SSL cert size issue

marco.becu
Level 1

Hi all,

Here is my conf/version:

Software
  loader:    Version 12.2[123]
  system:    Version A2(3.2) [build 3.0(0)A2(3.2)]
  system image file: [LCP] disk0:c6ace-t1k9-mz.A2_3_2.bin
  installed license: no feature license is installed

crypto chaingroup myurl.chain
  cert myurl.chain

ssl-proxy service MYURL
  key myurl.key
  cert myurl.cert
  chaingroup myurl.chain

----

Yesterday:

# sh crypto files
Filename                                 File  File    Expor      Key/
                                          Size  Type    table      Cert
-----------------------------------------------------------------------
myurl.cert                             16346 PEM     Yes        CERT
myurl.key                              1679  PEM     Yes         KEY
myurl.chain                           4972  PEM     Yes        CERT

$ curl https://myurl.com
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

--

Today, no problem with curl:

# sh crypto files
Filename                                 File  File    Expor      Key/
                                          Size  Type    table      Cert
-----------------------------------------------------------------------
myurl.cert                             16253 PEM     Yes        CERT
myurl.key                              1675  PEM     Yes         KEY
myurl.chain                           4972  PEM     Yes        CERT

Is there an issue with cert or key size?

11 Replies

Gilles Dufour
Cisco Employee

Did you reload the box?

Or remove and upload the cert/key again?

They could have been corrupted previously.

Always check with "crypto verify" that key and cert are ok after being loaded.

Gilles.
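As an added example (not part of Gilles' reply, and not ACE's "crypto verify" or any Cisco code), here is an offline structural check you can run on the PEM files before uploading them. It uses only the Python standard library: for every PEM block it confirms that the base64 payload decodes and that the outer DER SEQUENCE header's declared length matches the bytes actually present, so a truncated or corrupted file is caught even when its size looks plausible. It also reports how many non-whitespace bytes lie outside any PEM block (CA bundle text such as "Bag Attributes", stray characters), which is what usually makes a "cert" file much larger than the certificate itself. The sample PEM blocks at the bottom are constructed: their payloads are tiny DER SEQUENCEs, not real certificates.

```python
"""Offline structural sanity check for PEM key/cert/chain files.

Added example; not Cisco tooling. Pure standard library, no network access.
"""
import base64
import re

# One PEM block: BEGIN line, base64 body, END line with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S
)


def der_sequence_length(der: bytes):
    """Return (header_len, content_len) of a DER SEQUENCE, or None if malformed."""
    if len(der) < 2 or der[0] != 0x30:          # 0x30 is the SEQUENCE tag
        return None
    first = der[1]
    if first < 0x80:                             # short form: length fits in one byte
        return 2, first
    n = first & 0x7F                             # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n, int.from_bytes(der[2:2 + n], "big")


def check_pem(text: str) -> dict:
    """Inspect every PEM block in `text`.

    Returns {"blocks": [...], "problems": [...], "stray_bytes": int}, where
    stray_bytes counts non-whitespace characters outside any PEM block.
    """
    blocks, problems = [], []
    remainder = text
    for i, m in enumerate(PEM_BLOCK.finditer(text)):
        kind, body = m.group(1), m.group(2)
        remainder = remainder.replace(m.group(0), "", 1)
        b64 = re.sub(r"\s+", "", body)
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError as exc:                # binascii.Error is a ValueError
            problems.append(f"block {i} ({kind}): base64 does not decode: {exc}")
            blocks.append({"kind": kind, "der_len": None})
            continue
        hdr = der_sequence_length(der)
        if hdr is None:
            problems.append(f"block {i} ({kind}): payload is not a DER SEQUENCE")
        elif sum(hdr) != len(der):
            problems.append(
                f"block {i} ({kind}): DER header declares {sum(hdr)} bytes, "
                f"{len(der)} present (truncated or corrupted)"
            )
        blocks.append({"kind": kind, "der_len": len(der)})
    stray = len(re.sub(r"\s+", "", remainder))
    return {"blocks": blocks, "problems": problems, "stray_bytes": stray}


def summarize(report: dict) -> str:
    """One-line summary of a check_pem() report."""
    certs = sum(b["kind"] == "CERTIFICATE" for b in report["blocks"])
    keys = sum("PRIVATE KEY" in b["kind"] for b in report["blocks"])
    return (f"{certs} cert(s), {keys} key(s), {report['stray_bytes']} stray byte(s), "
            f"{len(report['problems'])} problem(s)")


# Constructed samples (hypothetical, not real certificates): the payloads are
# minimal DER SEQUENCEs so the structural checks can run without key material.
GOOD_CERT = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"      # 30 03 02 01 05
TRUNCATED_CERT = "-----BEGIN CERTIFICATE-----\nMAMCAQ==\n-----END CERTIFICATE-----\n" # last byte missing
BUNDLE_WITH_TEXT = "Bag Attributes\n    friendlyName: myurl\n" + GOOD_CERT + GOOD_CERT

if __name__ == "__main__":
    for name, pem in [("good", GOOD_CERT), ("truncated", TRUNCATED_CERT),
                      ("bundle", BUNDLE_WITH_TEXT)]:
        report = check_pem(pem)
        print(f"{name}: {summarize(report)} {report['problems']}")
```

To use it on real files, read each of the key, cert and chain files and pass the text to check_pem(); a non-empty problems list means the file should not be uploaded, and a large stray_bytes value with only one certificate block explains a 16 KB "cert" file without implying that the certificate itself is bad. This is a structural check only: it does not verify signatures, expiry or that the key matches the cert.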

I can't reload the box whenever I want :/

I removed and uploaded it again and again but I still had the problem.

crypto verify shows no problem.

I get a new cert every day, so I will see tomorrow whether it depends on size ...

Sorry, the question was "how did you fix it the first time?"

Or are you talking about different devices ?

Also, be aware that ACE loads your key/cert in memory and stops using the one in flash.

Even if you modify the files in flash, that does not mean ACE updates the info it has in memory.

So if the files got corrupted and you upload new ones using the same name, it is possible that ACE kept using the old ones it has in memory.

I usually recommend using different names and updating the ssl-proxy config with the new names in order to force it to reload the new info.

Or remove completely the ssl-proxy config, upload new files and reconfigure the proxy.

Gilles.

The first time, I got another cert from my dealer that fixed the problem.

But since then, I got another one and I got the problem back.

Moreover, now I had to remove the chain, otherwise I got a connection RST when I visited my SSL web site ...

Very, very strange. I have ten other SSL certs with the same conf without any problem at all.

The only difference I see is the cert size.

Ok.

You have a problem with the cert.

But the size can't be used to determine if there is a problem or what the problem could be.

Gilles.

I will make some tests on another context with the same cert/key/chain with logging debug.

Thanks for your help.

I made a mistake in my test.

I erased my Firefox profile and in fact:

without chain: I get a warning; I have to make an exception.

with chain: the connection is reset by ACE.

The chain is used on other ssl-proxy services with different cert/key without any problem.

I made a capture:

10:56:43.888969 x:x:x:x:x:x y:y:y:y:y:y 0800 58: X.X.X.X.443 > Y.Y.Y.Y.40819: S [bad tcp cksum 5f96!] 3053947049:3053947049(0) ack 4213357574 win 32768 (ttl 255, id 41667, len 44, bad cksum 6578!)
10:56:43.892972 y:y:y:y:y:y x:x:x:x:x:x 0800 60: Y.Y.Y.Y.40819 > X.X.X.X.443: . [tcp sum ok] ack 1 win 5840 (DF) (ttl 58, id 264, len 40)
10:56:43.893130 x:x:x:x:x:x y:y:y:y:y:y 0800 54: X.X.X.X.443 > Y.Y.Y.Y.40819: R [bad tcp cksum 774f!] 1:1(0) ack 1 win 32768 (ttl 255, id 41712, len 40, bad cksum 6556!)

Nothing is forwarded to the rserver.

Today I got no warning and no RST: cert size = 16245.

Hey guys, not sure if this is relevant but we had a VERY similar situation as noted above and what it turned out to be was an incorrect MTU setting on the router. Like I said, not sure if it is relevant but it does sound similar. I apologize in advance if this isn't pertaining to the same issue. Thanks.