CSS SSL termination in transparent mode

Unanswered Question
Jan 22nd, 2008

Is it possible if I have one IP address on my CSS and I would like to enable the SSL termination service? It seems not to work. Is it a configuration problem or a SW limitation?

This is my CSS configuration.

==============================
ABC-CSS01# sh run
!Generated on 01/22/2008 10:36:42
!Active version: sg0750205

configure

!*************************** GLOBAL ***************************
no restrict web-mgmt
logging buffer 64000
ssl associate rsakey myrsakey1 myrsakey.pem
ssl associate cert mychainedrsacert1 myrsakey2.cer
ssl associate dhparam 1 dahshing_dh.pem
ip route 0.0.0.0 0.0.0.0 172.27.2.1 1

!************************** CIRCUIT **************************
circuit VLAN1
  ip address 172.27.2.9 255.255.255.0

!*********************** SSL PROXY LIST ***********************
ssl-proxy-list ssl-list
  ssl-server 20
  ssl-server 20 vip address 172.27.2.8
  ssl-server 20 cipher rsa-with-des-cbc-sha 172.27.2.53 80
  ssl-server 20 cipher rsa-with-3des-ede-cbc-sha 172.27.2.53 80
  ssl-server 20 cipher rsa-with-rc4-128-sha 172.27.2.53 80
  ssl-server 20 cipher rsa-with-rc4-128-md5 172.27.2.53 80
  ssl-server 20 rsacert mychainedrsacert1
  ssl-server 20 rsakey myrsakey1
  active

!************************** SERVICE **************************
service uatsec1
  protocol tcp
  ip address 172.27.2.53
  keepalive type tcp
  port 80
  active

service www
  type ssl-accel
  add ssl-proxy-list ssl-list
  keepalive type none
  slot 2
  active

!**************************** EQL ****************************
eql Cacheable
  description "This EQL contains extensions of cacheable content"
  extension pdf "Acrobat"
  extension fdf "Acrobat Forms Document"
  extension au "Sound audio/basic"
  extension bmp "Bitmap Image"
  extension z "Compressed data application/x-compress"
  extension gif "GIF Image image/gif"
  extension html "Hypertext Markup Language text/html"
  extension htm
  extension js "Java script application/x-javascript"
  extension mocha
  extension jpeg "JPEG image image/jpeg"
  extension jpg
  extension jpe
  extension jfif
  extension pjpeg
  extension pjp
  extension mp2 "MPEG Audio audio/x-mpeg"
  extension mpa
  extension abs
  extension mpeg "MPEG Video video/mpeg"
  extension mpg
  extension mpe
  extension mpv
  extension vbs
  extension m1v
  extension pcx "PCX Image"
  extension txt "Plain text text/plain"
  extension text
  extension mov "QuickTime video/quicktime"
  extension tiff "TIFF Image image/tiff"
  extension tar "Unix Tape Archive application/x-tar"
  extension avi "Video for Windows video/x-msvideo"
  extension wav "Wave File audio/x-wav"
  extension gz "application/x-gzip"
  extension zip "ZIP file application/x-zip-compressed"

!*************************** OWNER ***************************
owner ssl_owner
  content ssl
    port 443
    vip address 172.27.2.8
    protocol tcp
    application ssl
    add service www
    active

==================================

Thank you.

Diego Vargas Tue, 01/22/2008 - 07:03

Hi,

I do not really understand what you mean by "Is it possible if I have one IP address on my CSS and I would like to enable the SSL termination service?"

However, you are missing the clear-text content rule configuration, and the ssl-server cipher should not be pointing to the server IP but to the clear-text rule, like this:

!*********************** SSL PROXY LIST ***********************
ssl-proxy-list ssl-list
  ssl-server 20
  ssl-server 20 vip address 172.27.2.8
  ssl-server 20 cipher rsa-with-des-cbc-sha 172.27.2.8 80
  ssl-server 20 cipher rsa-with-3des-ede-cbc-sha 172.27.2.8 80
  ssl-server 20 cipher rsa-with-rc4-128-sha 172.27.2.8 80
  ssl-server 20 cipher rsa-with-rc4-128-md5 172.27.2.8 80
  ssl-server 20 rsacert mychainedrsacert1
  ssl-server 20 rsakey myrsakey1
  active

owner ssl_owner
  content clear_text
    port 80
    vip address 172.27.2.8
    protocol tcp
    add service uatsec1
    active

  content ssl
    port 443
    vip address 172.27.2.8
    protocol tcp
    application ssl
    add service www
    active

service uatsec1
  protocol tcp
  ip address 172.27.2.53
  keepalive type tcp
  port 80
  active

service www
  type ssl-accel
  add ssl-proxy-list ssl-list
  keepalive type none
  slot 2
  active

Hope it helps!!

lamadam Tue, 01/22/2008 - 23:36

I have tried the URL: https://172.27.2.8/testing/Login.jsp

The page cannot be displayed.

I logged the following:

DSB-CSS01# sh service summary

Service Name   State   Conn   Weight   Avg Load   State Transitions
uatsec1        Alive   0      1        2          0
www            Alive   0      1        2          0

DSB-CSS01# sh summary

Global Bypass Counters:
  No Rule Bypass Count: 13
  Acl Bypass Count:     0

Owner       Content Rules   State    Services   Service Hits
ssl_owner   ssl             Active   www        11
            clear_text      Active   uatsec1    6

I can see all SSL termination examples use 2 separate VLANs: one IP for the CSS outside and another for the server side.

Gilles Dufour Wed, 01/23/2008 - 02:31

You can do this in one-armed mode: 1 VLAN for client and server traffic.

However, you need to guarantee that the server response will go back to the CSS.

In one-armed mode, if the CSS is not the default gateway, the server responses go directly to the client, which does not accept them because they are not coming from the VIP.

Also, what was suggested is to create a content rule on your CSS for plain HTTP traffic.

Like this, you can easily test if HTTP is working and determine if this is a general issue or an SSL-only issue.

Once you have the content rule for HTTP configured, you also need to modify your ssl-proxy-list to send decrypted traffic to this HTTP content rule instead of directly to the server.

Again, this helps for troubleshooting and will give the possibility to perform special actions on the decrypted traffic if needed later on (i.e. cookie stickiness).

Regards,

Gilles.
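Both replies come down to one check: every ssl-server cipher line must hand decrypted traffic to a content rule on the VIP, not to a back-end service IP. The following script is an added example, not code from the thread or from Cisco; it parses a trimmed CSS running-config (constructed here to mirror the poster's) and reports where each cipher suite's clear-text traffic lands, so the fix Diego and Gilles describe can be verified before pushing a config.

```python
import re

# Constructed sample (trimmed from the poster's config): the cipher line
# sends decrypted traffic straight to the back-end server.
BROKEN_CFG = """\
ssl-proxy-list ssl-list
  ssl-server 20 vip address 172.27.2.8
  ssl-server 20 cipher rsa-with-rc4-128-sha 172.27.2.53 80
service uatsec1
  ip address 172.27.2.53
  port 80
owner ssl_owner
  content ssl
    port 443
    vip address 172.27.2.8
"""
# Diego's fix: cipher target becomes the VIP, plus a port-80 clear-text rule.
FIXED_CFG = BROKEN_CFG.replace("172.27.2.53 80", "172.27.2.8 80") + """\
  content clear_text
    port 80
    vip address 172.27.2.8
    add service uatsec1
"""
CIPHER_RE = re.compile(r"^ssl-server \d+ cipher (\S+) (\S+) (\d+)$")

def parse_css(cfg):
    """Return (content-rule vip:port set, service-IP set, cipher targets)."""
    rules, services, targets, block, attrs = set(), set(), [], None, {}
    def flush():  # record the block that was just read
        if block == "content" and "ip" in attrs and "port" in attrs:
            rules.add((attrs["ip"], attrs["port"]))
        elif block == "service" and "ip" in attrs:
            services.add(attrs["ip"])
    for line in (ln.strip() for ln in cfg.splitlines()):
        m = CIPHER_RE.match(line)
        if m:
            targets.append(m.groups())
        elif line.split(" ")[0] in ("content", "service"):
            flush(); block, attrs = line.split(" ")[0], {}
        elif line.startswith(("ip address ", "vip address ")):
            attrs["ip"] = line.split()[2]   # works for "ip address A mask" too
        elif line.startswith("port "):
            attrs["port"] = line.split()[1]
    flush()
    return rules, services, targets

def check_ssl_targets(cfg):
    """Where does each cipher's decrypted traffic land? ok = a content rule,
    points-to-server = straight at a back-end service (bypassing the rules)."""
    rules, services, targets = parse_css(cfg)
    return {c: "ok" if (ip, p) in rules else
               "points-to-server" if ip in services else "no-rule"
            for c, ip, p in targets}
```

The cipher list in the thread (single DES, RC4) reflects 2008; the same parser runs unchanged over a modern suite list, since only the target vip:port is inspected.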
