Can't get SSL working on CSS but my configuration looks good

mreed
Level 1

I'll post the relevant part of the config below. For testing I've made a self-signed cert. The VIP address is 10.10.15.84 and the server address is 10.10.12.84. I can connect fine going to the VIP address on http, but when I try https nothing comes up. I can see activity doing a show ssl statistics.

!*********************** SSL PROXY LIST ***********************
ssl-proxy-list povssl_proxylist
  ssl-server 20
  ssl-server 20 rsacert povsslcert
  ssl-server 20 rsakey povcert
  ssl-server 20 vip address 10.10.15.84
  ssl-server 20 cipher rsa-export-with-rc4-40-md5 10.10.15.84 80
  active

service POV01
  ip address 10.10.12.84
  port 80
  active

service ssl_pov
  type ssl-accel
  slot 2
  keepalive type none
  add ssl-proxy-list povssl_proxylist
  active

owner POV
  content POV
    vip address 10.10.15.84
    protocol tcp
    port 443
    add service ssl_pov
    application ssl
    active

  content POV80
    protocol tcp
    vip address 10.10.15.84
    add service POV01
    port 80
    active

group POV
  add destination service POV01
  vip address 10.10.15.84
  active

7 Replies

Gilles Dufour
Cisco Employee

Get a sniffer trace on the client and capture a 'show tech' before and after the trace on the CSS.

Send me everything at gdufour@ciso.com.

Gilles.

I currently don't have any trace applications in this data center; I'm working on getting Ethereal loaded down there.

Also the CSS11501 does not seem to have the show tech command. That one I didn't expect.

The command is: "script play showtech"

Can you get a 'show summary' before and after sending an https connection?

That would also give us info on which rules are being hit.

Gilles.

I'll have the show tech for you shortly.

For Show Summary POV I have:

Owner  Content Rules  State   Services  Service Hits
POV    POV            Active  ssl_pov   1078
       POV80          Active  POV01     1371

When I hit the site with http I get two hits on POV80, when I hit the site with https I get one hit on POV and one hit on POV80.

I'm attaching two traces: one is a trace from the server showing the relevant traffic for an http request going through the load balancer, and one is with an https request. With the https request it appears that it is not starting with the HTTP request. The server requires the /client and this is never getting there.

mreed
Level 1

For anyone watching, this was resolved. The issue here was the self-signed certificate. It didn't work and didn't give any error in IE. When trying it in Firefox it gave a very clear error. I loaded a Verisign trial cert and everything is working great.
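
Added example, not part of the original thread and not Cisco code: a small offline audit of an ssl-proxy-list like the one posted above. It checks that each ssl-server has a certificate and key associated, flags export-grade ciphers such as the 40-bit rsa-export-with-rc4-40-md5 in the post, and confirms that the clear-text target on the cipher line matches a content rule. The names parse, audit and CONFIG are hypothetical, the sample is abridged from the post, and the check assumes the cipher target is a VIP, as it is in this thread.

```python
import re

# Constructed sample, abridged from the configuration posted in the thread.
CONFIG = """\
ssl-proxy-list povssl_proxylist
  ssl-server 20 rsacert povsslcert
  ssl-server 20 rsakey povcert
  ssl-server 20 vip address 10.10.15.84
  ssl-server 20 cipher rsa-export-with-rc4-40-md5 10.10.15.84 80
owner POV
  content POV
    vip address 10.10.15.84
    port 443
    add service ssl_pov
  content POV80
    vip address 10.10.15.84
    add service POV01
    port 80
"""

def parse(text):
    """Return (ssl_servers, content_rules) keyed by server number / rule name."""
    servers, rules, rule = {}, {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"ssl-server (\d+) (vip address|cipher|rsacert|rsakey) (.+)", line):
            servers.setdefault(m[1], {}).setdefault(m[2], []).append(m[3].split())
        elif m := re.match(r"content (\S+)", line):
            rule = rules.setdefault(m[1], {})
        elif rule is not None and (m := re.match(r"(vip address|port) (\S+)", line)):
            rule[m[1]] = m[2]
    return servers, rules

def audit(text):
    """List findings: missing cert/key, export ciphers, unmatched clear-text target."""
    servers, rules = parse(text)
    # Assumption: decrypted traffic is sent to a VIP served by a content rule.
    listeners = {(r.get("vip address"), r.get("port")) for r in rules.values()}
    findings = []
    for num, s in servers.items():
        for need in ("rsacert", "rsakey"):
            if need not in s:
                findings.append(f"ssl-server {num}: no {need} association")
        for name, ip, port in (c[:3] for c in s.get("cipher", [])):
            if "export" in name:  # export-grade suites use 40/56-bit keys
                findings.append(f"ssl-server {num}: weak cipher {name}")
            if (ip, port) not in listeners:
                findings.append(f"ssl-server {num}: no content rule on {ip}:{port}")
    return findings
```

The audit covers configuration only; the certificate problem that resolved this thread shows up on the client side, where the browser decides whether to trust the presented certificate.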
