09-10-2014 07:24 PM
Hi,
We've inherited a pair of ACE30 modules running A5(2.1) that have a config that appears to be terminating SSL, however there's no ssl-proxy statement in the class statement under the multi match policy. The servers in the corresponding serverfarm are listening on port 8080, which is not a secure port, so it looks like ACE should be terminating the SSL and passing these connections on the clear text port.
However, we have no documentation for this app, nor the folks who had written it. Is there a way to definitively determine whether the ACE is terminating the SSL or the back-end servers are?
Thanks.
09-11-2014 07:21 AM
Hi,
From the configuration you should be able to find out if the ACE is configured for SSL termination or not. You should see an ssl-proxy server <name> statement under policy multi-match. If not, then ACE is not doing SSL termination. ssl-proxy client <name> under the L7 policy map would indicate that ACE is configured for SSL initiation. Both would show that ACE is configured for End-to-End SSL.
You can also check "show stats crypto server/client" to see the statistics. A quick packet capture on the server would also show whether the traffic passed to it by ACE is decrypted or encrypted, or you can also take a pcap on the ACE itself to see that.
Let me know if you have any questions.
Regards,
Kanwal
Note: Please mark answers if they are helpful.
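Added example, not part of the original posts: one way to read the server-side capture suggested above is to look at the first client-to-server payload bytes of each connection on port 8080 and decide whether they are a TLS ClientHello or a cleartext HTTP request. The function names and the sample payloads are constructed for illustration, and it assumes the payload bytes have already been extracted from the pcap.

```python
import struct

# Request-line prefixes that mark cleartext HTTP.
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE ")


def classify_payload(data: bytes) -> str:
    """Classify the first client-to-server payload of a TCP connection.

    Returns 'http', 'tls' or 'unknown'.
    """
    if data.startswith(HTTP_METHODS):
        # A real request line ends with the protocol version token.
        request_line = data.split(b"\r\n", 1)[0]
        if request_line.rsplit(b" ", 1)[-1].startswith(b"HTTP/"):
            return "http"
    if len(data) >= 6:
        # TLS record header: content type, version major/minor, length.
        ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
        is_handshake_record = ctype == 22 and major == 3 and minor <= 4
        # First handshake message from a client is ClientHello (type 1).
        if is_handshake_record and 0 < length <= 16384 and data[5] == 1:
            return "tls"
    return "unknown"


def server_side_verdict(payloads) -> str:
    """Summarise what the load balancer hands to the back-end servers."""
    kinds = {classify_payload(p) for p in payloads}
    if kinds == {"http"}:
        return "cleartext"      # SSL ends before the server
    if kinds == {"tls"}:
        return "encrypted"      # passed through or re-encrypted
    return "inconclusive"       # mixed, empty or unrecognised traffic


# Constructed samples (not taken from a real capture).
SAMPLE_HTTP = b"GET /app/login HTTP/1.1\r\nHost: app.example\r\n\r\n"
SAMPLE_TLS = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + b"\x00" * 36

if __name__ == "__main__":
    print(server_side_verdict([SAMPLE_HTTP, SAMPLE_HTTP]))
    print(server_side_verdict([SAMPLE_TLS]))
```

A result of "encrypted" from the server side alone does not distinguish pass-through from end-to-end SSL; the crypto statistics or the configuration settle that.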