
configure SSL termination problem

julxu
Level 1

I have configured SSL termination and the test is not successful.

My local HTTP server is 10.1.1.1, port 7778, and it also has an SSL server currently running on port 443.

I need to replace it by setting up SSL termination, so the server's admin can disable SSL on the Unix server.

Question:

Can I set up SSL termination and test it while the local server's SSL server is active?

Any comments will be appreciated

Thanks in advance

6 Replies

julxu
Level 1

Question 2:

Since I have not received a reply yet, I am adding more:

I have configured:

ssl-proxy-list ssl-staffonlinetest
  ssl-server 20
  ssl-server 20 rsacert staffonlinetestcert
  ssl-server 20 rsakey staffonlinetestkey
  ssl-server 20 vip address 10.2.2.131
  description "staffonline-dev1 SSL list"
  ssl-server 20 cipher rsa-export1024-with-rc4-56-sha 10.2.2.131 81
  ssl-server 20 cipher rsa-export1024-with-des-cbc-sha 10.2.2.131 81
  ssl-server 20 cipher rsa-export-with-des40-cbc-sha 10.2.2.131 81
  ssl-server 20 cipher rsa-export-with-rc4-40-md5 10.2.2.131 81
  ssl-server 20 cipher rsa-with-3des-ede-cbc-sha 10.2.2.131 81
  ssl-server 20 cipher rsa-with-des-cbc-sha 10.2.2.131 81
  ssl-server 20 cipher rsa-with-rc4-128-sha 10.2.2.131 81
  ssl-server 20 cipher rsa-with-rc4-128-md5 10.2.2.131 81
  active

service ssl-staffonlinetest1
  type ssl-accel
  slot 3
  keepalive type none
  add ssl-proxy-list ssl-staffonlinetest
  active

service staffonline-bronson-7778
  ip address 10.1.1.42
  protocol tcp
  port 7778
  keepalive type tcp
  keepalive port 7778
  active

nql SSL-81
  ip address 10.2.2.131 255.255.255.255

nql VIP-443
  ip address 10.2.2.131 255.255.255.255

owner SSL-owner

  content ssl-staffonlinetest-rule
    application ssl
    port 443
    protocol tcp
    advanced-balance ssl
    add service ssl-staffonlinetest1
    vip address 10.2.2.131

  content ssl-staffonlinetest-rule2
    balance aca
    protocol tcp
    vip address 10.2.2.131
    port 81
    add service staffonline-bronson-7778

acl 5
  clause 11 permit tcp any destination nql VIP-443 eq 443
  clause 160 permit tcp nql UWS destination nql SSL-81 eq 81

and it crashed the local server; the two ports went down.

Am I configuring anything wrong?

When the Unix server's port 443 is up, can I test SSL termination? Do I need to ask them to disable the SSL server first?

Any comment will be appreciated.

Thanks in advance

julxu

Julxu,

I have a few comments to make.

First, you should remove the 'application ssl' and 'advanced-balance ssl' commands from your content rule.

With these commands you will reduce the performance of the CSS, and they are useless anyway.

We need these commands when you have multiple devices doing SSL and you want to stick based on the SSL ID.

In this case, only one service is attached to the rule, so there is no need for stickiness.

Then, I'm not sure what crashed.

Is it the CSS or the server?

If the server, I would suggest checking with the server experts. There is no reason for the CSS to cause a crash on another device.

Is it simply because your server can't handle the load?

You can test SSL termination even if the server port 443 is up.

If the traffic is sent to the VIP, the CSS will terminate SSL and the server will never be aware that the initial connection was SSL.

Don't forget to activate your rules.

Use a 'sho summary' to verify if you have any traffic hitting the content rules.

Make sure the server response goes back to the CSS and not to the client directly.

Regards,

Gilles.

Thanks for rating.

Thanks for the reply.

One more question: in my configuration there is content rule 2 using port 81,

and I have to open a firewall hole for port 81 to the outside, otherwise the whole thing does not work.

However, I find I can connect directly to

http://10.2.2.2:81 without SSL. That is not good at all.

Could you please advise whether it is possible to stop that?

Many regards

There is no reason to open up port 81 on your firewall.

There should be no traffic sent out of the CSS with port 81.

The port 81 content rule is only used inside the CSS.

You should capture a sniffer trace and verify why traffic is coming out with port 81.

Gilles.

How can I run a sniffer on the CSS?

However, I think that for some reason my PC is connecting directly to port 81:

# sh flows 10.3.3.51
--------------- ----- --------------- ----- --------------- --- ------- ------
Src Address     SPort Dst Address     DPort NAT Dst Address Prt InPort  OutPort
--------------- ----- --------------- ----- --------------- --- ------- ------
10.3.3.51       2418  10.2.2.131      81    10.1.1.42       TCP SSL-3   1/2-111
10.3.3.51       2418  10.2.2.131      443   0.0.0.0         TCP 1/1     SSL-3
10.3.3.51       2415  10.2.2.131      81    10.1.1.42       TCP SSL-3   1/2-111
10.3.3.51       2416  10.2.2.131      81    10.1.1.42       TCP SSL-3   1/2-111
10.3.3.51       2417  10.2.2.131      81    10.1.1.42       TCP SSL-3   1/2-111
10.3.3.51       2417  10.2.2.131      443   0.0.0.0         TCP 1/1     SSL-3

This info does not indicate traffic going out to/from port 81.

It does not show the NATed port, 7778.

What you see is your PC coming in on interface 1/1 port 443 [2nd line], and then you see the CSS SSL module opening a connection, spoofing the client IP and going to 10.2.2.131:81, which is your content rule.

This should be NATed to your server IP and port.

If you do a simple search on this website you should find a way to configure span port on the CSS.

Look for "Configuring SPAN on a CSS".

This is to capture sniffer trace from a PC attached to the CSS.

Gilles.
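An added way to read the 'sh flows' table the way Gilles does above (example script, not from this thread or from Cisco): it parses the eight columns, pairs each client's 443 flow with the SSL module's spoofed-source flow to the internal port-81 rule, and flags any port-81 flow that arrived on a front-end port instead of an SSL-* slot, which is what a client bypassing termination would look like. The sample table is constructed from the rows in the thread plus one made-up bypass row (10.9.9.9); the "SSL-" InPort prefix and port numbers are assumptions taken from that output.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread's "sh flows" output.
# The 10.9.9.9 row is made up: a client hitting the plaintext rule directly.
SAMPLE_FLOWS = """\
# sh flows 10.3.3.51
--------------- ----- --------------- ----- --------------- --- ------- ------
Src Address     SPort Dst Address     DPort NAT Dst Address Prt InPort  OutPort
--------------- ----- --------------- ----- --------------- --- ------- ------
10.3.3.51       2418  10.2.2.131      81    10.1.1.42       TCP SSL-3   1/2-111
10.3.3.51       2418  10.2.2.131      443   0.0.0.0         TCP 1/1     SSL-3
10.3.3.51       2417  10.2.2.131      81    10.1.1.42       TCP SSL-3   1/2-111
10.3.3.51       2417  10.2.2.131      443   0.0.0.0         TCP 1/1     SSL-3
10.9.9.9        3001  10.2.2.131      81    10.1.1.42       TCP 1/1     1/2-111
"""

# Eight whitespace-separated columns; separator and header rows fail the \d+ groups.
FLOW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_flows(text):
    """Return one dict per data row of 'sh flows' output."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport, nat_dst, proto, inport, outport = m.groups()
        flows.append({"src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
                      "nat_dst": nat_dst, "proto": proto, "inport": inport, "outport": outport})
    return flows


def find_plaintext_bypass(flows, plain_port=81, ssl_prefix="SSL-"):
    """Flows to the internal plaintext rule port that did not come from the SSL module."""
    return [f for f in flows
            if f["dport"] == plain_port and not f["inport"].startswith(ssl_prefix)]


def pair_terminated_sessions(flows, ssl_port=443, plain_port=81, ssl_prefix="SSL-"):
    """Match each client's 443 leg with the SSL module's port-81 leg (same src/sport,
    because the module spoofs the client IP); returns {(src, sport): backend NAT address}."""
    legs = defaultdict(dict)
    for f in flows:
        legs[(f["src"], f["sport"])][f["dport"]] = f
    paired = {}
    for key, by_port in legs.items():
        front, back = by_port.get(ssl_port), by_port.get(plain_port)
        if front and back and back["inport"].startswith(ssl_prefix):
            paired[key] = back["nat_dst"]
    return paired
```

In the thread's own output every port-81 row has InPort SSL-3, so find_plaintext_bypass() returns nothing, which matches Gilles's reading that no client reaches port 81 directly.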