WebVPN : error "MD2withRSA is disabled" in JAVA

Unanswered Question
Nov 13th, 2009


We are running WebVPN on a VPN 3005 version 4.1.7.R. Every thing was correct until the installation of the last release of JAVA 6 Standard Edition on the client side (Windows XP).

This last version of JAVA is 1.6.0-17

and when we try to activate the port forwarding (Start Application Access), it fails and the JAVA log displays the following error message :

algorithm check failed: MD2withRSA is disabled

In the release notes of JAVA 1.6.0.-17, we found that they "disable MD2 in certificate chain validation" (certainly to follow CVE-2009-2049).

Has anyone found a solution to circumvent this issue (except to go back to a previous version like 1.6.0-16)

Best regards,

Guy Widloecher

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Herbert Baerten Sun, 11/15/2009 - 02:59

Hello Guy,

I've never seen this problem before, but from what you're telling us it seems that the VPN3k is using a certificate that uses MD2 (a hashing algorithm that is not secure, which is why the newest Java disables certificate checking when MD2 is used).

So the solution would be to install a new SSL server certificate that does not use MD2 but uses MD5 or SHA.

It's also possible that MD2 also used in the CA cert (or in any of the intermediary CA certs if you have a hierarchical PKI infrastructure). In that case you'll need to get a new CA certificate (chain) as well.



gwidloecher Mon, 11/16/2009 - 04:29

Hello Herbert,

Thank you for your help but I don't think it's the right way : I checked the SSL certificate and the CA certificate (there is no intermediary CA certificate), they don't use MD2 (they use MD5).

Best regards,

Guy Widloecher

alfredos Wed, 01/13/2010 - 03:27

Good day,

Any hint on this? I am seeing this on Snow Leopard, 10.6.2 with all updates as of right now, IOS 12.4(20)T and other I can't ckeck right now, both with the default self-signed certificates.

I'm going to setup a test CA and issue a certificate, and see what happens.

Herbert Baerten Tue, 01/19/2010 - 04:00

Hello Alfredo, Guy,

my apologies, I realize now that I mid-read Guy's initial post, and assumed the error was referring to the concentrator's certificate, while in fact it is referring to the certificate that Cisco used to sign the port forwarding Java applet.

There is a bug out for this:

CSCtd87060    SSLVPN: Portforwarding does not work with JVM 1.6 update 15 or later

However this bug only applies to IOS, not VPN3000

Since the VPN3000 is past the end-of-maintenance stage in it's EoL process, no software updates are released for it anymore, so I'm afraid the only thing you can do, besides considering replacing the concentrator with an ASA, is to keep the old Java version on the clients (or check with Sun if this security check for MD2 can be disabled somehow - I have not found a way so far).


alfredos Tue, 01/19/2010 - 07:25

Good day,

Thanks for your answer! I went to Bug Toolkit and got this:

Information contained within bug ID CSCtd87060 is only available to Cisco employees

I checked the option to see it, stating I saw it in documentation in cisco.com, which seemed to me the most appropriate. Anyway, I'm only interested in Fixed-In (for IOS), upgrade to that version (or latest of its train) and call it problem solved. May I ask if you could let us know what version is it fixed in, or approve my looking into the details of the bug?


Herbert Baerten Tue, 01/19/2010 - 11:28

The bug is currently not fixed in any publicly available software version. It will be in 15.1(1)T, and normally it will also appear in rebuilds of older releases, so in 15.0(1)Mx, in 12.4(24)Tx etc. I cannot guarantee this right now, or tell you which versions exactly yet.

The bug should be visible in Bug Toolkit in a few days though, so you will be able to track it there.

gwidloecher Fri, 01/22/2010 - 00:45

Hello Herbert,

Thank you for your help. Of course, about the VPN 3000 boxes, the right answer will be an upgrade to a supported concentrator.

Best regards,



This Discussion