ACE 4710 SSL Problem - x forwarded for

simone_mx · ‎03-23-2011

HI All

I have a this problem with ACE 4710 (A3) device configured "one-armed":

I have configured a https service with ssl certificate on balancer and the client (web service java) negotiates the crypto connection to 112 bit.

Instead if the ssl is established directly to webserver (apache) the crypto connection goes to 256 bit.

If I set only the crypto to 256 bit on balancer, the client not work.

For me is necesary established the ssl encryption on balancer because I must activate the "x forwarded for" to trace the sorce IP.

Can you help me?

yushimaz · ‎03-23-2011

Do you want to prioritize cipher suites?

If so, you can use priority option of cipher config in parameter-map as below.

ACE4710/c2# conf t

Enter configuration commands, one per line. End with CNTL/Z.

ACE4710/c2(config)# parameter-map type ssl ssl_cipher

ACE4710/c2(config-parammap-ssl)# cipher RSA_WITH_AES_256_CBC_SHA priority ?

<1-10> Specify priority for the cipher

ACE4710/c2(config-parammap-ssl)# cipher RSA_WITH_AES_256_CBC_SHA priority 10

ACE4710/c2(config-parammap-ssl)# cipher RSA_EXPORT1024_WITH_RC4_56_MD5 priority 5

ACE4710/c2(config-parammap-ssl)# end

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/ssl/guide/terminat.html#wp1051144

Regards,

Yuji

simone_mx · ‎03-24-2011

I have setted only the cipher RSA_WITH_AES_256_CBC_SHA but the client not work yet.

Is very strange, because if I configure the SSL on the server, the same client work correctly.

yushimaz · ‎03-24-2011

Can you get capture trace during ssl hello? If possible, could you please let me know all cipher suites in client hello?

I want to check whether RSA_WITH_AES_256_CBC_SHA is listed in client hello or not.

If this cipher suite is listed into client hello, ACE should use it and ssl connection will be established.

I also want to check the server hello to check if RSA_WITH_AES_256_CBC_SHA is selected.

Which browser did you use in your test? Did you use the same browser?

If you used different browser in your test, the difference might be related to the client browser.

As far as I remember, IE6 doesn't support AES but firefox supports. AES is supported after IE7 on vista.

I want to make clear the reason why client request failed when only RSA_WITH_AES_256_CBC_SHA is configured.

Capture trace will be the most useful information to investigate the reason.

Regards,

Yuji

simone_mx · ‎03-24-2011

The cipher are the follow:

parameter-map type ssl PM-SSL2

cipher RSA_WITH_3DES_EDE_CBC_SHA

cipher RSA_WITH_AES_128_CBC_SHA priority 2

cipher RSA_WITH_AES_256_CBC_SHA priority 10

cipher RSA_EXPORT1024_WITH_RC4_56_MD5

cipher RSA_EXPORT1024_WITH_DES_CBC_SHA

With this cipher the browser crome negotiates di criptografy to 112 bit. Instead if install only cipher AES_256_ the client crome goes to 256 bit, but the application not work. The connection is not done with browser, but by application.

There are this difference:

certificate ssl on server - conn established

certificate ssl on LB ACE - conn not established

I have attacched the chrome log (in italian) about certificates

yushimaz · ‎03-24-2011

The difference between ACE and server looks ssl version.

Since I cannot read italian, I don't know the detail of attachemnt log

but I found the following message.

# on balancer

la connessione con SSL 3.0.

# on server

la connessione con TLS.

Could you please add 'version TLS1' configuration in parameter-map as below

and check the behavior? If chrome log becomes TLS (which is the same with

server log) but the reault is same, I need more information regarding application.

ACE4710/c2(config)# parameter-map type ssl ssl_cipher

ACE4710/c2(config-parammap-ssl)# version

SSL3 TLS1 all

ACE4710/c2(config-parammap-ssl)# version TLS1

Regards,

Yuji

simone_mx · ‎03-24-2011

I have setted the version TLS1, but the connection fail.

chrome error: Errore 107 (net::ERR_SSL_PROTOCOL_ERROR)

yushimaz · ‎03-24-2011

Umm.. In that case I want capture trace and configuration of ACE to investigate more detail.

Regards,

Yuji

Jorge Bejarano · ‎03-07-2012

You can proceed with the upgrade proactively but I have read some forums about this topic and everything indicates a problem with Chrome and some settings which need to be configured to have it working.

Hope this helps!!!

Jorge

univa741 · ‎11-29-2022

The Caavo web design glasgow seamlessly connects multiple devices, and the voice control on it works quite efficiently. It also provides the option of a good cross-service search that works across a variety of devices. What sets this remote apart is the search capability of this Remote.