HTTP works fine but SSL has issues.

Unanswered Question
Feb 8th, 2008

Hello.

I have a rather simple configuration which works fine for HTTP but with SSL is a different matter.

It's an 11501 one-armed running version sg0810106.


The thing is pretty much like this.

For HTTP:

Starts browsing and after the NTLM authentication the first of two pages shows up and moments later a second one follows with the main page. The first page only welcomes you and states "session initiated".

For SSL:

It starts the same way but shows the message "both secure and non-secure content" before opening the second window, and no SSL is used at that time. Even though no encryption is taking place, the page won't finish downloading. It keeps showing a progress indicator that won't go away. After a while a message says there was a connection problem.

Strangely the top of the window says "https://...." but no padlock is shown.


So far I've tried the following.

- With another web site running a simple IIS with directory browsing, everything went OK. Walking in and out of the whole tree and downloading files worked perfectly with SSL.

- Making the minimum changes to the configuration I pointed the SSL to only one service to make sure the second window (after the authentication) was not balanced to a second server.


Any ideas?


Thanks a lot!

Guido




Gilles Dufour (Cisco Employee) Fri, 02/08/2008 - 06:04

Guido,


your server is most probably sending a redirect to http.

You need to configure url-rewrite to intercept the redirect and rewrite it to https.


the command is 'ssl-server 10 urlrewrite www.cisco.com'


If that does not work, will need a trace of the server side traffic when it works and when it does not.


Gilles.

David Coupez Tue, 02/12/2008 - 08:04

You also may have a hard link in your code pointing directly to an http link. In other words, your site partially bypasses your SSL module. Maybe you can highlight it by creating new services and a content rule to which you redirect your decrypted flows. I mean, for example:


content WebSphere-test
  advanced-balance sticky-srcip
  vip address 10.241.100.1
  add service newserv1
  add service newserv2
  protocol tcp
  port 50000
  sticky-inact-timeout 180
  active

ssl-server 10 cipher rsa-with-3des-ede-cbc-sha 10.241.100.1 50000 weight 5
ssl-server 10 cipher rsa-with-rc4-128-md5 10.241.100.1 50000 weight 3
ssl-server 10 cipher rsa-with-rc4-128-sha 10.241.100.1 50000 weight 4


When connecting through SSL, you should not see "normal" services counters increase.


That's just an idea...


David

ggalteroo Fri, 02/15/2008 - 18:22

Hello

Thank you both for your advice.

I tried both approaches but I had no luck. First I wrote a few rules to rewrite whatever redirect there could have been, but none was detected.

After a while, by chance I ended up getting a message stating too many sessions were open and that was a redirect which I was able to keep inside the tunnel following Gilles' instructions.

I kept trying to find a redirect but I couldn't so David's idea was next.

According to what I could see from a capture, I wrote a few content rules and redirect services in an attempt to match any of the URLs that were there, but again very little changed.

I keep seeing a "secure and non-secure content" message moments after the second window opens up. Could the redirect then be inside the Flash code? Is there anything that can be done to overcome it?

In general terms can Flash be load-balanced?

If you have a moment to go over the capture, I'd be very grateful.

Remember this is a one-armed scenario so the site is accessible either through the CSS or directly to the server. Both direct HTTP (port 9081) and CSS-based SSL traces are attached.


Thanks a lot

Guido




Gilles Dufour (Cisco Employee) Sun, 02/17/2008 - 04:48

Guido,


the object that appears in cleartext is


"/bantotal/servlet/com.dlya.bantotal.afrgetusrmnucode "


And we can see a referer that is :


Referer: http://10.239.101.111:9081/bantotal/servlet/realIndex.html


This object was also requested by the client but it received a 304 not modified from the server.

So we do not see the content of the object.


I would suggest to clear the cache of your browser, and then re-do the same test.

SSL and cleartext capture.

Try to capture front-end and backend at the same time.

Since this is one-armed it should be easy.

It will allow us to see the response from the server in clear, before it gets encrypted.


Gilles.

ggalteroo Mon, 02/18/2008 - 10:32

Gilles

Thanks for your support.

I see. I missed the redirect but... I keep thinking that the rules I wrote should have recognized the string and taken action upon it.

Anyhow I was able to list every object that gives form to the site and made a list out of them. Is it right to assume that a few rules that match a string, common to each object, would solve this? For instance “ssl-server 10 urlrewrite 1 */bantotal/*” and to be on the safe side “ssl-server 10 urlrewrite 2 */bantotal/* sslport port 443 clearport 9081”.

On the other hand I'm going to do what you suggested though I'm not sure what you meant with "front-end and backend at the same time". Did you think 2 PCs one to sniff while requesting HTTPS and the second one sniffing the back-end side of the conversation?


Thanks a lot and please stay tuned :)

Guido




Gilles Dufour (Cisco Employee) Tue, 02/19/2008 - 01:36

Guido,


your problem is the client browser reporting that you are changing to a non-secure page.

There are only 2 possible reasons for that.

1 - the server sent a redirect to a cleartext page

2 - the content of a page has a hard coded link pointing to a cleartext page.


The first problem can be solved with a url-rewrite.


The 2nd problem can only be solved by fixing the server.


So, to identify which problem we are facing, we need to see at the same time the traffic between client and loadbalancer and the traffic between loadbalancer and server.

Since you are in one-armed mode, all traffic goes in and out of a single interface.

So, you can span/monitor that interface using a 2nd pc, while the first pc is the client browsing the site.


In the trace, we should see the HTTPS traffic from the client and the HTTP traffic from the server.


Hope this makes sense like this.


Gilles.
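Added example (editor's note, not code from anyone in this thread or from Cisco): a small Python checker that takes the cleartext, server-side responses from the span capture Gilles describes above and separates the two causes he lists, a redirect to an http:// URL (fixable with the urlrewrite from his first reply) and an http:// link hard-coded in the page content (only fixable on the server). Host names, ports and the sample responses are constructed for the example; the rewrite rule's matching semantics (glob on the host, exact match on the cleartext port) are an assumption modelled on the thread's "ssl-server 10 urlrewrite ... sslport ... clearport ..." proposal, not a description of CSS internals.

```python
"""Classify server responses behind an SSL-terminating load balancer:
cause 1 = redirect to http:// (urlrewrite can fix), cause 2 = hard-coded
http:// link in content (server must fix).  Added example; sample data
and host names below are constructed, not taken from the thread."""
import re
from fnmatch import fnmatch
from urllib.parse import urlsplit, urlunsplit


class UrlRewriteRule:
    """Rule in the spirit of 'ssl-server N urlrewrite I <host> sslport P clearport Q'.
    Matching semantics are an assumption for this example, not CSS behaviour."""

    def __init__(self, host_glob, sslport=443, clearport=80):
        self.host_glob = host_glob
        self.sslport = sslport
        self.clearport = clearport

    def apply(self, location):
        """Return the https:// form of a matching Location value, else None."""
        parts = urlsplit(location)
        if parts.scheme.lower() != "http":
            return None
        host = parts.hostname or ""
        if (parts.port or 80) != self.clearport or not fnmatch(host, self.host_glob):
            return None
        netloc = host if self.sslport == 443 else f"{host}:{self.sslport}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


# Attributes whose value the browser fetches (incl. Flash <param value=...>).
ATTR_URL = re.compile(
    r"""(?:src|href|action|data|value)\s*=\s*["']?(http://[^"'\s>]+)""", re.IGNORECASE
)
# Coarser check for non-HTML bodies (JavaScript, uncompressed SWF): any http:// token.
RAW_URL = re.compile(r"http://[^\s\"'<>()]+")


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers, body_text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("iso-8859-1", "replace")


def classify(raw, rules):
    """Report which of the two mixed-content causes a server response exhibits."""
    status, headers, body = parse_response(raw)
    report = {
        "status": status,
        "redirect_to_http": False,      # cause 1
        "rewritten_location": None,     # what urlrewrite would send instead
        "unmatched_redirect": None,     # cause 1, but no rule matched it
        "hardcoded_http_links": [],     # cause 2
    }
    location = headers.get("location", "")
    if status in (301, 302, 303, 307, 308) and location.lower().startswith("http://"):
        report["redirect_to_http"] = True
        for rule in rules:
            rewritten = rule.apply(location)
            if rewritten:
                report["rewritten_location"] = rewritten
                break
        else:
            report["unmatched_redirect"] = location
    elif "html" in headers.get("content-type", "").lower():
        report["hardcoded_http_links"] = sorted({m.group(1) for m in ATTR_URL.finditer(body)})
    else:
        report["hardcoded_http_links"] = sorted(set(RAW_URL.findall(body)))
    return report


# Constructed sample responses, as a server-side capture would show them.
SAMPLE_REDIRECT = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://app.example.test:9081/bantotal/servlet/realIndex.html\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_PAGE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b'<html><body><a href="/bantotal/servlet/menu">menu</a>'
    b'<script src="http://app.example.test:9081/bantotal/js/menu.js"></script>'
    b'<object><param name="movie" value="http://app.example.test:9081/bantotal/flash/main.swf">'
    b"</object></body></html>"
)
SAMPLE_CLEAN = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b'<html><body><a href="/bantotal/servlet/menu">menu</a></body></html>'
)

# Rule mirroring the thread's proposal: server listens in clear on 9081, clients use 443.
RULES = [UrlRewriteRule("app.example.test", sslport=443, clearport=9081)]

if __name__ == "__main__":
    for sample in (SAMPLE_REDIRECT, SAMPLE_PAGE, SAMPLE_CLEAN):
        print(classify(sample, RULES))
```

Run it over each server response extracted from the cleartext half of the span capture. A Location header that no rule matches is reported as unmatched_redirect (for instance when the rule's clearport does not equal the port in the redirect), while http:// links found in the content are listed but cannot be touched by a urlrewrite at all. The attribute regex only sees HTML; a compressed SWF (CWS header) would have to be decompressed before the raw http:// search could find anything inside it.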

ggalteroo Wed, 02/20/2008 - 12:33

Gilles

Thanks. It made sense.

I made a capture the way you said. No filters to be sure nothing was left out so a display filter may be required.

So far the only 302 redirect I found was on packet 845.

Would you look at it?


Client: 10.1.1.140

VIP: 10.241.100.4

Server: 10.239.101.112


Thanks a lot.

Guido



