
[ScreenOS] Deep Inspection (DI) Attack database update fails with HTTPS connections


Article ID: KB31513 | Last Updated: 23 Mar 2017 | Version: 1.0
Summary:

Deep Inspection attack-database updates over HTTPS fail when the Certificate Revocation List (CRL) check cannot complete because the CRL is larger than 2 MB.

This article explains the reported errors and how to disable the CRL check on the firewall.

 

Symptoms:

Deep Inspection (DI) attack-DB update fails over an HTTPS connection when the CRL check is enabled, after the DI server certificate was re-issued by the Comodo CA.

The following errors are reported on the CLI while updating the attack-DB. The event logs and PKI debug output are shown below.

Error when the attack-DB update fails:

SSG-> exec attack-db update
Download failed.Error: Unable to est. TCP connection
Failed to download or parse Attack DB.

Event logs:

2017-02-23 18:04:40 system notif 00767 Cannot parse attack database.
2017-02-23 18:04:40 system notif 00767 Cannot download attack database from  https://signatures.juniper.net/restricted/sigupdates/6.3/ssg350/attacks.bin?sn=JN10ABF77AD (error Unable to est. TCP connection).
2017-02-23 18:04:40 system notif 00535 PKI: Cannot build certificate chain for cert with subject name CN=services.netscreen.com,OU=COMODO SSL Unified Communications,OU=Issued through Juniper Networks, Inc. E-PKI Manager,OU=Domain C.

Certificates on the device:

SSG-> get pki x509 list cert
Getting OTHER PKI OBJECT ...
IDX  ID num     X509 Certificate Subject Distinguish Name
================================================================================
0000 243269694  CA CERT friendly name <62>
                CN=services.netscreen.com,OU=COMODO SSL Unified Communicatio
                ns,OU=Issued through Juniper Networks, Inc. E-PKI Manager,OU= =Domain Control Validated,
                Expire on 10-17-2019 23:59(UTC time), Issued By:
                CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA
                 Limited,L=Salford,ST=Greater Manchester,C=GB,
================================================================================
 
Debug output (debug pki all, debug ssl all, debug httpfx all):
 
Lv3 read server certificate A)
client SSL allow any Cert Subject, <00000000>.
client SSL set to verify mode <00000000>, cfg flag<00000001>.
## 2017-02-24 15:22:48 : initX509CertStore init store: hash<0277ca08>. callback pki_basestore_verify_callback=588D50
## 2017-02-24 15:22:48 : X509_PUBKEY_get new ret->reference 2
 
-----Truncated output------------------Cert validation process------------------------------   
## 2017-02-24 15:22:48 : build_ike_pki_mail: key_type=4
MSG:VERIFY_SSL_CERT_CHAIN send to PKI. mail count(4294967271).
ssl3_get_server_certificate: send server cert verify.
## 2017-02-24 15:22:48 : X509_PUBKEY_get new ret->reference 2
## 2017-02-24 15:22:48 : EVP_PKEY_free reference 1, i 1
SSL_connect:SSLv3 read server certificate A <--- Reading DI servers certificate from Server Hello
ssl3_connect loop(unknown state)
ssl3_connect end(unknown state)
## 2017-02-24 15:22:48 : processPkiRequest cmd=0
## 2017-02-24 15:22:48 : certReqHandler: req=a8ee16c task=1a70ac8
## 2017-02-24 15:22:48 : PKI_CID_VERIFY_CERT_REQ for task 0
## 2017-02-24 15:22:48 : verify_LDAP_p7_Init
## 2017-02-24 15:22:48 : ike_cert_req_init: EE is the 0th cert
## 2017-02-24 15:22:48 : To verify EE cert: CN=services.netscreen.com,OU=COMODO SSL Unified Communications,OU=Issued through Juniper Networks, Inc. E-PKI Manager,O
## 2017-02-24 15:22:48 : certReqHandler:new pLdapState=278d2f8 size=376
## 2017-02-24 15:22:48 : build_untrust_chain:
## 2017-02-24 15:22:48 : issuer cert found in device  <--- Found the CA cert in the device
## 2017-02-24 15:22:48 : Add trusted CA: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB,
## 2017-02-24 15:22:48 : link_cert_from_truststore: Cannot find the signing cert in trust store. <--- Checking for the CA cert in the trust store as per the design
 
## 2017-02-24 15:22:48 : build_untrust_chain: Accept partial path validation level for CA id <243269707>.
## 2017-02-24 15:22:48 : x509_validate_proc
## 2017-02-24 15:22:48 : Next CA: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB,
## 2017-02-24 15:22:48 : ldapIkeInit
## 2017-02-24 15:22:48 : x509_dss_verify
## 2017-02-24 15:22:48 : Verifying cert: CN=services.netscreen.com,OU=COMODO SSL Unified Communications,OU=Issued through Juniper Networks, Inc. E-PKI Manager,O <--- Verification of the certificate
## 2017-02-24 15:22:48 : Cert issued by: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB,
## 2017-02-24 15:22:48 : X509_PUBKEY_get new ret->reference 2
## 2017-02-24 15:22:48 : ASN1_verify -> algo_index=668[alg=0x10274890, RSA-SHA256] type=1DF0E00
## 2017-02-24 15:22:48 : ASN1_verify -> inl=1214
## 2017-02-24 15:22:48 : ASN1_verify -> siglen=256
## 2017-02-24 15:22:48 : EVP_VerifyFinal -> key_type = 6
## 2017-02-24 15:22:48 : RSA_padding_check_PKCS1_type_1: num<256> flen<255> <00000001>
## 2017-02-24 15:22:48 : EVP_PKEY_free reference 1, i 1
## 2017-02-24 15:22:48 : cmp time input<161017000000Z> to current<170224152248Z>
## 2017-02-24 15:22:48 : cmp time input<191017235959Z> to current<170224152248Z>
## 2017-02-24 15:22:48 : pass the certificate DSS check
## 2017-02-24 15:22:48 : use per CA revocation resource.
 

----------------------------CRL check process-----------------------
## 2017-02-24 15:22:48 : checking for revocation.
## 2017-02-24 15:22:48 : ldapStart
## 2017-02-24 15:22:48 : ldapRetrieveCRL
## 2017-02-24 15:22:48 : updatecrlLdapUrl: try asn_obj type general name.
## 2017-02-24 15:22:48 : updatecrlLdapUrl: num1 <1>
## 2017-02-24 15:22:48 : updatecrlLdapUrl: got dp1 <0>
## 2017-02-24 15:22:48 : updatecrlLdapUrl: got fullname num2 <1>
## 2017-02-24 15:22:48 : updatecrlLdapUrl: got ia5 at <0> len <67> <http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl> <--- Retrieving CRL from the CA cert
## 2017-02-24 15:22:48 : CRL URL: pCrlUrl=http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
## 2017-02-24 15:22:48 : _request: trying the embedded settings.
## 2017-02-24 15:22:48 : send_first_crl_request: the http approch.
## 2017-02-24 15:22:48 : send_first_crl_request: url=http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
## 2017-02-24 15:22:48 : httpUrlParser: Success, port=80:
## 2017-02-24 15:22:48 : httpUrlParser: host=<crl.comodoca.com>
## 2017-02-24 15:22:48 : httpUrlParser: urlPath=<GET /COMODORSADomainValidationSecureServerCA.crl>
## 2017-02-24 15:22:48 : httpUrlParser: input url=<http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl>
## 2017-02-24 15:22:48 : openHttpConnection: convert the host name crl.comodoca.com. <--- Resolving the URL
## 2017-02-24 15:22:48 : server IP 104.16.89.188
## 2017-02-24 15:22:48 : Trying to connect host crl.comodoca.com port 80  <--- Initiating a connection to CRL server
## 2017-02-24 15:22:48 : Trying to send to socket 206
## 2017-02-24 15:22:48 : openHttpConnection: done <0>.
## 2017-02-24 15:22:48 : ldapStart: exit (-1).
## 2017-02-24 15:22:48 : pki mail received.
## 2017-02-24 15:23:16 : fill_http_data_buf: http data exceeds <2048000> bytes, got <2050048>. <--- Received the CRL of size greater than 2 MB which is the maximum buffer size on ScreenOS devices
## 2017-02-24 15:23:16 : crl_online_responsCRL URL: no Dn
## 2017-02-24 15:22:48 : CRL URL: Scope=0
## 2017-02-24 15:22:48 : CRL URL: no filter
## 2017-02-24 15:22:48 : CRL URL: no attr
## 2017-02-24 15:22:48 : updatecrlLdapUrl: Take ia5 CDP len <67> <http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl>
## 2017-02-24 15:22:48 : send_crle_proc: error fill http data buffer for data from socket <206>.
## 2017-02-24 15:25:45 : check poll pending cert:
## 2017-02-24 15:25:45 : ldapT200Expire
## 2017-02-24 15:25:45 : fail <1> cert verify states.
## 2017-02-24 15:25:45 : ldapNotify_func:cert_path_failure
## 2017-02-24 15:25:45 : build_ike_pki_mail: key_type=0
## 2017-02-24 15:25:45 : delete load node by hash, empty hash value.
SSL VERIFY_CERT_RSP mode <00000000>
SSL VERIFY_CERT_RSP sock(205) wErr:1
SSL: do handshake_func
ssl3_connect start (unknown state)
ssl3_connect loop(unknown state)
## 2017-02-24 15:25:45 : lib=20 func=137 reason=178 file=ssl_nscert.c line=968
## 2017-02-24 15:25:45 : bio_write, before bwrite.
## 2017-02-24 15:25:45 : buffer_write: <7>
## 2017-02-24 15:25:45 : BIO_copy_next_retry: b<02777cb8>
## 2017-02-24 15:25:45 : BIO_copy_next_retry: b next<02777d84>
SSL3 alert write:fatal:bad certificate   <--- Error device is not able to verify the cert state
ssl3_connect end(unknown state)
SSL_connect:error in unknown state
ssl connect state to SSL_SOCKCTX_INIT
ssl connect (205): connect failed
## 2017-02-24 15:25:45 : http-fx: conn setup/FAIL <54.69.195.193:443>.
ssl close socket(205)
ssl closing connect socket(205)
## 2017-02-24 15:25:45 : http-fx: closed connection to 54.69.195.193 ...
    free ssl sock(205)
## 2017-02-24 15:25:45 : EVP_PKEY_free reference 0, i 0
ConnectionsActive: --

 

Cause:

This behavior is by design. The buffer that stores a downloaded CRL on SSG/ISG/NetScreen devices is 2 MB. When the CRL published by the Comodo CA exceeds 2 MB, the download overruns that buffer, the revocation check cannot complete, the DI server certificate is rejected, and the attack-DB update fails.
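To confirm that a failed update is this CRL-size case rather than some other certificate problem, the relevant debug lines can be picked out mechanically. The following triage script is an added example, not part of the Juniper article; the regular expressions are assumptions based only on the debug lines quoted above, and the sample input is excerpted from that output.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Debug lines that together identify the oversized-CRL failure.
CRL_URL_RE = re.compile(r"CRL URL: pCrlUrl=(\S+)")
OVERFLOW_RE = re.compile(r"http data exceeds <(\d+)> bytes, got <(\d+)>")
ALERT_RE = re.compile(r"SSL3 alert write:fatal:bad certificate")

@dataclass
class CrlDiagnosis:
    crl_url: Optional[str] = None
    buffer_limit: Optional[int] = None      # ScreenOS CRL buffer, from the debug line
    received_bytes: Optional[int] = None    # what the CDP actually returned
    ssl_fatal_alert: bool = False

    @property
    def crl_too_large(self) -> bool:
        return (self.buffer_limit is not None and self.received_bytes is not None
                and self.received_bytes > self.buffer_limit)

def diagnose_pki_debug(log_text: str) -> CrlDiagnosis:
    # Scan 'debug pki all' / 'debug ssl all' output line by line.
    d = CrlDiagnosis()
    for line in log_text.splitlines():
        if m := CRL_URL_RE.search(line):
            d.crl_url = m.group(1)
        elif m := OVERFLOW_RE.search(line):
            d.buffer_limit, d.received_bytes = int(m.group(1)), int(m.group(2))
        elif ALERT_RE.search(line):
            d.ssl_fatal_alert = True
    return d

def explain(d: CrlDiagnosis) -> str:
    # Separate the CRL-size case from other reasons the server cert was rejected.
    if d.crl_too_large:
        excess = d.received_bytes - d.buffer_limit
        return (f"CRL {d.crl_url} is {d.received_bytes} bytes, {excess} over the "
                f"{d.buffer_limit}-byte buffer; revocation check cannot complete")
    if d.ssl_fatal_alert:
        return "certificate rejected for a reason other than CRL size; check chain and clock"
    return "no certificate-validation failure in this capture"

# Lines excerpted from the article's debug output.
SAMPLE_DEBUG = """\
## 2017-02-24 15:22:48 : CRL URL: pCrlUrl=http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
## 2017-02-24 15:23:16 : fill_http_data_buf: http data exceeds <2048000> bytes, got <2050048>.
SSL3 alert write:fatal:bad certificate
"""
```

Run `explain(diagnose_pki_debug(SAMPLE_DEBUG))` against a captured debug session; a "bad certificate" alert without the `fill_http_data_buf` overflow line points to a different chain or clock problem.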

 

Solution:

Disable the CRL check for the issuing CA on the firewall with the following command, using the ID number shown for that CA in 'get pki x509 list ca-cert':

# set pki authority <ID number of CA certificate from 'get pki x509 list ca-cert'> cert-status revocation-check none

This turns off revocation checking only for certificates issued by that CA; chain building, signature verification and validity-period checks on the DI server certificate still run.

 
