ACE SSL proxy - firefox but not IE6

Sep 13th, 2007
I had worked my way through setting up a simple design of two servers, and an HTTP load balance with the ACE across them. I then installed some certificates, and mucked around till I managed to get HTTPS frontside, and HTTP backend working. It worked from Firefox and IE6.


I then rebooted the ACE and upgraded the software from A1_2 to A1_5a. Now Firefox still works, but IE6 says that it cannot find the server. This is a lie. A packet trace shows it suffering from an SSL handshake failure (40). I'm also now seeing a "Malformed Packet SSL", whereas before the packet contained certificates.


Does anyone know why IE6 has stopped working? I rolled back to the older code, and the correct behaviour returns. Is there a new option to make IE work with the latest ACE code?


Thanks.


Gilles Dufour (Cisco Employee) Thu, 09/13/2007 - 01:13

Are you using a certificate or chain group that would have a size bigger than 4k?

Could we see the sniffer trace when IE fails ?


Thanks,


Gilles.

mike.harlow Thu, 09/13/2007 - 18:48
Ah, 4k issue.


When I use ANM to install the certificates (and keys) (using "terminal" cut-n-paste), the files that appear in "show crypto files" are TWICE the size of the true certificates. By using crypto export terminal, I can see that the file contains two complete sets of ---BEGIN and ---END lines, and two copies of the key or certificate. Hence when I make a chain of our cert plus the Verisign intermediate CA, I exceed 4k.


I used the CLI to export the certificate to the screen, deleted the file, then imported from terminal by cut'n'paste; the resulting file was half the size. I did this to both certificates and the private key, and now IE6 and Safari are happy.


I had to use ANM initially to install the certificates, as any changes to the crypto files from the CLI are not reflected in the ANM database, even after a refresh of the config from the device. The only way ANM seems to know about certificates is if it puts them there, and it seems to get it wrong.



I now see fewer certificates in the Wireshark packets during the SSL exchange. Why it changed between versions 2 and 5a I don't know. Maybe the older version only sent the first instance in the file. Although, looking at the capture, the older version was happy with 4231 bytes of certificates.


Regards.
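The doubled-PEM problem described in this post can be checked before the chain is ever installed. The following is an added example, not code from the thread or from Cisco: it parses a "crypto export terminal" style dump, counts duplicate BEGIN/END blocks, flags the total against an assumed 4096-byte limit (the thread says "4k" without giving an exact figure), and rebuilds a de-duplicated file. The certificate body in the sample is constructed filler, not a real certificate.

```python
import hashlib
import re

# Threshold from the thread: a chain group above 4k broke the IE6 handshake.
# 4096 bytes is an assumed working limit, not a documented ACE figure.
ACE_CHAIN_LIMIT_BYTES = 4096

# One PEM block: the END label must match the BEGIN label (back-reference \1).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)

def pem_blocks(text):
    """Return (label, body) for every PEM block in a 'crypto export terminal' dump."""
    return [(m.group(1), m.group(2).strip()) for m in PEM_BLOCK.finditer(text)]

def audit_pem(text):
    """Count blocks and duplicates and check the dump against the size limit."""
    blocks = pem_blocks(text)
    digests = {hashlib.sha256(b.encode()).hexdigest() for _, b in blocks}
    size = len(text.encode())
    return {
        "blocks": len(blocks),
        "distinct": len(digests),
        "duplicates": len(blocks) - len(digests),
        "size": size,
        "over_limit": size > ACE_CHAIN_LIMIT_BYTES,
    }

def dedupe_pem(text):
    """Rebuild the dump keeping only the first copy of each distinct block."""
    out, seen = [], set()
    for label, body in pem_blocks(text):
        if body not in seen:
            seen.add(body)
            out.append(f"-----BEGIN {label}-----\n{body}\n-----END {label}-----")
    return "\n".join(out) + "\n"

# Constructed sample: a fake certificate body written twice, mirroring what the
# ANM-imported file looked like. The body is filler, not a real certificate.
FAKE_BODY = "\n".join("MIIBfakeCertificateBodyLine%02d" % i for i in range(80))
DOUBLED_PEM = f"-----BEGIN CERTIFICATE-----\n{FAKE_BODY}\n-----END CERTIFICATE-----\n" * 2

if __name__ == "__main__":
    print(audit_pem(DOUBLED_PEM))              # 2 blocks, 1 distinct, over limit
    print(audit_pem(dedupe_pem(DOUBLED_PEM)))  # 1 block, under limit
```

Run the audit on each file exported from the device, and on the concatenated chain, before building the chain group; a "duplicates" count above zero is the symptom this post describes.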

Gilles Dufour (Cisco Employee) Fri, 09/14/2007 - 02:13

The 4k issue was just recently fixed - CSCsk26606.

Not sure why it was working with the 1.2 version.


Gilles.
