GlobalProtect client certificate authentication fails with an empty CN

59380
Created On 03/25/19 06:17 AM - Last Modified 03/03/23 01:58 AM


Symptom


GlobalProtect client certificate authentication fails even though the correct client certificate is installed on the client PC and its issuer is configured as a Trusted CA on the firewall.

The VPN connection fails, even though the expected certificate is picked up by the GlobalProtect client and sent to the server for client certificate authentication, if the Subject CN on the client certificate is empty.

The client logs show the following errors.
(T6560) 03/24/19 19:30:51:752 Info ( 736): Server cert query failed with error 12019
(T6560) 03/24/19 19:30:51:752 Debug( 905): PostRequest error code=2148074279(An unknown error occurred while processing the certificate.)
(T6560) 03/24/19 19:30:51:752 Debug( 993): ERROR_WINHTTP_SECURE_FAILURE, clean m_pMachineCertCtx. Retry
Check the global counters for this connection on the firewall.
Configure a packet filter with the source IP set to the IP of the PC and the destination IP set to the IP address of the interface terminating the GlobalProtect portal and gateway.
If the client is on the Internet, use the NATted public IP of the client PC.
Then enable the filter and run the following command once. The first output can be ignored.
> show counter global filter packet-filter yes delta yes
Try to connect to the portal and gateway from the user PC that has the issue.
Wait for a while, then run the following command again.
> show counter global filter packet-filter yes delta yes
Check the global counters to see whether the following counters are present.
proxy_client_cert_parse_error 167 3 warn proxy pktproc Number of ssl sessions with bad client cert
proxy_decrypt_cert_validation_overall 167 3 info proxy pktproc Overall number of decrypted packet cert validation
If packet diagnostic logs are captured for this connection with the "flow basic", "ssl basic" and "proxy basic" features, the following lines can be seen in the packet diagnostic output.
2019-03-24 20:07:58.853 -0700 debug: pan_proxy_cfg_client_cert_handler(pan_proxy_cfg.c:1244): receive client cert
2019-03-24 20:07:58.853 -0700 debug: pan_x509_parse_dn(pan_x509.c:519): didn't find common name
2019-03-24 20:07:58.853 -0700 debug: pan_x509_parse_tbs_certificate(pan_x509.c:1998): pan_x509_parse_dn() failed



Environment


  • GlobalProtect with certificate authentication
  • PAN-OS 8.0


Cause


  • A client certificate with an empty CN is not supported on the PA firewall running 8.0
  • Starting from 8.1, there is no restriction on an empty CN on the server side


Resolution


  1. Issue a new certificate from the CA server that contains a Subject CN.
  2. Then install this new certificate on the client PC and test the connection again.
The connection should now succeed.


Additional Information



The firewall follows the requirement of the RFC: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6

RFC detail: "If the subject field contains an empty sequence, then the issuing CA MUST include a subjectAltName extension that is marked as critical."

The firewall performs an additional check: if the CN/Subject field is empty, the SAN field of the certificate must be marked as a "critical" extension. This ensures the certificate complies with the referenced RFC.

Here are some debug logs from a case where the SAN is not marked "critical":
Firewall side flow basic, ssl basic, proxy basic : 

debug: pan_proxy_cfg_client_cert_handler(pan_proxy_cfg.c:1253): receive client cert
debug: pan_x509_parse_tbs_certificate(pan_x509.c:2082): not before 210521151540Z not after 220521151540Z
debug: pan_x509_parse_dn(pan_x509.c:531): didn't find common name
debug: pan_x509_parse_tbs_certificate(pan_x509.c:2106): SSLVPN:Print the certificate hostid (null)
debug: pan_x509_parse_tbs_certificate(pan_x509.c:2108): SSLVPN:Print the certificate username (null)
debug: pan_x509_parse_ext_subject_alt_name(pan_x509.c:1382): subject alt name
debug: pan_x509_parse_ext_subject_alt_name(pan_x509.c:1400): found subject alternative names @478
00000000: 82 0b 6d 61 63 68 69 6e  65 2e 6c 61 62             ..machin e.lab
debug: pan_x509_parse_tbs_certificate(pan_x509.c:2175): parse tbs certificate missing subject but subject alternative name is not critical
debug: pan_x509_parse_cert(pan_x509.c:2374): pan_asn1_tbs_certificate() failed
debug: pan_x509_parse_certs_chain(pan_x509.c:2548): pan_x509_parse_cert() failed; error
debug: pan_ssl_parse_client_cert_handshake(pan_ssl.c:2372): pan_x509_parse_certs_chain() failed
Error:  pan_proxy_cfg_client_cert_handler(pan_proxy_cfg.c:1292): failed to parse client cert
Error:  pan_proxy_offload_ssl_handshake_cb(pan_proxy_ssl.c:576): client cert callback() failed
Error:  pan_ssl_proxy_handle_rt_hs(pan_ssl_proxy.c:251): handshake callback failed: -3
Error:  pan_ssl_proxy_parse_data(pan_ssl_proxy.c:621): pan_ssl_parse_record() failed

Firewall counters : 

proxy_ssl_invalid_cert                     7        3 info      proxy     pktproc   Number of ssl sessions using invalid certificate
proxy_client_cert_parse_error              7        3 warn      proxy     pktproc   Number of ssl sessions with bad client cert
GP logs: 


(T7008)Debug( 868): Found the cert [empty] issued by OpenSSL-CA9 sha1 hash is b4 fd 25 c7 a7 e6 ee ac 2e ef cd dd bd f5 e9 02 35 14 98 51  in machine store
(T7008)Debug( 874): Finished searching machine store.
(T7008)Debug(1016): PrepareRequest, m_pMachineCertCtx is 000001AF7749D0B0...
(T7008)Debug(1024): WinHttpOpenRequest...
(T7008)Debug( 442): CPanHTTPSession::PostRequest: WinHttpSendRequest...
(T7008)Debug( 453): bResults=0, g_dwStatus = 00000000
(T7008)Debug( 456): SendRequest failed with error -2146893017
(T7008)Debug( 756): The length of the serialized string is 879.
(T7008)Debug( 775): The encoded element has been serialized.
(T7008)Debug( 786): SerializeServerCert(): wrote 879 of 879 bytes to file C:\WINDOWS\system32\config\systemprofile\AppData\Local\Palo Alto Networks\GlobalProtect\ServerCert.pan.
(T7008)Debug(1043): PostRequest error code=2148074279(An unknown error occurred while processing the certificate.)
(T7008)Debug(1132): ERROR_WINHTTP_SECURE_FAILURE, clean m_pMachineCertCtx. Retry

On 8.1 and later, if you generate a certificate with an empty Subject (which is fine) and with a SAN (which is also fine), the SAN extension MUST be marked "critical" per the RFC.
If it is not, PAN-OS will error out, which is also fine, because a certificate should not be made that way.
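As an added example (not code from this article or from Palo Alto Networks), the following Python walks a DER TBSCertificate and applies the same RFC 5280 rule the "missing subject but subject alternative name is not critical" log line above reflects, so a client certificate can be checked before it is deployed; it also reproduces the 8.0 symptom of an empty Subject. The certificates it inspects are skeletal structures constructed inline (only the subject and extension fields are meaningful), and the helper names `tlv`, `children`, `check_tbs`, `der` and `build_tbs` are chosen here.

```python
# Added example (not code from the article or Palo Alto Networks): a minimal DER walker
# applying the RFC 5280 4.2.1.6 rule the firewall enforces. Helper names are chosen here.
SAN_OID = bytes.fromhex("551d11")  # id-ce-subjectAltName, OID 2.5.29.17
CN_OID = bytes.fromhex("550403")   # id-at-commonName, OID 2.5.4.3

def tlv(data, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos). Handles long-form lengths."""
    tag, ln, pos = data[pos], data[pos + 1], pos + 2
    if ln & 0x80:                       # long form: low bits give the number of length bytes
        n = ln & 0x7F
        ln, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + ln], pos + ln

def children(data):                     # yield (tag, value) for each TLV in a constructed value
    pos = 0
    while pos < len(data):
        tag, val, pos = tlv(data, pos)
        yield tag, val

def check_tbs(tbs):
    """Check a DER TBSCertificate body (contents of its outer SEQUENCE). Returns (accepted,
    reason); the rejected cases mirror the firewall's 'missing subject ... not critical'."""
    fields = list(children(tbs))        # [0] version?, serial, sigAlg, issuer, validity, subject, ...
    subject = fields[5 if fields[0][0] == 0xA0 else 4][1]
    if subject:                         # non-empty Name: the rule does not apply
        return True, "subject present"
    exts = next((v for t, v in fields if t == 0xA3), None)   # [3] EXPLICIT Extensions
    if exts is None:
        return False, "empty subject and no extensions"
    for _, ext in children(next(children(exts))[1]):          # each Extension SEQUENCE
        parts = list(children(ext))     # extnID, optional critical BOOLEAN, extnValue
        if parts[0][1] != SAN_OID:
            continue
        critical = len(parts) == 3 and parts[1][0] == 0x01 and parts[1][1] == b"\xff"
        return critical, ("SAN critical" if critical else "empty subject but SAN not critical")
    return False, "empty subject and no SAN"

def der(tag, body):
    """Encode one DER TLV; a two-byte long-form length is plenty for these sizes."""
    n = len(body)
    ln = bytes([n]) if n < 128 else (b"\x81" + bytes([n]) if n < 256 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + ln + body

def build_tbs(subject_cn, san_critical):
    """Construct a skeletal TBSCertificate (not a real certificate): only subject and SAN matter."""
    cn = b"" if subject_cn is None else der(0x31, der(0x30, der(0x06, CN_OID) + der(0x0C, subject_cn)))
    san = der(0x30, der(0x82, b"machine.lab"))  # GeneralNames with one dNSName, as in the log dump
    ext = der(0x06, SAN_OID) + (der(0x01, b"\xff") if san_critical else b"") + der(0x04, san)
    empty = der(0x30, b"")              # placeholder sigAlg, issuer, validity and SPKI
    return (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + empty + empty + empty
            + der(0x30, cn) + empty + der(0xA3, der(0x30, der(0x30, ext))))
```

To run the check on a real certificate, hand `check_tbs` the value of the first SEQUENCE inside the DER Certificate (the TBSCertificate), obtained with `tlv` and `children`.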