10-04-2007 09:04 AM
Hi,
I'm having a problem with configuring end-to-end SSL as documented in Section 5 of the ACE SSL guide.
Without the ssl-proxy definition it "works" in the sense that the response is HTTPS format from either of the real servers.
If I add
    ssl-proxy server PSERVICE_SERVER
into
    policy-map multi-match LB-VIP
      class VIP-CATHY-https
        loadbalance vip inservice
        loadbalance policy VIP-LB-CATHY-https
then it fails and a Wireshark trace shows a Handshake Failure - but no helpful details.
What I'm trying to do is terminate and re-initiate the SSL traffic to the two real servers.
Am I missing something obvious? The configuration of my Test context is attached.
Kind Regards
Cathy
10-10-2007 11:38 AM
Check this bug information: CSCsg04254
10-10-2007 10:28 PM
Thank you.
I don't have access to the bug database - so if you could copy it to here that would be helpful.
I think I've got a config that works. I hadn't grasped the necessity for a layer 7 policy to make it work. Also I needed to set the close-protocol in the SSL parameters to be none rather than strict (default).
Kind Regards
Cathy
10-11-2007 01:29 AM
Cathy, are you using IE?
If yes, could you try another browser like Mozilla?
Are you using a certificate group?
Is the total size bigger than 4k?
Gilles.
10-11-2007 03:25 AM
I was using IE. By chance I saw another query on here that mentioned the close-protocol option.
I don't think the chaingroup exceeded 4K - but it was probably borderline. I took out the server certificate and just left in the 3 GlobalSign certificates. I couldn't see the point of including it in the chain as well as in the server definition.
I think I have it working - it was just a lot more complicated than I thought it would be. It would be useful if the manual had an example of an end-to-end configuration rather than just referring to Ch4 and Ch3.
Thank you for your help.
Kind Regards
Cathy
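An end-to-end (terminate and re-initiate) layout assembled from the points raised in this thread, as an added example that is not Cathy's attached configuration or Cisco's own sample. Only PSERVICE_SERVER, LB-VIP, VIP-CATHY-https and VIP-LB-CATHY-https come from the thread; every other name, file, address and port is a placeholder, and the rserver definitions are omitted.

```text
! Chain group holds only the CA certificates, not the server certificate
crypto chaingroup CHAIN_GLOBALSIGN
  cert GLOBALSIGN_CA_1.PEM
  cert GLOBALSIGN_CA_2.PEM
  cert GLOBALSIGN_CA_3.PEM

! close-protocol set to none, as described in the thread
parameter-map type ssl PARAM_SSL
  close-protocol none

! Front end: the ACE terminates the client's SSL session
ssl-proxy service PSERVICE_SERVER
  key SERVER_KEY.PEM
  cert SERVER_CERT.PEM
  chaingroup CHAIN_GLOBALSIGN
  ssl advanced-options PARAM_SSL

! Back end: the ACE acts as SSL client towards the real servers
ssl-proxy service PSERVICE_CLIENT
  ssl advanced-options PARAM_SSL

serverfarm host SF_HTTPS
  rserver RS1 443
    inservice
  rserver RS2 443
    inservice

class-map match-all VIP-CATHY-https
  2 match virtual-address 192.0.2.10 tcp eq https

! Layer 7 policy: re-initiation is attached here with "ssl-proxy client"
policy-map type loadbalance first-match VIP-LB-CATHY-https
  class class-default
    serverfarm SF_HTTPS
    ssl-proxy client PSERVICE_CLIENT

! Layer 3/4 policy: termination is attached here with "ssl-proxy server"
policy-map multi-match LB-VIP
  class VIP-CATHY-https
    loadbalance vip inservice
    loadbalance policy VIP-LB-CATHY-https
    ssl-proxy server PSERVICE_SERVER
```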