Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2771
Views
0
Helpful
9
Replies

ACE 4710 SSL Problem - x forwarded for

simone_mx
Level 1
Level 1

‎03-23-2011 08:36 AM

HI All

I have a this problem with ACE 4710 (A3) device configured "one-armed":

I have configured a https service with ssl certificate on balancer and the client (web service java) negotiates the crypto connection to 112 bit.

Instead if the ssl is established directly to webserver (apache) the crypto connection goes to 256 bit.

If I set only the crypto to 256 bit on balancer, the client not work.

For me is necesary established the ssl encryption on balancer because I must activate the "x forwarded for" to trace the sorce IP.

Can you help me?

Labels:
0 Helpful
9 Replies 9

yushimaz
Cisco Employee
Cisco Employee

‎03-23-2011 07:28 PM

Do you want to prioritize cipher suites?

If so, you can use priority option of cipher config in parameter-map as below.

ACE4710/c2# conf t

Enter configuration commands, one per line.  End with CNTL/Z.

ACE4710/c2(config)# parameter-map type ssl ssl_cipher

ACE4710/c2(config-parammap-ssl)# cipher RSA_WITH_AES_256_CBC_SHA priority ?

  <1-10>  Specify priority for the cipher

ACE4710/c2(config-parammap-ssl)# cipher RSA_WITH_AES_256_CBC_SHA priority 10

ACE4710/c2(config-parammap-ssl)# cipher RSA_EXPORT1024_WITH_RC4_56_MD5 priority 5

ACE4710/c2(config-parammap-ssl)# end

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/ssl/guide/terminat.html#wp1051144

Regards,

Yuji

0 Helpful

simone_mx
Level 1
Level 1
In response to yushimaz

‎03-24-2011 12:29 AM

I have setted only the cipher RSA_WITH_AES_256_CBC_SHA but the client not work yet.

Is very strange, because if I configure the SSL on the server, the same client work correctly.

0 Helpful

yushimaz
Cisco Employee
Cisco Employee
In response to simone_mx

‎03-24-2011 12:56 AM

Can you get capture trace during ssl hello? If possible, could you please let me know all cipher suites in client hello?

I want to check whether RSA_WITH_AES_256_CBC_SHA is listed in client hello or not.

If this cipher suite is listed into client hello, ACE should use it and ssl connection will be established.

I also want to check the server hello to check if RSA_WITH_AES_256_CBC_SHA is selected.

Which browser did you use in your test? Did you use the same browser?

If you used different browser in your test, the difference might be related to the client browser.

As far as I remember, IE6 doesn't support AES but firefox supports. AES is supported after IE7 on vista.

I want to make clear the reason why client request failed when only RSA_WITH_AES_256_CBC_SHA is configured.
Capture trace will be the most useful information to investigate the reason.

Regards,

Yuji

0 Helpful

simone_mx
Level 1
Level 1
In response to yushimaz

‎03-24-2011 03:30 AM

The  cipher are the follow:

parameter-map type ssl PM-SSL2

  cipher RSA_WITH_3DES_EDE_CBC_SHA

  cipher RSA_WITH_AES_128_CBC_SHA priority 2

  cipher RSA_WITH_AES_256_CBC_SHA priority 10

  cipher RSA_EXPORT1024_WITH_RC4_56_MD5

  cipher RSA_EXPORT1024_WITH_DES_CBC_SHA

With this cipher the browser crome negotiates di criptografy to 112 bit. Instead if install only cipher  AES_256_ the client crome goes to 256 bit, but the application not work. The connection is not done with browser, but by application.

There are this difference:

certificate ssl on server - conn established

certificate ssl on LB ACE - conn not established

I have attacched the chrome log (in italian) about certificates

Preview file
34 KB
0 Helpful

yushimaz
Cisco Employee
Cisco Employee
In response to simone_mx

‎03-24-2011 05:21 AM

The difference between ACE and server looks ssl version.

Since I cannot read italian, I don't know the detail of attachemnt log

but I found the following message.

# on balancer

la connessione con SSL 3.0.

# on server

la connessione con TLS.

Could you please add 'version TLS1' configuration in parameter-map as below

and check the behavior? If chrome log becomes TLS (which is the same with

server log) but the reault is same, I need more information regarding application.

ACE4710/c2(config)# parameter-map type ssl ssl_cipher

ACE4710/c2(config-parammap-ssl)# version

SSL3  TLS1  all

ACE4710/c2(config-parammap-ssl)# version TLS1

Regards,

Yuji

0 Helpful

simone_mx
Level 1
Level 1
In response to yushimaz

‎03-24-2011 05:27 AM

I have setted the version TLS1, but the connection fail.

chrome error: Errore 107 (net::ERR_SSL_PROTOCOL_ERROR)

0 Helpful

yushimaz
Cisco Employee
Cisco Employee
In response to simone_mx

‎03-24-2011 06:05 AM

Umm.. In that case I want capture trace and configuration of ACE to investigate more detail.

Regards,

Yuji

0 Helpful

Jorge Bejarano
Level 4
Level 4

‎03-07-2012 07:29 PM

You can proceed with the upgrade proactively but I have read some forums about this topic and everything indicates a problem with Chrome and some settings which need to be configured to have it working.

Hope this helps!!!

Jorge

0 Helpful

univa741
Level 1
Level 1

‎11-29-2022 10:37 AM - edited ‎12-15-2022 07:31 AM

The Caavo web design glasgow seamlessly connects multiple devices, and the voice control on it works quite efficiently. It also provides the option of a good cross-service search that works across a variety of devices. What sets this remote apart is the search capability of this Remote.

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card