11-05-2004 04:56 AM
Hi,
First things first :
Version: sg0720104 (7.20 Build 104)
Flash (Locked): 7.20 Build 3
Flash (Operational): 7.20 Build 104
Type: PRIMARY
Licensed Cmd Set(s): Standard Feature Set
System Resources for CSS501-SCM-INT:
Installed Memory: 268,435,456 (256 MB)
Free Memory: 138,374,800 (131 MB)
We have the following config :
ssl-proxy-list MyFirm
ssl-server 115
ssl-server 115 rsakey websitekey
ssl-server 115 rsacert websitecert
ssl-server 115 vip address 1.1.1.1
ssl-server 115 cipher rsa-with-rc4-128-md5 1.1.1.1 8080
ssl-server 115 unclean-shutdown
backend-server 3
backend-server 3 ip address 2.2.2.2
backend-server 3 port 8080
backend-server 3 server-ip 2.2.2.2
backend-server 3 cipher rsa-with-rc4-128-md5
active
service Website
ip address 2.2.2.2
keepalive type ssl
keepalive port 443
type ssl-accel-backend
add ssl-proxy-list MyFirm
active
service ssl_module
type ssl-accel
slot 2
add ssl-proxy-list MyFirm
keepalive type none
active
content Website_Ssl
add service ssl_module
advanced-balance ssl
application ssl
vip address 1.1.1.1
protocol tcp
port 443
active
content Website
add service Website
vip address 1.1.1.1
advanced-balance arrowpoint-cookie
arrowpoint-cookie browser-expire
protocol tcp
port 8080
active
group Website
vip address 1.1.1.1
add destination service Website
active
Now what is the problem? The problem is the backend connection to the server. Until now I'm not able to make this
thing work. According to the documentation of the backend server (it is a proprietary product) the server should support
the rsa-with-rc4-128-md5 cipher. When I connect directly to this server (using Internet Explorer) I can see that I
have a 128 bit encrypted session using RSA/MD5. Unfortunately, when I sniff the traffic between the CSS and the backend
server I notice that the connection gets aborted. Here is what is happening:
- Three-way handshake is OK
- CSS -> Backend : SSL v3 Client Hello (Cipher Suite : TLS_RSA_WITH_RC4_128_MD5) -> OK
- Backend -> CSS : SSL v3 Server Hello, Certificate, Server Hello Done (Cipher Suite : TLS_RSA_WITH_RC4_128_MD5) -> OK
- CSS -> Backend : SSL v3 Client Key Exchange -> OK
- CSS -> Backend : SSL v3 Change Cipher Spec -> OK ? (see next, don't know which one is screwing up)
- Backend -> CSS : Incorrect Checksum message -> Problem
- CSS -> Backend : SSL v3 Encrypted Handshake Message -> OK ?
- Backend -> CSS : SSL v3 Alert (Level : Fatal, Description : Bad record MAC) -> Probably a result of the bad checksum
Next the connection is terminated (FIN, FIN-ACK, ACK).
My question: has anybody experienced the same behavior (SSL working perfectly for other sites, including backend
SSL)? And any ideas on how I can troubleshoot this in order to get this fixed? We already opened a case with our
reseller (and they opened a case at Cisco), and that was two weeks ago. People are getting impatient, so this is why
I'm trying my luck over here ...
Kind regards
11-05-2004 07:37 AM
The Change Cipher Spec message is normal, and should also be received by the client (from the server).
The bad_record_mac message normally means that the one way hash computed on receipt of a message does not match the hash generated when the message was sent - aka the contents have been altered in transit.
In your example, you have:
- CSS -> Backend : SSL v3 Client Key Exchange
- CSS -> Backend : SSL v3 Change Cypher Spec
- CSS -> Backend : SSL v3 Encrypted Handshake Message
all listed on separate lines. Is this because you see them in different packets in your trace?
Can you post (or email) the full packet capture?
~Zach
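To help with the troubleshooting question in the first post and the packet-grouping question Zach raises, here is an added example (not code from either poster and not a Cisco tool) that walks a raw SSLv3 record stream and labels each record and handshake message, tracking per direction when Change Cipher Spec has switched that side to encrypted records. The sample flow is constructed by hand to mirror the sequence described in the post (zeroed randoms, an empty certificate list and a zero-filled key exchange are placeholders, not real capture data), so the parser can be run offline; on a real trace you would feed it the reassembled TCP payload of each direction.

```python
"""Label SSLv3/TLS records from a reassembled byte stream (added example, not from the thread)."""
import struct

CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      20: "bad_record_mac", 40: "handshake_failure"}
CIPHER_SUITES = {0x0004: "TLS_RSA_WITH_RC4_128_MD5"}  # the suite from the post

def _suite_name(code):
    return CIPHER_SUITES.get(code, f"0x{code:04x}")

def _client_hello_suites(msg):
    # client_version(2) + random(32) + session_id_len(1) + session_id + suites_len(2) + suites
    sid_len = msg[34]
    p = 35 + sid_len
    n = struct.unpack("!H", msg[p:p + 2])[0]
    suites = msg[p + 2:p + 2 + n]
    return [_suite_name(int.from_bytes(suites[i:i + 2], "big")) for i in range(0, n, 2)]

def _server_hello_suite(msg):
    # server_version(2) + random(32) + session_id_len(1) + session_id + cipher_suite(2)
    sid_len = msg[34]
    p = 35 + sid_len
    return _suite_name(int.from_bytes(msg[p:p + 2], "big"))

def _handshake_messages(body):
    """Several handshake messages may share one record (ServerHello, Certificate, ServerHelloDone)."""
    labels, pos = [], 0
    while pos + 4 <= len(body):
        msg_type = body[pos]
        length = int.from_bytes(body[pos + 1:pos + 4], "big")
        msg = body[pos + 4:pos + 4 + length]
        pos += 4 + length
        name = HANDSHAKE_TYPES.get(msg_type, f"handshake({msg_type})")
        if msg_type == 1:
            name += " suites=" + ",".join(_client_hello_suites(msg))
        elif msg_type == 2:
            name += " suite=" + _server_hello_suite(msg)
        labels.append(name)
    return labels

def label_records(flow):
    """flow: list of (direction, raw_bytes) in wire order. Returns list of (direction, label)."""
    encrypted = {}   # direction -> True once that side has sent ChangeCipherSpec
    out = []
    for direction, data in flow:
        pos = 0
        while pos + 5 <= len(data):
            ctype = data[pos]
            length = struct.unpack("!H", data[pos + 3:pos + 5])[0]
            body = data[pos + 5:pos + 5 + length]
            if len(body) < length:
                raise ValueError("truncated record")
            pos += 5 + length
            if ctype == 20:
                encrypted[direction] = True
                out.append((direction, "ChangeCipherSpec"))
            elif encrypted.get(direction):
                # After CCS every record from this side is ciphertext; only the type is visible.
                out.append((direction, "Encrypted" + CONTENT_TYPES.get(ctype, f"unknown({ctype})")))
            elif ctype == 21:
                level = "fatal" if body[0] == 2 else "warning"
                out.append((direction, f"Alert level={level} {ALERT_DESCRIPTIONS.get(body[1], body[1])}"))
            elif ctype == 22:
                out.extend((direction, m) for m in _handshake_messages(body))
            else:
                out.append((direction, CONTENT_TYPES.get(ctype, f"unknown({ctype})")))
    return out

def first_fatal_alert(labels):
    """Return (direction, label) of the first plaintext fatal alert, or None."""
    return next((item for item in labels if item[1].startswith("Alert level=fatal")), None)

# --- constructed sample mirroring the post's trace (placeholder values, not a real capture) ---
def _record(content_type, body, version=b"\x03\x00"):
    return bytes([content_type]) + version + struct.pack("!H", len(body)) + body

def _handshake(msg_type, body):
    return bytes([msg_type]) + struct.pack("!I", len(body))[1:] + body

def build_sample_flow():
    rnd = bytes(32)                                # placeholder random
    client_hello = _handshake(1, b"\x03\x00" + rnd + b"\x00" + b"\x00\x02" + b"\x00\x04" + b"\x01\x00")
    server_hello = _handshake(2, b"\x03\x00" + rnd + b"\x00" + b"\x00\x04" + b"\x00")
    certificate = _handshake(11, b"\x00\x00\x00")  # empty certificate list placeholder
    server_hello_done = _handshake(14, b"")
    client_key_exchange = _handshake(16, bytes(128))  # placeholder encrypted premaster
    return [
        ("CSS->Backend", _record(22, client_hello)),
        ("Backend->CSS", _record(22, server_hello + certificate + server_hello_done)),
        ("CSS->Backend", _record(22, client_key_exchange)),
        ("CSS->Backend", _record(20, b"\x01")),
        ("CSS->Backend", _record(22, bytes(56))),   # Finished, opaque once encrypted
        ("Backend->CSS", _record(21, b"\x02\x14")),  # fatal (2) bad_record_mac (20)
    ]

if __name__ == "__main__":
    for direction, label in label_records(build_sample_flow()):
        print(f"{direction:13} {label}")
```

Because the parser walks the record layer rather than packets, it answers Zach's question directly: whether Client Key Exchange, Change Cipher Spec and the encrypted Finished arrive in one TCP segment or three makes no difference to the labels, only to how they are fed in. The fatal alert arriving before the backend has sent its own Change Cipher Spec is still plaintext and is therefore decoded, which is what lets the bad_record_mac description be read off the trace.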