Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

ACE LOAD BALANCER - secure tls renegotiation

I have a cisco ace loadbalancer and a server farm behind it.

We have implemented sll-to-ssl termination, but we are facing certain problems with opera browser and android mobiles.

On both we get "The server does not support secure TLS renegoriation...."

Running the following:  openssl s_client -connect aaa.bbb.ccc.ddd:443

On the load balancer we get:

New, TLSv1/SSLv3, Cipher is AES256-SHA

Server public key is 1024 bit

Secure Renegotiation IS NOT supported

Compression: NONE

Expansion: NONE

SSL-Session:

    Protocol  : TLSv1

    Cipher    : AES256-SHA

    Session-ID:

    Session-ID-ctx:

    Master-Key: xxxxxxxxx

    Key-Arg   : None

    Krb5 Principal: None

    Start Time: 1323349587

    Timeout   : 300 (sec)

    Verify return code: 21 (unable to verify the first certificate)

On one of the servers from the farm we get:

ew, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA

Server public key is 1024 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

SSL-Session:

    Protocol  : TLSv1

    Cipher    : DHE-RSA-AES256-SHA

    Session-ID: yyyyyyy

    Session-ID-ctx:

    Master-Key: xxxxxxxx

    Key-Arg   : None

    Krb5 Principal: None

    Start Time: 1323349689

    Timeout   : 300 (sec)

    Verify return code: 0 (ok)

Is there any connection to our problem with this outputs ?

Does anyone have any idea on how to solve this problem ?

Thanks in advance

2 REPLIES
Cisco Employee

ACE LOAD BALANCER - secure tls renegotiation

Hi Thanassis,

TLS renegotiation was disabled in all Cisco devices due to a vulnerability of the protocol. Check

http://www.cisco.com/en/US/products/products_security_advisory09186a0080b01d1d.shtml for more details

Since the renegotiation was disabled for security reasons, there is no way to enable it back, so you should rather be looking for a way to force your browsers not to require this option to be enabled. I would suggest you to contact the Opera support team.

Regards

Daniel

New Member

ACE LOAD BALANCER - secure tls renegotiation

I am not aware of any Cisco ACE version that supports RFC 5746, unfortunately.

1870
Views
0
Helpful
2
Replies
CreatePlease to create content