Cisco Support Community
IOS SSL Vpn MD2withRSA is disabled

Hi Guys,

I have a customer with SSL VPN enabled, and they are getting an error when trying to start up the webvpnportforward applet. It looks like this error has been discussed on the support forums, but nothing has been resolved. Aside from uninstalling Java SE 6u17 and reinstalling 6u16, is there any fix?

Thanks!

Chris


Re: IOS SSL Vpn MD2withRSA is disabled

Hi Chris,

I just encountered this error when trying to use SDM on a router. You're correct that it's caused by u17 of the JRE, which has now disabled MD2 and doesn't appear to give any granular control of which algorithms are enabled or disabled. I tried upgrading to u18 but that didn't solve it either - looks like Sun have decided that it's now defunct.

Anyway, after a lot of messing around I've finally got it working again without downgrading by following the steps below (note that I don't know if this will solve your SSL VPN problem but it seems similar). In summary, the problem is that the applet itself has an MD5 cert but the certificate chain uses MD2 certificates from Verisign.

1. Run Internet Explorer and go to Tools->Options->Advanced and untick the 'use JRE 1.6.blah blah' under the Java (Sun) category. Press OK and restart IE.

2. Open the same URL that was giving you the error. You should get an IE security warning asking if you wish to Run the applet. Click on the View Certificate button.

3. Click on the Certificate Path option and you should see the applet as the third in the chain with two Verisign certificates above it. For each of these Verisign certificates you need to view it, click on the Details tab and then the 'save to file' button to export the certificate. Export each certificate as DER and save somewhere handy.

4. Open the Java control panel application and click on the security tab and then the 'Certificates' button.

5. For each category in the drop down box (Trusted certificates, secure site, secure site ca, signer ca) import both certificates that you previously exported.

6. Click Apply and close the Java control panel.

7. In IE change your advanced option back to using the Sun JRE.

8. Restart IE and it should now work.

Note that for step 5 I'm sure you don't actually need all of the categories but I couldn't be bothered to work out which it is.

This hack works because the JRE doesn't bother checking the algorithm used if the certificate is listed as trusted. I'll attach the two certificates I exported but I can't guarantee that they're the same ones you need for your applet so you're better off following the steps above completely.

Hope this helps you out, looks like a few people are having similar problems too.

Good luck,

Dave
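Dave's fix depends on which signature algorithm each certificate in the applet's chain actually carries, and the only way the thread offers to see that is the IE certificate viewer. The script below is an added example (not from this thread, and not Cisco's or Sun's code) that reads the DER files exported in step 3 and reports each certificate's outer signatureAlgorithm OID, flagging MD2withRSA and MD5withRSA. It parses only the outer X.509 SEQUENCE (tbsCertificate, AlgorithmIdentifier, BIT STRING) with a hand-written DER reader, so it needs no third-party library; the OID-to-name table is assumed from PKCS#1, and the sample chain at the bottom is constructed synthetic DER that is certificate-shaped but not a real certificate.

```python
"""Report the signature algorithm of each DER certificate in a chain.

Outer structure parsed (RFC 5280):
    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE,
                               signatureAlgorithm SEQUENCE { OID, params },
                               signatureValue BIT STRING }
Usage: python sigalg_audit.py cert1.der cert2.der ...  (no args: sample chain)
"""
import sys

# PKCS#1 RSA signature OIDs (assumed table; extend as needed).
SIG_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK = {"md2WithRSAEncryption", "md5WithRSAEncryption"}  # reject in a chain
TAG_SEQUENCE, TAG_OID, TAG_BITSTRING = 0x30, 0x06, 0x03


def read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def decode_oid(content):
    """Decode OBJECT IDENTIFIER content octets (base-128 arcs) to dotted form."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der_cert):
    """Return the dotted OID from a certificate's outer signatureAlgorithm."""
    tag, cert, _ = read_tlv(der_cert, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not a DER SEQUENCE")
    _tag, _tbs, pos = read_tlv(cert, 0)       # tbsCertificate, not inspected
    tag, alg, _ = read_tlv(cert, pos)         # AlgorithmIdentifier
    if tag != TAG_SEQUENCE:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = read_tlv(alg, 0)
    if tag != TAG_OID:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def audit_chain(chain):
    """Return [(index, oid, name, is_weak)] for a list of DER certificates."""
    out = []
    for i, der in enumerate(chain):
        oid = signature_algorithm(der)
        name = SIG_OIDS.get(oid, "unknown")
        out.append((i, oid, name, name in WEAK))
    return out


# --- constructed sample chain (synthetic DER, not real certificates) -------
def _tlv(tag, content):
    """Minimal DER encoder used only to build the sample data."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return _tlv(TAG_OID, out)


def fake_cert(sig_oid, tbs_len=300):
    """Certificate-shaped DER: padded tbs (forces long-form length), alg, dummy sig."""
    tbs = _tlv(TAG_SEQUENCE, b"\x00" * tbs_len)
    alg = _tlv(TAG_SEQUENCE, _oid(sig_oid) + b"\x05\x00")  # NULL parameters
    sig = _tlv(TAG_BITSTRING, b"\x00" + b"\xAA" * 32)
    return _tlv(TAG_SEQUENCE, tbs + alg + sig)


# Mirrors the post: MD5-signed applet cert, two MD2-signed CA certs, plus one
# SHA-256 entry to show a chain that passes.
SAMPLE_CHAIN = [fake_cert("1.2.840.113549.1.1.4"), fake_cert("1.2.840.113549.1.1.2"),
                fake_cert("1.2.840.113549.1.1.2"), fake_cert("1.2.840.113549.1.1.11")]

if __name__ == "__main__":
    files = sys.argv[1:]
    chain = [open(f, "rb").read() for f in files] if files else SAMPLE_CHAIN
    for i, oid, name, weak in audit_chain(chain):
        print(f"[{i}] {oid} {name}{'  <-- WEAK' if weak else ''}")
```

Run it against the two exported Verisign DER files to confirm they really are the MD2-signed links before importing them. Note what the import does in security terms: a certificate placed directly in a trusted store is accepted by identity, so its own signature (and therefore the MD2 digest the JRE rejects) is never verified again; that is the mechanism Dave describes, and it is why the workaround should be limited to the specific certificates in this chain rather than used as a general way past the algorithm check.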
