ACE: Problem with end-to-end SSL

ciscocsoc · ‎10-04-2007

Hi,

I'm having a problem with configuring end-to-end SSL as documented in Section 5 of the ACE SSL guide.

Without the ssl-proxy definition it "works" in the sense that the response is HTTPS format from either of the real servers.

If I add

ssl-proxy server PSERVICE_SERVER into

policy-map multi-match LB-VIP

class VIP-CATHY-https

loadbalance vip inservice

loadbalance policy VIP-LB-CATHY-https

then it fails and a wireshark trace shows a Handshake Failure - but no helpful details.

What I'm trying to do is terminate and re-initiate the SSL traffic to the two real servers.

Am I missing something obvious? The configuration of my Test context is attached.

Kind Regards

Cathy

bwilmoth · ‎10-10-2007

Check this bug information :CSCsg04254

ciscocsoc · ‎10-10-2007

Thank you.

I don't have access to the bug database - so if you could copy it to here that would be helpful.

I think I've got a config that works. I hadn't grasped the necessity for a layer 7 policy to make it work. Also I needed to set the close-protocol in the SSL parameters to be none rather than strict (default).

Kind Regards

Cathy

Gilles Dufour · ‎10-11-2007

Cathy, are you using IE ??

If yes, could you try another brother like mozilla.

Are you using certificate group ?

Is the total size bigger than 4k ?

Gilles.

ciscocsoc · ‎10-11-2007

I was using IE. By chance I saw another query on here that mentioned the close-protocol option.

I don't think the chaingroup exceeded 4K - but it was probably borderline. I took out the server certificate and just left in the 3 GlobalSign certificates. I couldn't see the point of including it in the chain as well as in the server definition.

I think I have it working - it was just a lot more complicated than I thought it would be. It would be useful if the manual had an example of an end-to-end configuration rather than just referring to Ch4 and Ch3.

Thank you for your help.

Kind Regards

Cathy