10-04-2007 09:04 AM
Hi,
I'm having a problem with configuring end-to-end SSL as documented in Section 5 of the ACE SSL guide.
Without the ssl-proxy definition it "works" in the sense that the response is HTTPS format from either of the real servers.
If I add
  ssl-proxy server PSERVICE_SERVER
into
  policy-map multi-match LB-VIP
    class VIP-CATHY-https
      loadbalance vip inservice
      loadbalance policy VIP-LB-CATHY-https
then it fails and a Wireshark trace shows a Handshake Failure - but no helpful details.
What I'm trying to do is terminate and re-initiate the SSL traffic to the two real servers.
Am I missing something obvious? The configuration of my Test context is attached.
Kind Regards
Cathy
10-10-2007 11:38 AM
Check this bug information: CSCsg04254
10-10-2007 10:28 PM
Thank you.
I don't have access to the bug database - so if you could copy it to here that would be helpful.
I think I've got a config that works. I hadn't grasped the necessity for a layer 7 policy to make it work. Also I needed to set the close-protocol in the SSL parameters to be none rather than strict (default).
Kind Regards
Cathy
10-11-2007 01:29 AM
Cathy, are you using IE?
If yes, could you try another browser like Mozilla?
Are you using a certificate group?
Is the total size bigger than 4k?
Gilles.
10-11-2007 03:25 AM
I was using IE. By chance I saw another query on here that mentioned the close-protocol option.
I don't think the chaingroup exceeded 4K - but it was probably borderline. I took out the server certificate and just left in the 3 GlobalSign certificates. I couldn't see the point of including it in the chain as well as in the server definition.
I think I have it working - it was just a lot more complicated than I thought it would be. It would be useful if the manual had an example of an end-to-end configuration rather than just referring to Ch4 and Ch3.
Thank you for your help.
Kind Regards
Cathy