SSL Stateful fail-over...some new development

skumar1969
Level 1

I know this has been talked about much on this forum. But this is a bit different this time.

We know historically an SSL session cannot be statefully failed over to a CSS, or to any device for that matter.

Technically that is not completely true, as there was an unhealthy way of doing this, just by duplicating the RSA key/cert pair of one CSS to as many devices as you like, but it was a bit unethical, plus a few security-related issues might arise in future, like what if a duplicated cert is compromised in one place.

However, Verisign has now(?) started issuing SSL certs meant for multiple installations, meaning you can actually/legally duplicate the same RSA key & cert pair across to a failover CSS within a site. This move has opened the door to statefully failing over SSL sessions.

I am wondering what Cisco's view is on this technical possibility.

thanks

4 Replies

vmoopeung
Level 5

To copy SSL certs and keys, export the certs and keys off, then import them to the second CSS. This can be done with the commands copy ssl ftp your-ftp-record export yourcert.pem "password" and copy ssl ftp your-ftp-record import yourcert.pem "password".

Gilles Dufour
Cisco Employee

Your understanding is slightly wrong.

You CAN currently replicate the cert/key to the standby CSS. This is legal. This is not a security issue.

This has to be done manually, though.

From an external user's point of view, the 2 CSS form a single unit anyway. This is why it is OK to use the same cert on both.

However, that does not mean that failover is stateful. It just guarantees that upon failover, the new active CSS can accept NEW SSL connections. But the active connections will be dropped, because the CSS does not have a mechanism to continue an encrypted session in the middle.

This is because an SSL session starts by negotiating a shared key and other parameters that the standby is not aware of.

So, your new Verisign cert does not apply to this case.

Gilles.
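The point in the reply above (same cert and key on both units lets the standby accept new connections, but not continue existing ones) can be shown with a small model. The following is an added example, not code from the thread or from Cisco: the PRF is the TLS 1.2 PRF from RFC 5246 (HMAC-SHA256), while the unit class, the record/MAC format, the "identity" blob standing in for the replicated RSA key and cert, and all sample values are constructed for the illustration and are not CSS internals.

```python
"""
Model of SSL failover between two load balancers that share one RSA key/cert.
The keys a session actually protects records with are derived from per-handshake
values (client random, server random, pre-master secret). Only the unit that
performed the handshake has seen them, so a second unit holding the same
certificate and private key still cannot continue the session.
"""
import hmac
import hashlib
import os


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion from RFC 5246 section 5."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()           # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def derive_session_keys(pre_master: bytes, client_random: bytes, server_random: bytes):
    """Master secret and a simplified key block, as computed during the handshake.
    Returns (master_secret, client_write_key, server_write_key)."""
    master = prf(pre_master, b"master secret", client_random + server_random, 48)
    key_block = prf(master, b"key expansion", server_random + client_random, 64)
    return master, key_block[:32], key_block[32:]


def client_mac(client_write_key: bytes, seq: int, data: bytes) -> bytes:
    """Constructed record protection: HMAC over sequence number and payload."""
    return hmac.new(client_write_key, seq.to_bytes(8, "big") + data, hashlib.sha256).digest()


class LoadBalancer:
    """Constructed stand-in for a CSS SSL endpoint. Both units receive the same
    identity (cert + key), but session state exists only on the unit that
    performed the handshake."""

    def __init__(self, name: str, identity: bytes):
        self.name = name
        self.identity = identity   # replicated RSA key and cert (same on both units)
        self.sessions = {}         # session_id -> (client_write_key, server_write_key)

    def handshake(self, client_random: bytes, pre_master: bytes):
        """Full handshake: generate server random, derive keys, cache the session."""
        server_random = os.urandom(32)
        _, c_key, s_key = derive_session_keys(pre_master, client_random, server_random)
        session_id = os.urandom(8)
        self.sessions[session_id] = (c_key, s_key)
        return session_id, server_random

    def can_resume(self, session_id: bytes) -> bool:
        """Session resumption only works where the session cache entry exists."""
        return session_id in self.sessions

    def receive_record(self, session_id: bytes, seq: int, data: bytes, tag: bytes) -> str:
        """Verify an application record; without session state the connection
        cannot continue, which the client sees as a reset."""
        keys = self.sessions.get(session_id)
        if keys is None:
            return "RESET"
        return "OK" if hmac.compare_digest(client_mac(keys[0], seq, data), tag) else "RESET"


def simulate_failover() -> dict:
    identity = b"shared-rsa-key-and-cert"   # constructed: identical on both units
    active = LoadBalancer("CSS-A", identity)
    standby = LoadBalancer("CSS-B", identity)

    # Handshake with the active unit. In real SSL the pre-master secret travels
    # RSA-encrypted to the server; here the client hands it to the unit it talks
    # to, which is still the only unit that ever sees it.
    client_random, pre_master = os.urandom(32), os.urandom(48)
    session_id, server_random = active.handshake(client_random, pre_master)
    _, c_key, _ = derive_session_keys(pre_master, client_random, server_random)

    data = b"GET / HTTP/1.0\r\n\r\n"   # constructed application record
    tag = client_mac(c_key, 1, data)
    results = {
        "active_accepts_record": active.receive_record(session_id, 1, data, tag),
        # Failover: the same record now lands on the standby, which holds the
        # same cert and key but none of the handshake-derived state.
        "standby_after_failover": standby.receive_record(session_id, 1, data, tag),
        "active_can_resume": active.can_resume(session_id),
        "standby_can_resume": standby.can_resume(session_id),
    }
    # The standby can still serve a brand-new handshake with the shared identity.
    cr2, pm2 = os.urandom(32), os.urandom(48)
    sid2, sr2 = standby.handshake(cr2, pm2)
    _, c_key2, _ = derive_session_keys(pm2, cr2, sr2)
    results["standby_new_session"] = standby.receive_record(sid2, 1, data, client_mac(c_key2, 1, data))
    return results


if __name__ == "__main__":
    for k, v in simulate_failover().items():
        print(f"{k}: {v}")
```

Running it shows the active unit accepting the record, the standby answering the same record (and a resumption attempt for the same session ID) with a reset, and the standby then completing a fresh handshake normally. That is exactly the distinction drawn above: replicating the identity gives failover for new connections, not stateful failover of in-flight ones.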

Gilles,

Thanks. Understood that it wouldn't be a stateful failover; however, will the user notice any session drop-out/hanging, because browsers have the capability to renegotiate a new SSL session 'seamlessly'?

Thanks

I believe the user will see that there was an issue. His connection will seem to hang or the browser will display an error message if it receives a RESET from the new active CSS.

Gilles.
