topic Re: Problems SSL Initiation CSS11506 with SSL module in Application Networking

Problems SSL Initiation CSS11506 with SSL module

eddiemeijer — Tue, 14 Jun 2005 20:43:40 GMT

We have a CSS11506 with SSL module.

We want to initiate a SSL session with a client certificate to a backend server running IIS 5.0 and doing certificate mapping.

We see in the traces that the SSL handshaking is performed but for some reason the SSL module does not send the client certificate. When i import the Certificates into a browser and connect directly to the server with ssl it is working. So it seems that the client trust and certificate check etc. on the remote server side is working.

Certificate and Key file are verified and ok.

- What does the CACert check exactly do? because when you connect with a browser you get a warning that e.g. the hostname does not match the certificate name. But the browser can ignore this. Does the CSS do this as well?

- Does the CSS has to lookup all the URL´s in the certificate? then we have a problem because our CSS is in a DMZ with no DNS resolving. So I have to put in host names but they can only be 16 char. long. and the issuing server Url is longer then 16 char.

- Does anybody has experience with connecting to a remote IIS5.0 server via a backend-server construction.?

Here are some configs:

content YYY-ACC-TKR-OUT

add service YYY-TKR-ACC

advanced-balance arrowpoint-cookie

vip address 192.168.9.103

protocol tcp

port 80

active

service YYY-TKR-ACC

protocol tcp

add ssl-proxy-list YYY-TKR-ACC

keepalive type none

port 80

ip address 193.X.X.X

type ssl-init

slot 6

active

ssl-proxy-list YYY-TKR-ACC

backend-server 1

backend-server 1 ip address 193.X.X.X

backend-server 1 type initiation

backend-server 1 rsacert YYY-TKR-ACC

backend-server 1 rsakey YYY-TKR-ACC-KEY

backend-server 1 server-ip 193.X.X.X

backend-server 1 cacert YYY-TKR-ACC-CA

backend-server 1 cipher rsa-with-rc4-128-md5

active

Re: Problems SSL Initiation CSS11506 with SSL module

Gilles Dufour — Wed, 15 Jun 2005 06:39:04 GMT

what do you see in the trace exactly ?

Is the server sending the certificate request ?

Is the CSS reseting the connection ?

Is there an Alert being sent ?

I would like to see this sniffer trace if possible.

The config looks good and the CSS does not care about certificate name and DNS name.

Regards,

Gilles.

Re: Problems SSL Initiation CSS11506 with SSL module

eddiemeijer — Wed, 15 Jun 2005 08:29:16 GMT

Gilles,

hereby a trace file.. We are leving out network with the 145.x.x.x adress and the server is the 193.x.x.x.x

Re: Problems SSL Initiation CSS11506 with SSL module

Gilles Dufour — Thu, 16 Jun 2005 12:26:56 GMT

I checked the trace and the server is not following the correct TLS procedure.

After the server certificate, the server should send a certificate_request message but instead it is sending a serverhellodone message which tells the CSS to keep going without sending its certificate.

This is explain in section 7.4.5 and 7.4.6 of the RFC.

http://www.faqs.org/rfcs/rfc2246.html

I don't what type of server you are using but there is definitely an issue on their side.

Gilles.

Re: Problems SSL Initiation CSS11506 with SSL module

eddiemeijer — Fri, 17 Jun 2005 14:14:30 GMT

Gilles,

Beneath the answer from a Microsoft engineer. I understand that IIS is not asking for a client certificate in the initial negotiation. When a Certificate is needed IIS will renegotiate the SSL connection.

Is there anyway the SSL module can anticipate on this behaviour.???

thnks,

Eddie

---------------------------------------------

With IIS we may also not ask the client to provide a client certificate during the initial SSL negotiation as we may not immediately know that we will need the client to provide a certificate for every request. This is in line with the RFC:-

7.4.4. Certificate request

When this message will be sent: A non-anonymous server can optionally request a certificate from the client, if appropriate for the selected cipher suite.

If the Cisco device is closing the connection if it has not been asked to provide a client certificate during the first SSL negotiation this does not necessarily point to a problem with IIS so we need to understand a little bit more about how the Cisco device is expecting IIS to behave as at the moment I do not see an obvious problem with how IIS is responding.

When IIS determines that client certificates are required it will re-negotiate the SSL connection asking for the client to provide a certificate.