12-10-2008 07:35 AM
Hi,
I have configured a VIP on the ACE for https and used a self-signed certificate.
Mozilla works perfectly fine; however, Internet Explorer returns "Internet Explorer cannot display the webpage".
When I checked via Ethereal, I noticed that the following message is shown only when accessing the https URL via Internet Explorer and not Mozilla:
SSLv3 Alert(Level:Fatal, Description: Handshake Failure)
In short, SSL handshake fails for IE.
Would you know why this happens?
Thanks.
12-10-2008 10:15 AM
Check this link, hopefully it provides some insight.
12-10-2008 09:23 PM
Thanks. I have verified the given points but haven't succeeded. Any other clues?
Are there any ACE-related tuning parameters to resolve this problem? The SSL Handshake Failure (40) is sent back by the ACE to the client, as can be seen in Ethereal.
Please assist.
12-12-2008 01:53 AM
Hi,
I don't fully understand the background but some time ago I saw handshake problems. Setting the ssl close-protocol parameter seems to help:
parameter-map type ssl PARAMMAP_SSL
  close-protocol disabled
HTH
Cathy
12-12-2008 02:57 AM
Hi Cathy,
I tried it but got the same results.
I have enabled debug ssl to dig deeper but it does not give any results. And when I do debug all (test environment) it says debug all is disabled. Would you know how I can enable 'debug all' on the ACE? I would like to see every activity through/from the ACE.
SSL Handshake Failure (40) means there is a mismatch of security parameters such as session id, compression method, cryptographic parameters etc. I would like to look into those values and understand the difference as opposed to the Client Hello. Basically the parameters between Client and Server Hello should be the same. And in my case, instead of getting a Server Hello I get the handshake failure.
Have you or anyone ever seen a live working example of SSL on Cisco ACE with Internet Explorer?
Thanks.
12-12-2008 03:03 AM
Hi,
Yes, we have SSL termination from IE for many of our systems and it works just fine - with the close-protocol set. In addition I set the acceptable crypto parameters, e.g.
parameter-map type ssl PARAMMAP_SSL
  cipher RSA_WITH_RC4_128_MD5 priority 2
  cipher RSA_WITH_RC4_128_SHA priority 2
  cipher RSA_WITH_DES_CBC_SHA priority 3
  cipher RSA_WITH_3DES_EDE_CBC_SHA priority 3
  cipher RSA_EXPORT_WITH_RC4_40_MD5
  cipher RSA_EXPORT_WITH_DES40_CBC_SHA
  close-protocol disabled
HTH
Cathy
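
Added example, not part of the original thread and not Cisco code: one way to test whether a cipher mismatch could explain the handshake_failure(40) alert is to pull the cipher suite list out of the ClientHello captured in Ethereal and intersect it with the ciphers in the parameter-map. The function names and the sample ClientHello are constructed for illustration; the name-to-ID mapping uses the standard IANA suite numbers, and only the SSLv3/TLS record format is parsed (not an SSLv2-compatible hello).

```python
import struct

# ACE parameter-map cipher names from the thread -> IANA cipher suite IDs.
ACE_CIPHERS = {
    "RSA_EXPORT_WITH_RC4_40_MD5": 0x0003,
    "RSA_WITH_RC4_128_MD5": 0x0004,
    "RSA_WITH_RC4_128_SHA": 0x0005,
    "RSA_EXPORT_WITH_DES40_CBC_SHA": 0x0008,
    "RSA_WITH_DES_CBC_SHA": 0x0009,
    "RSA_WITH_3DES_EDE_CBC_SHA": 0x000A,
}

def offered_suites(record: bytes) -> list[int]:
    """Return the cipher suite IDs from an SSLv3/TLS ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(body) < 39 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                  # handshake header, client_version, random
    pos += 1 + body[pos]              # skip session_id (1-byte length prefix)
    (n,) = struct.unpack("!H", body[pos:pos + 2])
    raw = body[pos + 2:pos + 2 + n]
    if n % 2 or len(raw) != n:
        raise ValueError("truncated cipher suite list")
    return list(struct.unpack(f"!{n // 2}H", raw))

def shared_ciphers(record: bytes, configured: list[str]) -> list[str]:
    """Configured ACE ciphers that the client also offers, in configured order."""
    offered = set(offered_suites(record))
    return [name for name in configured if ACE_CIPHERS[name] in offered]

def build_hello(suites: list[int]) -> bytes:
    """Construct a minimal SSLv3 ClientHello record (sample input only)."""
    cs = struct.pack(f"!{len(suites)}H", *suites)
    body = b"\x03\x00" + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x00" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    hello = build_hello([0x0004, 0x0005, 0x000A])       # constructed sample
    for cfg in (["RSA_WITH_3DES_EDE_CBC_SHA", "RSA_WITH_RC4_128_SHA"],
                ["RSA_WITH_DES_CBC_SHA"]):
        common = shared_ciphers(hello, cfg)
        print(cfg, "->", common or "no overlap: expect handshake_failure(40)")
```

To use it on a real capture, pass the raw bytes of the first TLS record the client sends instead of the constructed sample. The EXPORT and single-DES entries in the list above are 40- and 56-bit suites, so a client that overlaps only on those negotiates a weak cipher.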