Cisco Support Community
Community Member

SSLv3 Handshake failure on Cisco ACE (IE)

Hi,

I have configured a VIP on the ACE for https and used a self-signed certificate.

Mozilla works perfectly fine; however, Internet Explorer returns "Internet Explorer cannot display the webpage".

When I checked via Ethereal, I noticed that the following message is shown only when accessing the https URL via Internet Explorer and not Mozilla:

SSLv3 Alert(Level:Fatal, Description: Handshake Failure)

In short, SSL handshake fails for IE.

Would you know why this happens?

Thanks.

5 REPLIES

Re: SSLv3 Handshake failure on Cisco ACE (IE)

Check this link, hopefully it provides some insight.

http://msdn.microsoft.com/en-us/library/bb250503.aspx

Community Member

Re: SSLv3 Handshake failure on Cisco ACE (IE)

Thanks. I have verified the given points but haven't succeeded. Any other clues?

Are there any ACE-related tuning parameters to resolve this problem? The SSL Handshake Failure (40) is sent back by the ACE to the client, as can be seen in Ethereal.

Please assist.

Silver

Re: SSLv3 Handshake failure on Cisco ACE (IE)

Hi,

I don't fully understand the background but some time ago I saw handshake problems. Setting the ssl close-protocol parameter seems to help:

parameter-map type ssl PARAMMAP_SSL
  close-protocol disabled

HTH

Cathy

Community Member

Re: SSLv3 Handshake failure on Cisco ACE (IE)

Hi Cathy,

I tried it but got the same results.

I have enabled debug ssl to dig deeper but it does not give any results. And when I do debug all (test environment) it says debug all is disabled. Would you know how I can enable 'debug all' on the ACE? I would like to see every activity through/from the ACE.

SSL Handshake Failure (40) means there is a mismatch of security parameters such as session id, compression method, cryptographic parameters etc. I would like to look into those values and understand the difference as opposed to the Client Hello. Basically the parameters between Client and Server Hello should be the same. And in my case, instead of getting a Server Hello I get the handshake failure.

Have you or anyone ever seen a live working example of SSL on Cisco ACE with Internet Explorer?

Thanks.

Silver

Re: SSLv3 Handshake failure on Cisco ACE (IE)

Hi,

Yes, we have SSL termination from IE for many of our systems and it works just fine - with the close-protocol set. In addition I set the acceptable crypto parameters e.g.

parameter-map type ssl PARAMMAP_SSL
  cipher RSA_WITH_RC4_128_MD5 priority 2
  cipher RSA_WITH_RC4_128_SHA priority 2
  cipher RSA_WITH_DES_CBC_SHA priority 3
  cipher RSA_WITH_3DES_EDE_CBC_SHA priority 3
  cipher RSA_EXPORT_WITH_RC4_40_MD5
  cipher RSA_EXPORT_WITH_DES40_CBC_SHA
  close-protocol disabled

HTH

Cathy
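
Added example (not part of the thread and not Cisco code): one way to check whether a captured ClientHello shares any cipher suite with the parameter-map above, since an empty intersection is a standard cause of a fatal handshake_failure(40) alert. It assumes the hello was sent in SSLv3/TLS record format (not an SSLv2-compatible hello), takes the suite code points from RFC 2246, and uses a constructed sample hello; the thread does not confirm that a cipher mismatch was the cause here.

```python
import struct

# Cipher names from the parameter-map in the thread, mapped to their
# RFC 2246 cipher suite code points (mapping added for this example).
ACE_CIPHERS = {
    0x0003: "RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "RSA_WITH_RC4_128_MD5",
    0x0005: "RSA_WITH_RC4_128_SHA",
    0x0008: "RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0009: "RSA_WITH_DES_CBC_SHA",
    0x000A: "RSA_WITH_3DES_EDE_CBC_SHA",
}

def client_hello_suites(record: bytes) -> list[int]:
    """Return the cipher suite code points offered in an SSLv3/TLS ClientHello record."""
    if len(record) < 9:
        raise ValueError("truncated record")
    ctype, _ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    body = record[9:5 + rec_len]          # skip record header (5) + handshake header (4)
    pos = 2 + 32                          # client_version + random
    pos += 1 + body[pos]                  # session_id length byte + session_id
    (suites_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if suites_len % 2 or pos + suites_len > len(body):
        raise ValueError("malformed cipher_suites vector")
    return [struct.unpack_from("!H", body, i)[0] for i in range(pos, pos + suites_len, 2)]

def diagnose(record: bytes, configured=ACE_CIPHERS) -> str:
    """Explain whether the server has any suite in common with the client."""
    common = [configured[s] for s in client_hello_suites(record) if s in configured]
    if not common:
        return "no shared cipher suite: expect fatal alert handshake_failure(40)"
    return "shared suites (client preference order): " + ", ".join(common)

def build_hello(suites: list[int]) -> bytes:
    """Build a minimal SSLv3 ClientHello record (constructed sample data)."""
    body = b"\x03\x00" + bytes(32) + b"\x00"   # version, zeroed random, empty session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                   # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x00" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    print(diagnose(build_hello([0x0004, 0x000A, 0x002F])))
    print(diagnose(build_hello([0x002F, 0x0035])))   # AES-only offer, none configured
```

To use it on real traffic, export the raw bytes of the ClientHello record from the capture and pass them to `diagnose`.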
