09-13-2007 12:53 AM
I had worked my way through setting up a simple design of two servers, and an http load balance with the ACE across them. I then installed some certificates, and mucked around till I managed to get https frontside, and http backend working. It worked from firefox, and IE6.
I then rebooted the ACE and upgraded the software from A1_2 to A1_5a. Now firefox still works, but IE6 says that it cannot find the server. This is a lie. A packet trace shows it suffering from an SSL handshake failure (40). I'm also seeing now a "malformed Packet SSL", whereas before the packet contained certificates.
Does anyone know why IE6 has stopped working? I rolled back to the older code, and the correct behaviour returns. Is there a new option to make IE work with latest ACE code?
Thanks.
09-13-2007 01:13 AM
are you using a certificate or chain group that would have a size bigger than 4k ?
Could we see the sniffer trace when IE fails ?
Thanks,
Gilles.
09-13-2007 06:48 PM
Ah, 4k issue.
When I use ANM to install the certificates (and keys) (using "terminal" cut-n-paste), the files that appear in the "show crypto files" are TWICE the size of the true certificates. By using crypto export terminal, I can see that the file contains two complete sets of ---BEGIN and ---END lines, and two copies of the key or certificate. Hence when I make a chain of our cert, plus the Verisign intermediate CA, I exceed 4k.
I used the CLI to export the certificate to the screen, deleted the file, then imported from terminal by cut'n'paste; the resulting file was half the size. I did this to both certificates and the private key, and now IE6 and Safari are happy.
I had to use ANM initially to install the certificates, as any changes to the crypto files from the CLI are not reflected in the ANM database, even after a refresh of the config from the device. The only way ANM seems to know about certificates is if it puts them there, and it seems to get it wrong.
I now see fewer certificates in the wireshark packets during the SSL exchange. Why it changed between versions 2 and 5a I don't know. Maybe the older version only sent the first instance in the file. Although looking at the capture, the older version was happy with 4231 bytes of certificates.
Regards.
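The check described in the post above (count the BEGIN/END blocks in each exported crypto file, spot the doubled copies, and see whether the chain group still lands over 4k once each block is kept only once) can be scripted against the PEM text from "crypto export ... terminal". The following is an added example, not code from the thread or from Cisco; it assumes a 4096-byte limit for "4k", and the certificate bodies it uses are constructed base64 filler, not real certificates.

```python
import base64
import re
from collections import Counter

# One PEM block: BEGIN/END labels must match; the body is captured lazily so
# two pasted copies of the same block parse as two blocks, not one.
PEM_BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)

# "4k" from the thread, assumed here to mean 4096 bytes for the whole chain group.
CHAIN_SIZE_LIMIT = 4096


def parse_pem_blocks(text):
    """Return (label, body) for every PEM block in the text, in file order."""
    return [(m.group(1), m.group(2).strip()) for m in PEM_BLOCK_RE.finditer(text)]


def duplicate_blocks(text):
    """Return (label, occurrences) for each block whose exact body appears more than once."""
    counts = Counter(parse_pem_blocks(text))
    return [(label, n) for (label, _body), n in counts.items() if n > 1]


def dedupe_pem(text):
    """Rebuild the file keeping the first copy of each distinct block.

    This is what the manual CLI re-import in the post achieved by hand.
    """
    seen = set()
    blocks = []
    for label, body in parse_pem_blocks(text):
        if (label, body) in seen:
            continue
        seen.add((label, body))
        blocks.append(f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n")
    return "".join(blocks)


def check_chain(*pem_files, limit=CHAIN_SIZE_LIMIT):
    """Summarise a chain group: duplicated blocks, total bytes, and whether it fits under the limit."""
    total = sum(len(f.encode("ascii")) for f in pem_files)
    dups = [d for f in pem_files for d in duplicate_blocks(f)]
    return {"size": total, "duplicates": dups, "fits": total <= limit}


def constructed_pem(label, seed, raw_len=900):
    """Constructed PEM block for demonstration only: base64 of filler bytes, not a real certificate."""
    body = base64.b64encode(bytes([seed]) * raw_len).decode("ascii")
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN {label}-----\n{wrapped}\n-----END {label}-----\n"


# Constructed files as the post says the ANM terminal import left them: every block pasted twice.
SERVER_CERT_FROM_ANM = constructed_pem("CERTIFICATE", 0x41) * 2
INTERMEDIATE_FROM_ANM = constructed_pem("CERTIFICATE", 0x42) * 2

if __name__ == "__main__":
    print("as imported by ANM:", check_chain(SERVER_CERT_FROM_ANM, INTERMEDIATE_FROM_ANM))
    print("after dedupe:      ", check_chain(dedupe_pem(SERVER_CERT_FROM_ANM),
                                             dedupe_pem(INTERMEDIATE_FROM_ANM)))
```

Paste the output of "crypto export ... terminal" for each file in the chain group into the script in place of the constructed blocks; a file that parses to two blocks with identical bodies is the doubled import the post describes, and the "fits" flag tells you whether the deduplicated chain group is back under the limit before you re-import it from the CLI.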
09-14-2007 02:13 AM
The 4k issue was just recently fixed - CSCsk26606.
Not sure why it was working with 1.2 version.
Gilles.