US/customer/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml
but just miss the golden hit.
Anybody there can point me?
regards
Jan

More of a switching question than wireless. But take a look here. This is for the 6500, but most modern switches should support the feature.
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dot1x.html#wp1134337
HTH,
Steve
Please remember to rate useful posts, and mark questions as answered

Similar Messages

  • Cisco AP disable PEAP server certificate validation

    Hi,
    My question is if it is possible on Cisco 1600 APs to disable the server certificate validation on a dot1x PEAP authentication method (please provide the appropriate CLI, if any).
    I know that in PEAP, for a PEAP user implementation, you want to validate the server, as this is PEAP phase 1.
    But we want to use PEAP only as machine authentication, where I don't care about the validation of the server. Hence, like in Windows, you have a check box so you can disable the validation of it.
    Thanks in advance,
    Kind regards,
    Michel

    Not really, let me explain the topology:
    we want to enable 802.1x on the network switches and let the Cisco AP authenticate itself (PEAP-MSCHAPv2) on the switch via 802.1x. Therefore we specify the following config on the AP:
    eap profile PEAP
    method peap
    dot1x credentials test
    username
    password xxxxxx
    interface GigabitEthernet0
    dot1x pae supplicant
    dot1x credentials test
    dot1x supplicant eap profile PEAP
    The question is: is there a possibility to disable the server certificate validation (like in Windows), because we want to verify the AP, and yes, I know for a PEAP-user implementation it is good practice to validate the server certificate.
    Kind regards,
    Michel

  • Any way to bypass server certificate validation in AIR client?

    Is there any way to bypass certificate validation and server identification for secure Channels or ChannelSets? I am aware of the existing workaround to import my own certificate into the user's CA chain, but I feel that having greater control on the client-side is preferred.
    If there is not a way to bypass client-side certificate validation I will be filing this as a feature request at http://bugs.adobe.com
    Thanks,
    Karl
    When producing a client-server solution it is occasionally useful to override the default behavior of HTTPS certificate validation and server identification. I would like to request the ability to override these systems in the AIR environment for applications installed with the "UNRESTRICTED" system access option.
    Simply allowing the use of self-signed certificates without verification (perhaps signified by a secure protocol identifier other than "https") would provide adequate functionality, but some users may desire finer control.
    This issue is partly addressed by bugs FP-711 and FP-214 but I feel it is important that any enhancement include the BlazeDS Channel in the case that the AIR application has unrestricted system access.
    When deploying an AIR client application which is securely connected to a network appliance which is controlled by the same developer it is desirable to bypass the overhead of acquiring a PKI issued certificate for every customer. Independent, open-source, and not-for-profit developers could see increased ability to adopt the AIR platform with this improvement.
    When deploying a network appliance to be used with an AIR application the requirement for a PKI issued certificate complicates the deployment of the network appliance by requiring DNS access, and thereby requiring Internet connectivity. Some customer sites require network isolation.
    It is possible to generate a developer-specific certificate and import that certificate into the AIR client host's Trusted Root Certification Authorities list. This workaround deteriorates PKI best practices and complicates the installation of AIR software. It is not possible to depend solely on the ".air" packaging for installation with the added requirement to install a new CA on the user's host.
    Java provides the requested functionality by allowing developers to provide their own implementations of javax.net.ssl.TrustManager for verification and javax.net.ssl.HostnameVerifier for identification. We have used this technique to communicate over the SDEE protocol with Cisco IDS devices which do not usually have PKI issued certificates.

    Hi Robert,
    No specific option to control TOP/First features use.
    However other options exist to control IQ resources.
    Eg. Query_temp_sopace_limit, Query_Time, Max_IQ_Threads_Per_Connection, Max_Cartesian_Result.
    Regards,
    Tayeb.

  • A fix for the Mozilla Firefox SSL Certificate Validation Security Weakness vulnerability? This appears to be an issue with not revalidating certificates when loading HTTPS pages from cache.

    We have to close vulnerabilities for PCI & Cybertrust certification. We have upgraded users running Firefox to version 7.0.1 but we are still receiving the message: Mozilla Firefox SSL Certificate Validation Security Weakness. Researching the issue, it appears to be related to certificates not being revalidated when loading HTTPS pages from cache. The bug report I found is:
    Bug 660749 - Firefox doesn't (re)validate certificates when loading a HTTPS page from the cache

    cookies.squite answer is Today at 5:15 PM.
    New profile, same problem.
    We've already established it is not an add-ons problem, but obviously there will be fewer add-ons in this new profile to help exclude.
    Since there are two PC profiles on the PC, I tried the second profile, same problem. Used the RESET FF function on the second PC profile... same thing... even followed the instructions for uninstall & re-install... same problem.
    (3) different virus scanners, no hard core problems.
    Suspect I have something in Windows setup that no one else is using?

  • Getting error while exporting certificate to OIF Certificate Validation

    Hi All,
    Currently I am working with Oracle Identity Federation 10.1.4.0.1. I am facing one problem while exporting a certificate to Certificate Validation; the error I am getting after importing the certificate at the console is:
    ERROR - oracle.security.crypto.asn1.ASN1FormatException: Got tag 0 instead of 16.
    Write failed: Broken pipe
    But it doesn't display any error in the webpage after exporting the certificate.
    Any help in this regard is really appreciated.
    Thanks,
    Iceman
    Edited by: OIF version included

    If the certificate is in text PEM format, please ensure that the actual certificate content is enclosed within:
    -----BEGIN CERTIFICATE-----
    MII................
    -----END CERTIFICATE-----
    That's all. It should also not have the certificate in text. Just the content within those lines.
    Hope this helps.
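The framing check described in this answer, as an added example (not the poster's code and not part of Oracle Identity Federation): it pulls the base64 payload from between the BEGIN/END markers, decodes it, and confirms the outermost ASN.1 element is a SEQUENCE (tag number 16, first byte 0x30), which is exactly what the "Got tag 0 instead of 16" error is complaining about. The sample PEM blocks are constructed here and are not real certificates.

```python
import base64
import re

BEGIN_MARKER = "-----BEGIN CERTIFICATE-----"
END_MARKER = "-----END CERTIFICATE-----"
SEQUENCE_TAG = 16  # ASN.1 universal tag number for SEQUENCE (0x30 as the first DER byte)


def extract_pem_body(text):
    """Return the base64 payload between the BEGIN/END markers.

    Anything outside the markers (for example a human-readable dump of the
    certificate that some tools print above the PEM block) is ignored.
    Raises ValueError if the markers are missing or out of order.
    """
    start = text.find(BEGIN_MARKER)
    end = text.find(END_MARKER)
    if start < 0 or end < 0 or end < start:
        raise ValueError("PEM markers missing or out of order")
    body = text[start + len(BEGIN_MARKER):end]
    return re.sub(r"\s+", "", body)


def der_first_tag(der):
    """Return the tag number of the outermost ASN.1 element (low 5 bits of byte 0)."""
    if not der:
        raise ValueError("empty DER")
    return der[0] & 0x1F


def validate_pem_certificate(text):
    """Check PEM framing and that the DER payload starts with a SEQUENCE.

    Returns (True, message) when the block looks like a certificate and
    (False, reason) otherwise; the reason mirrors what an ASN.1 decoder
    would report (expected tag 16, got something else).
    """
    try:
        body = extract_pem_body(text)
    except ValueError as exc:
        return False, str(exc)
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False, "body between the markers is not valid base64"
    try:
        tag = der_first_tag(der)
    except ValueError as exc:
        return False, str(exc)
    if tag != SEQUENCE_TAG:
        return False, "got tag %d instead of %d (not a DER certificate)" % (tag, SEQUENCE_TAG)
    return True, "outer element is a SEQUENCE (tag 16); framing looks correct"


# Constructed samples (not real certificates): a minimal DER SEQUENCE { INTEGER 5 } wrapped in PEM.
_SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
GOOD_PEM = BEGIN_MARKER + "\n" + base64.b64encode(_SAMPLE_DER).decode() + "\n" + END_MARKER + "\n"
# The same block preceded by a textual dump, which must be ignored rather than decoded.
GOOD_WITH_TEXT = "Certificate:\n    Subject: CN=example (constructed)\n" + GOOD_PEM
# A block whose payload starts with a zero byte, reproducing "got tag 0 instead of 16".
BAD_TAG_PEM = BEGIN_MARKER + "\n" + base64.b64encode(b"\x00\x01\x02").decode() + "\n" + END_MARKER
# A textual dump with no markers at all.
NO_MARKERS = "Certificate:\n    Subject: CN=example (constructed)\n"

if __name__ == "__main__":
    for label, sample in [("good", GOOD_PEM), ("good+text", GOOD_WITH_TEXT),
                          ("bad tag", BAD_TAG_PEM), ("no markers", NO_MARKERS)]:
        print(label, validate_pem_certificate(sample))
```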

  • ORA-29024: Certificate validation failure when trying to redirect to https

    Hi, I was trying to redirect the page to another https website using utl_http.request.
    I configured an Oracle wallet and imported the certificate, and successfully got the webpage content in sqlplus by
    select utl_http.request('https://<website>', null, '<wallet>', '<wallet password>') from dual,
    but when I try to use the same way in a button process of Apex, the error ORA-29024: Certificate validation failure prompts.
    Anyone know what is wrong with it?
    Thanks
    Vincent Pek

    Hi, sorry, I found that after I rebooted my laptop, it's working now.

  • Unable to check certificate validity online. check...

    Please help me on this... I'm not able to load anything.
    My phone is N73-1.
    Personal details removed by a moderator. We kindly ask you not to share your personal contact details publicly on this forum.

    Nokia Symbian/S60 wrote:
    Unable to check certificate validity online.
    As this could tamper with your security, before you change those settings (or at least after you changed them), please have a look at a detailed explanation …

  • NAC 4.7.2 (OOB VGW)) MAC certificate validation slow

    We have been seeing some odd behavior with certificate validation with MAC OSx devices running the installed agent.
    When a user enters their userid and password they sometimes will get an SSL cert error. If the user clicks on login multiple times they will eventually certify and join the trusted network.
    I did a packet capture of a machine that was experiencing the problem.
    The packet capture showed the MAC making a DNS query for the Verisign server's IP address and the DNS server returns the correct answer. The expected connection to the Verisign server never occurs. (The ssl cert error on the MAC shows up about now.)
    If login is clicked (several times) and you go through the cycle again eventually the connection to the Verisign server is established the certificate is validated and user is placed into the trusted vlan.
    Has anybody else experienced this? Any ideas?

    Faisal,
    I reviewed my work including where I performed my captures. The capture I did initially was between the CAS and the outside world - our routing core.
    I decided to span a port a MAC was connected to and performed another capture.
    Lo and behold, the MAC was actually trying to connect to the Verisign server based on the IP address of the forward DNS lookup sent originally from the MAC.
    I thought about the process and I believe that NAC has to do a reverse lookup on the IP address so that it can compare the server name against the host filter I built to allow the traffic.
    The filter was based on the forward lookup, so it was something like "ends with crl.verisign.com".
    When I did a reverse lookup I discovered most of the servers returned something like "crl.indv10.verisign.com", which of course did not match the filter I had created. Traffic blocked.
    I changed the filter to just "ends with verisign.com" and it worked 95% of the time.
    Why only 95%?
    One of the servers had an IP address that was outside the 199.x.x.172 pattern most of them use and it did not return a name when the reverse lookup occurred. I finally ended up adding that IP address as a filter.
    No problems now.
    Later!
    Bob
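Bob's diagnosis, modelled as an added example (not his configuration and not NAC code): a host filter evaluated against the reverse (PTR) name of the destination, showing why "ends with crl.verisign.com" never matches "crl.indv10.verisign.com", why a host with no PTR record can only be allowed by an IP filter, and why "ends with" should be matched on whole DNS labels rather than as a raw string suffix. The reverse-DNS table uses RFC 5737 documentation addresses and is constructed here, not real Verisign data.

```python
# Constructed reverse-DNS table (documentation addresses, not real resolver data).
REVERSE_DNS = {
    "192.0.2.10": "crl.indv10.verisign.com",
    "192.0.2.11": "crl.indv5.verisign.com",
    "192.0.2.12": None,  # no PTR record, like the server Bob had to allow by IP
}


def reverse_lookup(ip, table=REVERSE_DNS):
    """Return the PTR name for ip, or None when the address has no reverse record."""
    return table.get(ip)


def ends_with(name, suffix):
    """Label-aware 'ends with': 'a.b.example.com' matches 'example.com', 'notexample.com' does not."""
    name = name.lower().rstrip(".")
    suffix = suffix.lower().strip(".")
    return name == suffix or name.endswith("." + suffix)


def evaluate(ip, filters, table=REVERSE_DNS):
    """Decide whether traffic to ip is allowed by an ordered list of filters.

    filters is a list of ("ends_with", domain_suffix) or ("ip", address).
    Returns (allowed, reason) so an operator can see which rule fired, or why none did.
    """
    name = reverse_lookup(ip, table)
    for kind, value in filters:
        if kind == "ip" and ip == value:
            return True, "%s matched IP filter %s" % (ip, value)
        if kind == "ends_with" and name is not None and ends_with(name, value):
            return True, "%s (PTR %s) matched 'ends with %s'" % (ip, name, value)
    if name is None:
        return False, "%s has no PTR record, so no host filter can match; add an IP filter" % ip
    return False, "%s (PTR %s) matched no filter" % (ip, name)


def audit(filters, ips, table=REVERSE_DNS):
    """Return the destinations a filter list would block, with the reason for each."""
    return [(ip, evaluate(ip, filters, table)[1])
            for ip in ips if not evaluate(ip, filters, table)[0]]


if __name__ == "__main__":
    servers = sorted(REVERSE_DNS)
    for rules in ([("ends_with", "crl.verisign.com")],
                  [("ends_with", "verisign.com")],
                  [("ends_with", "verisign.com"), ("ip", "192.0.2.12")]):
        print(rules, "blocks:", audit(rules, servers))
```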

  • Certificate Validity Period Question

    I work for a foster care organization and can't decide on how long we should have our validity period last. These certificates will be used for digitally signing Word docs. The problem I'm running into is we have to keep adopted files for 100 years and
    all other files for 7 years. We are moving all of our files to electronic format but can't decide how to handle the adoption files. Do we put the validity to 100 years? Or shorter? But if it is shorter, then how do we manage when employees leave and then the
    certs become invalid after so and so years. Is it acceptable to have the cert expire but leave the docs published?
    Running Server 2008 R2 and Windows 7

    Hi,
    Based on my research, it is not recommended to configure the certificate validity for too long, because the longer validity period brings the greater risk of the certificate being exposed.
    Another thing is that every Certificate Authority (CA) has its own certificate, so every CA has a built-in expiration date.
    Certificate Services enforces a rule that a CA never issues a certificate to be valid beyond the expiration date of its own certificate.
    Therefore, once the CA's certificate expires, all certificates issued by it become invalid.
    Actually you can just configure an appropriate validity for certificates, not too long or too short; the certificates can be renewed by the CA, and the CA's certificate can also be renewed. As long as Certificate Services are running smoothly, there won't be issues with your document signing.
    Here are some related links below that could be useful to you:
    Renew a Certificate
    http://technet.microsoft.com/en-us/library/cc730605.aspx
    Renewing a certification authority
    http://technet.microsoft.com/en-us/library/cc740209(v=WS.10).aspx
    Certificate Services Best practices
    http://technet.microsoft.com/en-us/library/cc738786(v=WS.10).aspx
    Certificate validity period:
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/b82a18eb-1597-4cfc-bf8d-71360ee91e81/certificate-validity-period?forum=winserversecurity
    I hope this helps.
    Best Regards,
    Amy Wang

  • AnyConnect machine certificate validation error

    Hi,
    I'm trying to get certificate authentication to work for AnyConnect (3.1.02040) using already existing certificates in the machine store (Windows 7 clients).
    I get the choose certificate prompt, but when I choose the correct certificate I just get a "Certificate validation failure" error.
    So I tried and install a certificate from my lab CA - also in the machine store. And that worked as a charm.
    When comparing the logs from DART - I see the following error message from the non-working certificate:
    Date        : 07/25/2014
    Time        : 11:39:02
    Type        : Error
    Source      : acvpnui
    Description : Function: CTransportWinHttp::SendRequest
    File: .\CTransportWinHttp.cpp
    Line: 1146
    Invoked Function: HttpSendRequest
    Return Code: 12186 (0x00002F9A)
    Description: WINDOWS_ERROR_CODE
    After googling I found someone explaining the error code as:
    "This is a WinInet/WinHttp error 12xxx will always be one of these.
    what it means is you don't have the rights to access the private key for this Client certificate."
    Is this correct, and in that case how do I fix the access rights for the certificate?
    Thanks,
    Charlie 

    I've started to look through the certificates again now and stumbled across the "Manage private keys.."-option.
    The working certificate had a SID with read rights besides the system and administrator rights. So I tried just adding read rights for the domain users group to the old certificate, and it just started working!
    Which is weird since it didn't work regardless of running AnyConnect as admin or not. Well well, at least it works. Thanks for taking the time Karthik!

  • Change in certificate validation algorithm in Adobe Reader 10.1.2

    Some experiments I have done with both Adobe Reader 10.1.1 and 10.1.2 show that their implemented algorithm for validating the certificate of a signature is different:
    In all versions of Adobe Reader up to and including 10.1.1 no revocation checking is performed for a certificate marked as a trust anchor.
    In Adobe Reader 10.1.2 revocation checking is performed even if a certificate is marked as a trust anchor.
    Since the latter behaviour is in conflict with international standards for certificate validation (RFC 5280, section 6.1), my questions are:
    Has this shift in the implementation happened intentionally?
    If yes, why?
    /Gregor

    Hi Jagriti,
    sorry, it took some time to prepare things for this answer.
    I have dug a bit deeper in my real world example: It uses a qualified EE certificate issued by a German Trust Center supervised by the German Federal Net Agency (Bundesnetzagentur). What I want to express here: It is not some self-signed anything, but a situation that will happen with almost each qualified EE certificate issued under German law.
    You can find my real world example here, a PDF signed using such a qualified EE certificate (BTW: I cannot find a way to add files to my post, is there really no such mean in Adobe's forums?).
    Additionally I have put together all certificates and CRLs depicted in the following graph into a ZIP-Archive, you can find it here.
    Now, there are some awkward things with the structure of that PKI:
    If you try to find a revocation status for Bundesnetzagentur's OCSP Service, you may get into a loop, since the signer certificate for that OCSP Service has an AIA certificate extension pointing to - well - the Bundesnetzagentur's OCSP Service (but this is not the problem I am facing at the moment - see below).
    If you try to find a revocation status for the CRL issuer of Bundesnetzagentur's indirect CRL, you may face the same problem, since the CRL-DP certificate extension of the CRL issuer's certificate points to - well - the Bundesnetzagentur's indirect CRL (but this is still not the problem I am facing at the moment ;-).
    The CRL-DP certificate extension (in all certificates shown in the graph above and depicted in blue) is missing the cRLIssuer field in the DistributionPoint, which is a MUST according to RFC 5280 if the DistributionPoint refers to an indirect CRL. Yes, and this is my problem at the moment - see below.
    My current settings in Adobe Reader 10.1.2 are the following:
    The Bundesnetzagentur's root certificate 12R-CA1:PN is marked as a trust anchor.
    I am using a custom certificate preference to tell Adobe Reader to accept the OCSP responder signing certificate  TC TrustCenter DIR 39:PN (cAuthorizedResponder set to 1).
    Validation in my Adobe Reader 10.1.2 currently does the following:
    Find a valid path for Test-Signaturdienst:PN ... fine.
    Check revocation status for Test-Signaturdienst:PN ... fine (using the OCSP responder pointed to by the AIA of the certificate).
    Check revocation status for TC TrustCenter DIR39:PN ... fails (using the CRL-DP pointing to the Bundesnetzagentur's indirect CRL).
    My question for the moment: Is there a chance to let Adobe Reader 10.1.2 accept Bundesnetzagentur's indirect CRL although the CRL-DP in TC Trustcenter DIR 39:PN is missing the cRLIssuer field?
    My question for later: Is it an issue inside Adobe to support the validation of documents signed with a qualified certificate issued under German law despite the awkward construction of Bundesnetzagentur's PKI (Germany is a market with 80 million people)?
    Best regards, Gregor

  • Certificate Validity Message

    Hi,
    I'm facing an error while AnyConnect is trying to connect, showing a message about certificate validity (as attached to this post), but it connects successfully.
    I guess something is wrong with the cert I'm using (it's an essential cert).
    Cert Info :
    Type : General
    Usage : general purpose
    Valid To: 30 Dec 2014
    best Regards
    Ali

    Please review the following document:
        AnyConnect Certificate Based Authentication
    Your error is due to lack of proper USER certificate - not server (ASA) certificate. You need to either issue and install a proper user certificate on your client PC or setup the Connection Profile to not use certificate authentication (see step 6 in the linked document).

  • SSL certificate validation date

    Greetings,
    Why is it that on an SSL module, certificate validity dates are different when checking
    "show crypto ca trustpoints" and
    "show ssl-proxy certificate-history"?
    Doesn't the "certificate-history" show the current certificate as well as the previously imported ones?
    Do we refer only to "show crypto ca trustpoints" to track the certificate validity end date?
    SSL001#show crypto ca trustpoints testing123
    Certificate
    Subject:
    Name: testing123
    CN = testing123
    OU = Terms of use at http://www.verisign.com
    O = WWW
    L = WW
    ST = WW
    C = WW
    CRL Distribution Point:
    http://SVRIntl-crl.verisign.com/SVRIntl.crl
    Validity Date:
    start date: 00:00:00 UTC Apr 11 2006
    end date: 23:59:59 UTC Apr 10 2008
    renew date: 00:00:00 UTC Jan 1 1970
    Associated Trustpoints: testing123
    SSL001#show ssl-proxy certificate-history service proxyssl
    Record 132, Timestamp: 3w6d, 21:34:55 UTC May 23 2006
    Installed Service Certificate, Index 131
    Proxy Service: proxyssl, Trust Point: testing123
    Validity Start Time: 15:31:50 UTC Nov 15 2005
    End Time: 15:31:50 UTC Nov 15 2006
    Renew Time: 00:00:00 UTC Jan 1 1970
    Thanks
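An added example (not from the poster or from Cisco) that parses the two validity blocks shown above, normalises the "HH:MM:SS UTC Mon D YYYY" timestamps, and reports whether both commands describe the same certificate, how long each has left relative to a chosen reference time, and whether the epoch-zero "renew date" means the certificate was never renewed. The sample outputs are the ones quoted in the question; the reference time is assumed to be the record timestamp from the certificate-history output.

```python
import re
from datetime import datetime, timezone

CISCO_TIME = "%H:%M:%S UTC %b %d %Y"
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)  # "00:00:00 UTC Jan 1 1970" means never renewed


def parse_cisco_time(text):
    """Parse a timestamp such as '23:59:59 UTC Apr 10 2008' into an aware UTC datetime."""
    return datetime.strptime(text.strip(), CISCO_TIME).replace(tzinfo=timezone.utc)


def _field(output, label):
    """Find 'label: <time>' on its own line in command output and parse the time."""
    pattern = r"^\s*" + re.escape(label) + r":\s*(.+?)\s*$"
    m = re.search(pattern, output, re.MULTILINE)
    if not m:
        raise ValueError("field %r not found" % label)
    return parse_cisco_time(m.group(1))


def parse_trustpoint(output):
    """Validity dates from 'show crypto ca trustpoints' output."""
    return {"start": _field(output, "start date"),
            "end": _field(output, "end date"),
            "renew": _field(output, "renew date")}


def parse_cert_history(output):
    """Validity dates from a 'show ssl-proxy certificate-history' record."""
    return {"start": _field(output, "Validity Start Time"),
            "end": _field(output, "End Time"),
            "renew": _field(output, "Renew Time")}


def compare_validity(trustpoint_out, history_out, now):
    """Compare the two views and compute remaining lifetime as of 'now' (aware UTC)."""
    tp = parse_trustpoint(trustpoint_out)
    hist = parse_cert_history(history_out)
    return {
        "same_certificate": tp["start"] == hist["start"] and tp["end"] == hist["end"],
        "trustpoint_days_left": (tp["end"] - now).days,
        "history_days_left": (hist["end"] - now).days,
        "never_renewed": tp["renew"] == EPOCH and hist["renew"] == EPOCH,
    }


# Sample outputs, copied from the question above (values exactly as quoted there).
TRUSTPOINT_OUTPUT = """
    Validity Date:
    start date: 00:00:00 UTC Apr 11 2006
    end date: 23:59:59 UTC Apr 10 2008
    renew date: 00:00:00 UTC Jan 1 1970
"""
HISTORY_OUTPUT = """
    Record 132, Timestamp: 3w6d, 21:34:55 UTC May 23 2006
    Installed Service Certificate, Index 131
    Validity Start Time: 15:31:50 UTC Nov 15 2005
    End Time: 15:31:50 UTC Nov 15 2006
    Renew Time: 00:00:00 UTC Jan 1 1970
"""
# Assumed reference time: the record timestamp from the history output.
RECORD_TIME = parse_cisco_time("21:34:55 UTC May 23 2006")

if __name__ == "__main__":
    print(compare_validity(TRUSTPOINT_OUTPUT, HISTORY_OUTPUT, RECORD_TIME))
```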

    To authenticate the SSL client, the SSL module verifies the following:
    * The certificate at one level is properly signed by the issuer at the next level.
    * At least one of the issuer certificates in the certificate chain is trusted by the SSL proxy service.
    * None of the certificates in the certificate chain is in the certificate revocation list (CRL) and rejected by any access control list (ACL).
    For verifying the SSL client certificates, the SSL module is configured with a list of trusted certificate authorities (certificate authority pool). The SSL module trusts only the certificates issued by the certificate authorities that you configure in the certificate authority pool.

  • Two error - certificate validation operation took X milliseconds & Alternate access mappings have not been configured

    Dear all,
    I have two questions on my SP2013 Standard (on premise). They are very usual and I can find lots of workarounds and resolutions on the web. But I cannot fix my environment and I am looking for a more detailed explanation if possible.
    At the beginning, I found there are lots of critical error logs in my SP app server every 1-2 minutes:
    A certificate validation operation took X milliseconds and has exceeded the execution time threshold. If this continues to occur, it may represent a configuration issue.
    My system doesn't have Internet access. After some research it happened to be a SharePoint certificate CRL checking issue:
    http://support.microsoft.com/kb/2625048/en-us
    I applied BOTH resolutions but the error is still thrown.
    After more research, it seems SharePoint will keep looking for
    http://crl.microsoft.com. Some discussion suggested adding a HOSTS line "127.0.0.1     crl.microsoft.com". I have added the line and now I see a new warning log:
    Alternate access mappings have not been configured.  Users or services are accessing the site
    http://domain.com with the URL
    http://127.0.0.1.  This may cause incorrect links to be stored or returned to users.  If this is expected, add the URL http://127.0.0.1 as an AAM response URL.
    I guess SharePoint is trying to contact http://crl.microsoft.com to retrieve the CRL. How can I resolve both errors? Why does Microsoft have this design, knowing that many SharePoint sites sit within an intranet?
    Thanks a lot.
    Mark

    Anything in the CAPI log?  It shouldn't be going to the internet anymore.
    Do you have loopback disabled?
    http://blogs.technet.com/b/sharepoint_foxhole/archive/2010/06/21/disableloopbackcheck-lets-do-it-the-right-way.aspx

  • Certificate validation when server is the same machine as client

    Hi guys, I realize this is the most talked about question about JSSE, the validation of local certificates.
    I found a 2001 O'Reilly page where they explain what JSSE is and give a complete tutorial of it.
    It comes with a sample secure HTTP server and browser, and when I try to connect to the server with that browser it bombs out with the "couldn't find trusted certificate".
    Having read some posts here and googled around, I found out that this sometimes happens because the name on the signed certificate does not match the URL accessed from the server.
    So, if the server and client are on the same machine (127.0.0.1) and my machine name is FJL, can someone explain to me how I should run the keytool?
    This is what i have been using:
    keytool -genkey -keystore certs -keyalg rsa -alias espectro -storepass serverkspw -keypass serverpw
    The keytool then prompted me for information to put into the certificate. My answers are shown in bold.
    What is your first and last name?
    [Unknown]: francisco leon
    What is the name of your organizational unit?
    [Unknown]: licom
    What is the name of your organization?
    [Unknown]: la universidad del zulia
    What is the name of your City or Locality?
    [Unknown]: maracaibo
    What is the name of your State or Province?
    [Unknown]: zulia
    What is the two-letter country code for this unit?
    [Unknown]: VE
    Is <CN=francisco leon, OU=licom O=la universidad del zulia L=maracaibo ST=zulia, C=ve> correct?
    [no]: y
    The web server is found here http://www.onjava.com/pub/a/onjava/2001/05/03/java_security.html?page=1 to page=5 or so.
    page=4 explains something:
    You may wonder what happens when you run SecureBrowser against SecureServer. It doesn't work. That's because SecureBrowser won't accept SecureServer's phony certificate. However, we can trick SecureBrowser into accepting SecureServer's certificate. Here's how:
    So I use the keytool again to do what is suggested:
    keytool -export -keystore certs -alias espectro -file server.cer
    then:
    keytool -import -keystore jssecacerts -alias espectro -file server.cer
    The jssecacerts file is located in the dir where I did the keytool thing, so I copy it to c:\j2sdk1.4.1_02\jre\lib\security
    and finally I try to connect to the secure HTTP server found on that URL with the secure browser found there too, and I get the "couldn't find trusted certificate".
    Could someone please explain to me how to fix it? The article is kind of old and lists some properties which I haven't been able to find, along with some .jar (the article is dated before Java 1.4 was available), and maybe I am doing something wrong.
    Thanks in advance!

    Ok, indeed, when keytool asks me about my name, I tried it with my machine name and now it works.
