ACE LOAD BALANCER - secure tls renegotiation

tzografos
Level 1

I have a cisco ace loadbalancer and a server farm behind it.

We have implemented SSL-to-SSL termination, but we are facing certain problems with the Opera browser and Android mobiles.

On both we get "The server does not support secure TLS renegotiation...."

Running the following:  openssl s_client -connect aaa.bbb.ccc.ddd:443

On the load balancer we get:

New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key: xxxxxxxxx
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1323349587
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)

On one of the servers from the farm we get:

New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: yyyyyyy
    Session-ID-ctx:
    Master-Key: xxxxxxxx
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1323349689
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

Is there any connection between these outputs and our problem?

Does anyone have any idea on how to solve this problem ?

Thanks in advance
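To compare the two s_client results above systematically, here is an added example (not code from the original thread) that parses the relevant lines of openssl s_client output and lists where the ACE VIP differs from a backend server; the embedded outputs are constructed excerpts of the ones quoted in the question.

```python
import re

# Constructed excerpts of the two openssl s_client outputs quoted above:
# one against the ACE VIP, one against a backend server directly.
VIP_OUTPUT = """\
New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Verify return code: 21 (unable to verify the first certificate)
"""
BACKEND_OUTPUT = """\
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 0 (ok)
"""
RENEG_RE = re.compile(r"^Secure Renegotiation IS( NOT)? supported", re.M)
CIPHER_RE = re.compile(r"^\s+Cipher\s*:\s*(\S+)", re.M)
PROTO_RE = re.compile(r"^\s+Protocol\s*:\s*(\S+)", re.M)
VERIFY_RE = re.compile(r"^\s+Verify return code:\s*(\d+)\s*\((.*)\)", re.M)

def parse_s_client(output):
    """Pull the handshake facts worth comparing out of s_client's summary."""
    reneg = RENEG_RE.search(output)
    if reneg is None:
        raise ValueError("no Secure Renegotiation line: handshake did not complete")
    verify = VERIFY_RE.search(output)
    return {
        # "IS supported" means the server sent the RFC 5746 renegotiation_info extension
        "secure_renegotiation": reneg.group(1) is None,
        "protocol": PROTO_RE.search(output).group(1),
        "cipher": CIPHER_RE.search(output).group(1),
        "verify_code": int(verify.group(1)) if verify else None,
        "verify_msg": verify.group(2) if verify else None,
    }

def findings(vip, backend):
    """List what a client sees differently because the ACE terminates TLS."""
    out = []
    if not vip["secure_renegotiation"]:
        out.append("VIP lacks RFC 5746 secure renegotiation; strict clients will warn or refuse")
        if backend["secure_renegotiation"]:
            out.append("backend offers RFC 5746, so the gap is introduced by the load balancer")
    if vip["verify_code"] not in (0, None):
        out.append("VIP chain does not verify (code %d: %s)" % (vip["verify_code"], vip["verify_msg"]))
    if vip["cipher"] != backend["cipher"]:
        out.append("cipher differs: VIP %s vs backend %s" % (vip["cipher"], backend["cipher"]))
    return out
```

Feed it the real output of `openssl s_client -connect host:443` captured from each side (the ACE VIP and a farm member) to get the same comparison for your own deployment.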

2 Replies

Daniel Arrondo Ostiz
Cisco Employee

Hi Thanassis,

TLS renegotiation was disabled in all Cisco devices due to a vulnerability of the protocol. Check http://www.cisco.com/en/US/products/products_security_advisory09186a0080b01d1d.shtml for more details.

Since the renegotiation was disabled for security reasons, there is no way to enable it back, so you should rather be looking for a way to force your browsers not to require this option to be enabled. I would suggest you contact the Opera support team.

Regards

Daniel

kkataja
Level 1

I am not aware of any Cisco ACE version that supports RFC 5746, unfortunately.