CSS Backend-Ssl (bad record mac) problem

dbeynaerts
Level 1

Hi,

First things first:

Version: sg0720104 (7.20 Build 104)
Flash (Locked): 7.20 Build 3
Flash (Operational): 7.20 Build 104
Type: PRIMARY
Licensed Cmd Set(s): Standard Feature Set

System Resources for CSS501-SCM-INT:
Installed Memory: 268,435,456 (256 MB)
Free Memory: 138,374,800 (131 MB)

We have the following config:

ssl-proxy-list MyFirm
  ssl-server 115
  ssl-server 115 rsakey websitekey
  ssl-server 115 rsacert websitecert
  ssl-server 115 vip address 1.1.1.1
  ssl-server 115 cipher rsa-with-rc4-128-md5 1.1.1.1 8080
  ssl-server 115 unclean-shutdown
  backend-server 3
  backend-server 3 ip address 2.2.2.2
  backend-server 3 port 8080
  backend-server 3 server-ip 2.2.2.2
  backend-server 3 cipher rsa-with-rc4-128-md5
  active

service Website
  ip address 2.2.2.2
  keepalive type ssl
  keepalive port 443
  type ssl-accel-backend
  add ssl-proxy-list MyFirm
  active

service ssl_module
  type ssl-accel
  slot 2
  add ssl-proxy-list MyFirm
  keepalive type none
  active

content Website_Ssl
  add service ssl_module
  advanced-balance ssl
  application ssl
  vip address 1.1.1.1
  protocol tcp
  port 443
  active

content Website
  add service Website
  vip address 1.1.1.1
  advanced-balance arrowpoint-cookie
  arrowpoint-cookie browser-expire
  protocol tcp
  port 8080
  active

group Website
  vip address 1.1.1.1
  add destination service Website
  active

Now what is the problem? The problem is the backend connection to the server. Until now I'm not able to make this thing work. According to the documentation of the backend server (it is a proprietary product) the server should support the rsa-with-rc4-128-md5 cipher. When I connect directly to this server (using Internet Explorer) I can see that I have a 128-bit encrypted session using RSAMD5. Unfortunately, when I sniff the traffic between the CSS and the backend server I notice that the connection gets aborted. Here is what is happening:

- Three-way handshake is OK
- CSS -> Backend : SSL v3 Client Hello (Cipher Suite : TLS_RSA_WITH_RC4_128_MD5) -> OK
- Backend -> CSS : SSL v3 Server Hello, Certificate, Server Hello Done (Cipher Suite : TLS_RSA_WITH_RC4_128_MD5) -> OK
- CSS -> Backend : SSL v3 Client Key Exchange -> OK
- CSS -> Backend : SSL v3 Change Cipher Spec -> OK ? (see next, don't know which one is screwing up)
- Backend -> CSS : Incorrect Checksum message -> Problem
- CSS -> Backend : SSL v3 Encrypted Handshake Message -> OK ?
- Backend -> CSS : SSL v3 Alert (Level : Fatal, Description : Bad record MAC) -> Probably a result of the bad checksum

Next the connection is terminated (FIN, FIN-ACK, ACK).

My question: has anybody experienced the same behavior (SSL working perfectly for other sites, including backend SSL)? And any ideas on how I can troubleshoot this in order to get this fixed? We already opened a case with our reseller (and they opened a case at Cisco), and that was two weeks ago. People are getting impatient, so this is why I'm trying my luck over here ...

Kind regards

Ronny.Geerkens@pandora.Be


seilsz
Level 4

The Change Cipher Spec message is normal, and should also be received by the client (from the server).

The bad_record_mac message normally means that the one way hash computed on receipt of a message does not match the hash generated when the message was sent - aka the contents have been altered in transit.

In your example, you have:

- CSS -> Backend : SSL v3 Client Key Exchange
- CSS -> Backend : SSL v3 Change Cypher Spec
- CSS -> Backend : SSL v3 Encrypted Handshake Message

all listed on separate lines. Is this because you see them in different packets in your trace?

Can you post (or email) the full packet capture?

~Zach

seils@netsolve.net
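To make the bad_record_mac explanation in the reply concrete, here is an added example (not part of the thread, and not Cisco CSS code) that implements the SSL 3.0 record MAC for an MD5 suite such as the RSA-RC4-128-MD5 suite negotiated above, verifies the first protected record after Change Cipher Spec (the encrypted Finished message), and then shows the two receiver-side failures that produce this alert: a fragment altered in transit, and a sequence-number mismatch between the two sides. The MAC secret and Finished body are constructed sample values.

```python
import hashlib
import hmac

# SSL 3.0 record MAC (RFC 6101, section 5.2.3.1) for MD5-based cipher suites:
#   hash(secret + pad_2 + hash(secret + pad_1 + seq_num + type + length + fragment))
# pad_1 / pad_2 are 48 bytes each for MD5.
PAD_1 = b"\x36" * 48
PAD_2 = b"\x5c" * 48
HANDSHAKE = 22  # SSL record content type for handshake messages


def ssl3_md5_mac(mac_secret: bytes, seq_num: int, content_type: int, fragment: bytes) -> bytes:
    """Compute the 16-byte SSL 3.0 MD5 MAC over one record's plaintext fragment."""
    inner = hashlib.md5(
        mac_secret + PAD_1
        + seq_num.to_bytes(8, "big")          # 64-bit record sequence number
        + bytes([content_type])               # SSLCompressed.type
        + len(fragment).to_bytes(2, "big")    # SSLCompressed.length
        + fragment
    ).digest()
    return hashlib.md5(mac_secret + PAD_2 + inner).digest()


def verify_record(mac_secret: bytes, seq_num: int, content_type: int,
                  fragment: bytes, received_mac: bytes) -> bool:
    """Receiver side: recompute the MAC and compare in constant time.
    A False result is exactly the condition that triggers a fatal bad_record_mac alert."""
    expected = ssl3_md5_mac(mac_secret, seq_num, content_type, fragment)
    return hmac.compare_digest(expected, received_mac)


# Constructed sample values (not taken from the trace in the thread).
MAC_SECRET = bytes(range(16))
# Finished handshake message: type 0x14, length 36 (MD5 + SHA-1 verify data), dummy body.
FINISHED = b"\x14\x00\x00\x24" + b"\xaa" * 36


def demo():
    """Return (intact_ok, tampered_ok, wrong_seq_ok) for the first record after CCS."""
    mac = ssl3_md5_mac(MAC_SECRET, 0, HANDSHAKE, FINISHED)
    intact_ok = verify_record(MAC_SECRET, 0, HANDSHAKE, FINISHED, mac)

    # Case 1: one byte of the fragment changed between sender and receiver.
    tampered = bytearray(FINISHED)
    tampered[5] ^= 0x01
    tampered_ok = verify_record(MAC_SECRET, 0, HANDSHAKE, bytes(tampered), mac)

    # Case 2: bytes intact, but the receiver's record counter is one ahead of the sender's.
    wrong_seq_ok = verify_record(MAC_SECRET, 1, HANDSHAKE, FINISHED, mac)
    return intact_ok, tampered_ok, wrong_seq_ok
```

Because the sequence number is part of the MAC input, a capture where both sides agree on the bytes can still end in bad_record_mac if they disagree on how many records preceded the Finished message, which is why the reply asks whether the three client messages arrived in separate packets.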
