Release Note for the Cisco Application Control Engine Module
OL-22471-01
New Software Features in Version A2(2.0)
SSL CRL lookup cache hits
SSL authentication cache hits
If a valid non-expired CRL is cached in the ACE, no CRL lookups are performed and the following show stats crypto client counters will not increment together for the same connection:
SSL best effort CRL lookups
SSL CRL lookup cache hits
When the SSL connection to the SSL real server fails because of a revoked server certificate, the following show stats crypto client counters increment:
SSL alert CERTIFICATE_REVOKED sent
Total SSL server authentications
Failed SSL server authentications
SSL best effort CRL lookups or SSL static CRL lookups
To disable the use of a downloaded CRL during server authentication, enter the following command:
host1/Admin(config-ssl-proxy)# no crl CRL1
To disable the use of server certificates for CRL information during server authentication, enter the following command:
host1/Admin(config-ssl-proxy)# no crl best-effort
Configuring Downloaded CRLs for Server Authentication
You can configure a CRL that the ACE downloads on the SSL proxy service for server authentication. If the service is not configured on a policy map or the policy map is not active, the ACE does not download the CRL. The ACE downloads the CRL under the following conditions:
When you first configure the CRL and apply it to an active Layer 4 policy map as an action. See the Cisco Application Control Engine Module SSL Configuration Guide for software version A2(1.0).
When you reload the ACE.
When the NextUpdate arrives, as provided within the CRL itself, the ACE reads this information and updates the CRL based on it. The ACE downloads the updated CRL upon the next server authentication request.
You can configure a maximum of eight CRLs per context. After you configure the CRL, assign it to an SSL proxy service for server authentication (see the section).
The ACE translates the hostnames within the CRLs to IP addresses using a Domain Name System (DNS) client that you configure. For details about configuring a DNS client, see the Cisco Application Control Engine Module SSL Configuration Guide for software version A2(1.0).
To configure a downloaded CRL, use the crypto crl command in configuration mode. The syntax of this command is as follows:
crypto crl crl_name url
The arguments are as follows:
crl_name—Name that you want to assign to the CRL. Enter an unquoted text string with a maximum of 64 alphanumeric characters.
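As an added example (not taken from the release note), the commands above assembled into one session: a downloaded CRL named CRL1 is defined, referenced from the SSL proxy service used for server authentication with best-effort lookups left enabled, and the counters are checked afterwards. The CRL URL, the service name SERVER_AUTH and the ssl-proxy service command used to enter config-ssl-proxy mode are assumptions; binding the service to an active Layer 4 policy map follows the SSL Configuration Guide and is not shown.

```text
! Constructed example: define the CRL the ACE downloads (name and URL are placeholders)
host1/Admin(config)# crypto crl CRL1 http://crl.example.com/ca.crl
! Reference the CRL from the SSL proxy service that performs server authentication
! (service name assumed); keep best-effort lookups from the server certificate on
host1/Admin(config)# ssl-proxy service SERVER_AUTH
host1/Admin(config-ssl-proxy)# crl CRL1
host1/Admin(config-ssl-proxy)# crl best-effort
host1/Admin(config-ssl-proxy)# exit
! After the service is bound to an active policy map, verify CRL use:
! a revoked server certificate shows up as SSL alert CERTIFICATE_REVOKED sent,
! Failed SSL server authentications and a static or best-effort CRL lookup;
! a cached, unexpired CRL shows SSL CRL lookup cache hits instead of lookups
host1/Admin# show stats crypto client
```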