SSLv3 Handshake failure on Cisco ACE (IE)

new_networker
Level 1

Hi,

I have configured a VIP on the ACE for https and used a self-signed certificate.

Mozilla works perfectly fine; however, Internet Explorer returns "Internet Explorer cannot display the webpage".

When I checked via Ethereal, I noticed that the following message is shown only when accessing the https URL via Internet Explorer and not Mozilla:

SSLv3 Alert(Level:Fatal, Description: Handshake Failure)

In short, SSL handshake fails for IE.

Would you know why this happens?

Thanks.

5 Replies

Collin Clark
VIP Alumni

Check this link, hopefully it provides some insight.

http://msdn.microsoft.com/en-us/library/bb250503.aspx

Thanks. I have verified the given points but haven't succeeded. Any other clues?

Are there any ACE-related tuning parameters to resolve this problem, because the SSL Handshake Failure (40) is sent back by the ACE to the client (this can be seen in Ethereal)?

Please assist.

Hi,

I don't fully understand the background but some time ago I saw handshake problems. Setting the ssl close-protocol parameter seems to help:

parameter-map type ssl PARAMMAP_SSL
  close-protocol disabled

HTH

Cathy

Hi Cathy,

I tried it but got the same results.

I have enabled debug ssl to dig deeper, but it does not give any results. And when I do debug all (test environment), it says debug all is disabled. Would you know how I can enable 'debug all' on the ACE? I would like to see every activity through/from the ACE.

SSL Handshake Failure (40) means there is a mismatch of security parameters such as session id, compression method, cryptographic parameters, etc. I'd like to look into those values and understand the difference as opposed to the Client Hello. Basically the parameters between Client and Server Hello should be the same. And in my case, instead of getting a Server Hello I get the handshake failure.

Have you or anyone ever seen a live working example of SSL on Cisco ACE with Internet Explorer?

Thanks.

Hi,

Yes, we have SSL termination from IE for many of our systems and it works just fine - with the close-protocol set. In addition, I set the acceptable crypto parameters, e.g.:

parameter-map type ssl PARAMMAP_SSL
  cipher RSA_WITH_RC4_128_MD5 priority 2
  cipher RSA_WITH_RC4_128_SHA priority 2
  cipher RSA_WITH_DES_CBC_SHA priority 3
  cipher RSA_WITH_3DES_EDE_CBC_SHA priority 3
  cipher RSA_EXPORT_WITH_RC4_40_MD5
  cipher RSA_EXPORT_WITH_DES40_CBC_SHA
  close-protocol disabled

HTH

Cathy
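
Added example (not part of the thread and not Cisco code): a server that finds no acceptable cipher suite in the ClientHello answers with a fatal handshake_failure (40) alert instead of a Server Hello, so one check on a capture like the one described above is to extract the suites the client offered and intersect them with the suites named in the parameter-map. The function names are hypothetical, the alert and ClientHello bytes are constructed samples, and only the SSLv3/TLS record format is parsed (an SSLv2-format hello is rejected).

```python
# IANA code points for the suite names in the parameter-map posted above.
ACE_SUITES = {
    0x0003: "RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "RSA_WITH_RC4_128_MD5",
    0x0005: "RSA_WITH_RC4_128_SHA",
    0x0008: "RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0009: "RSA_WITH_DES_CBC_SHA",
    0x000A: "RSA_WITH_3DES_EDE_CBC_SHA",
}

def parse_alert(record):
    """Return (level, description) from a plaintext alert record."""
    if len(record) < 7 or record[0] != 0x15:
        raise ValueError("not an alert record")
    return record[5], record[6]

def client_hello_suites(record):
    """Return cipher suite IDs offered in an SSLv3/TLS ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a handshake record (SSLv2-format hello?)")
    body = record[5:5 + int.from_bytes(record[3:5], "big")]
    if len(body) < 39 or body[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    pos = 4 + 2 + 32              # handshake header, client_version, random
    pos += 1 + body[pos]          # skip length-prefixed session_id
    if len(body) < pos + 2:
        raise ValueError("truncated before cipher_suites")
    n = int.from_bytes(body[pos:pos + 2], "big")
    raw = body[pos + 2:pos + 2 + n]
    if n % 2 or len(raw) != n:
        raise ValueError("malformed cipher_suites vector")
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, n, 2)]

def common_suites(record, server=ACE_SUITES):
    """Server-configured suite names the client also offered, in client order."""
    return [server[s] for s in client_hello_suites(record) if s in server]

def build_hello(suites):
    """Constructed sample: minimal SSLv3 ClientHello offering `suites`."""
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    body = (b"\x03\x00" + bytes(32) + b"\x00"
            + len(cs).to_bytes(2, "big") + cs + b"\x01\x00")
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x00" + len(hs).to_bytes(2, "big") + hs

if __name__ == "__main__":
    print(parse_alert(bytes.fromhex("15030000020228")))      # constructed alert
    print(common_suites(build_hello([0x002F, 0x0035])))      # no overlap
    print(common_suites(build_hello([0x0004, 0x000A, 0x002F])))
```

An empty result from `common_suites` means the client and the configured list share no suite, which is one condition that produces this alert; a non-empty result points the investigation at other parameters.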
