ACE SSL proxy - firefox but not IE6

mike.harlow
Level 1

I had worked my way through setting up a simple design of two servers, and an http load balance with the ACE across them. I then installed some certificates, and mucked around till I managed to get https frontside, and http backend working. It worked from firefox, and IE6.

I then rebooted the ACE and upgraded the software from A1_2 to A1_5a. Now firefox still works, but IE6 says that it cannot find the server. This is a lie. A packet trace shows it suffering from an SSL handshake failure (40). I'm also seeing now a "malformed Packet SSL", whereas before the packet contained certificates.

Does anyone know why IE6 has stopped working? I rolled back to the older code, and the correct behaviour returns. Is there a new option to make IE work with latest ACE code?

Thanks.

3 Replies

Gilles Dufour
Cisco Employee

Are you using a certificate or chain group that would have a size bigger than 4k?

Could we see the sniffer trace when IE fails ?

Thanks,

Gilles.

Ah, 4k issue.

When I use ANM to install the certificates (and keys) (using "terminal" cut-n-paste), the files that appear in the "show crypto files" are TWICE the size of the true certificates. By using crypto export terminal, I can see that the file contains two complete sets of ---BEGIN and ---END lines, and two copies of the key or certificate. Hence when I make a chain of our cert, plus the Verisign intermediate CA, I exceed 4k.

I used the CLI to export the certificate to the screen, deleted the file, then imported from terminal by cut'n'paste; the resulting file was half the size. Did this to both certificates and the private key, and now IE6 and Safari are happy.

I had to use ANM initially to install the certificates, as any changes to the crypto files from the CLI are not reflected in ANM database, even after a refresh of the config from the device. The only way ANM seems to know about certificates is if it puts them there, and it seems to get it wrong.

I now see fewer certificates in the wireshark packets during the SSL exchange. Why it changed between versions 2 and 5a I don't know. Maybe the older version only sent the first instance in the file. Although looking at the capture, the older version was happy with 4231 bytes of certificates.

Regards.
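The check described in the reply above, as an added example that is not part of the thread: before building a chain group, scan each imported PEM file for repeated BEGIN/END blocks (the doubled copies the import left behind), drop the repeats, and compare the chain size with the 4k ceiling. The PEM bodies below are constructed filler, not real certificates.

```python
import base64
import re

# Chain-size ceiling the thread identifies (4k); above it IE6 failed the handshake.
CHAIN_SIZE_LIMIT = 4096

# One PEM block: BEGIN line, base64 body, matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)


def _fake_pem(label, fill, nbytes):
    """Constructed PEM block with a dummy body; not a real certificate or key."""
    body = base64.b64encode(bytes([fill]) * nbytes).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def pem_blocks(text):
    """All PEM blocks in text as (label, whitespace-stripped body) pairs."""
    return [(m.group(1), re.sub(r"\s+", "", m.group(2)))
            for m in PEM_BLOCK.finditer(text)]


def dedupe_pem(text):
    """Keep the first copy of each block and drop repeats with an identical body."""
    seen, kept = set(), []
    for m in PEM_BLOCK.finditer(text):
        body = re.sub(r"\s+", "", m.group(2))
        if body not in seen:
            seen.add(body)
            kept.append(m.group(0))
    return "\n".join(kept) + "\n"


def chain_report(files):
    """Duplicate count per file and chain size before/after dedup, against the 4k limit."""
    dups, before, after = {}, 0, 0
    for name, text in files.items():
        blocks = pem_blocks(text)
        dups[name] = len(blocks) - len({body for _, body in blocks})
        before += len(text.encode())
        after += len(dedupe_pem(text).encode())
    return {"duplicates": dups, "before": before, "after": after,
            "before_over_limit": before > CHAIN_SIZE_LIMIT,
            "after_over_limit": after > CHAIN_SIZE_LIMIT}


# Constructed stand-ins for the site cert and the intermediate CA cert.
SERVER_CERT = _fake_pem("CERTIFICATE", 0x41, 1200)
INTERMEDIATE = _fake_pem("CERTIFICATE", 0x42, 1000)
# What the thread describes: each imported file holds two copies of its block.
DOUBLED_FILES = {"server.pem": SERVER_CERT * 2, "intermediate.pem": INTERMEDIATE * 2}

if __name__ == "__main__":
    print(chain_report(DOUBLED_FILES))
```

On the doubled files the chain comes out over 4k; after removing the repeated blocks it fits, which is the same halving the reply observed on the device.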

The 4k issue was just recently fixed - CSCsk26606.

Not sure why it was working with 1.2 version.

Gilles.
