Can't communicate SSL to backend web proxys

v.hanna · ‎05-19-2005

Are there any known issues relating to using self signed certificates to the backend?

We are unable to negotiate a successful SSL session via the web through the CSS to backend servers.

Software version is sg07.30.3.13s

Gilles Dufour · ‎05-19-2005

Where is the self signed certificate ?

Is it on CSS or on server ?

Is the server doing client authentication ?

Self signed certificate should work, whatever config you have, but it requires to make sure the certificate is *trusted* by the remote peer.

Gilles.

v.hanna · ‎05-19-2005

The SSL Module within the CSS conducts the client auth and encryption.

The self signed is being used to the backend purely for encryption purposes.

Victor

Gilles Dufour · ‎05-20-2005

Vctor,

are you doing backend-ssl [client-CSS encrypted and als o css-server encrypted] or ssl-initiation [client-css cleartext and css-server encrypted] ?

For backend-ssl a sample config is at :

http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_example09186a0080220dab.shtml

If you are doing ssl initiation this is different from backend-ssl.

The config is slightly different as described here :

http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a0080292a22.html

Also, SSL initiation requires version 7.40 at the minimum.

Gilles.

v.hanna · ‎05-22-2005

Backend-ssl.

We have found the cause of the issue. It was a bad self signed cert created by the backend webseal proxy. We re-cut a self signed cert on an Apache box and after reimporting this it fixed the issue.

Thanks for you help.

Victor