CSS SSL blade

Hi Gilles
With respect to the SSL blade on the CSS how can I have it configured for the following.
I have one web instance 10.1.1.1:2011. It has a certificate on it "cert" and one domain. Now I want it to service 2 more domains using the certificate cert_a and cert_b. Can I do this? How do I go about this?
Thank you
Regards
Soni

You simply create a new ssl-server in your proxy list.
Something like this:
ssl-proxy-list MyList
  ssl-server 10 rsakey KEY-A
  ssl-server 10 rsacert CERT-A
  ssl-server 10 vip address x.x.x.xA
  ssl-server 20 rsakey KEY-B
  ssl-server 20 rsacert CERT-B
  ssl-server 20 vip address x.x.x.xB
You need a new vip address or a new port for each domain. You can't use the same ip:port for different domains because the decryption process starts before we can determine which domain is contained in the HTTP header.
Gilles.
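As an added example (not code from the thread or from Cisco), the following Python checker parses ssl-proxy-list lines in the form shown above and enforces the rule Gilles states: every ssl-server needs its own vip address:port pair plus an rsakey and an rsacert. It assumes the VIP port is set with `ssl-server N port P` and defaults to 443 when absent; the sample config is constructed.

```python
import re
from collections import defaultdict

# Constructed sample: ssl-server 30 reuses the vip:port of ssl-server 20
# and has no rsacert, so both problems should be reported.
SAMPLE_PROXY_LIST = """
ssl-proxy-list MyList
  ssl-server 10 rsakey KEY-A
  ssl-server 10 rsacert CERT-A
  ssl-server 10 vip address 192.0.2.10
  ssl-server 20 rsakey KEY-B
  ssl-server 20 rsacert CERT-B
  ssl-server 20 vip address 192.0.2.11
  ssl-server 30 rsakey KEY-C
  ssl-server 30 vip address 192.0.2.11
  ssl-server 30 port 443
"""

LINE_RE = re.compile(r"^\s*ssl-server\s+(\d+)\s+(.*)$")


def parse_proxy_list(text):
    """Collect the rsakey, rsacert, vip and port of each ssl-server index.
    Port defaults to 443 (assumed CSS default) when no 'port' line is given."""
    servers = defaultdict(lambda: {"port": 443})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        idx, words = int(m.group(1)), m.group(2).split()
        entry = servers[idx]
        if words[0] == "rsakey":
            entry["rsakey"] = words[1]
        elif words[0] == "rsacert":
            entry["rsacert"] = words[1]
        elif words[0] == "vip" and words[1] == "address":
            entry["vip"] = words[2]
        elif words[0] == "port":
            entry["port"] = int(words[1])
    return dict(servers)


def check_proxy_list(servers):
    """Return a list of problems: missing key/cert/vip, or two ssl-servers
    that share one vip:port (the CSS cannot pick a certificate per domain
    on the same ip:port because decryption starts before the Host header
    is visible)."""
    problems = []
    seen = {}
    for idx in sorted(servers):
        s = servers[idx]
        for key in ("rsakey", "rsacert", "vip"):
            if key not in s:
                problems.append(f"ssl-server {idx}: missing {key}")
        if "vip" in s:
            pair = (s["vip"], s["port"])
            if pair in seen:
                problems.append(f"ssl-server {idx}: vip {pair[0]}:{pair[1]} "
                                f"already used by ssl-server {seen[pair]}")
            else:
                seen[pair] = idx
    return problems


if __name__ == "__main__":
    for p in check_proxy_list(parse_proxy_list(SAMPLE_PROXY_LIST)):
        print(p)
```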

Similar Messages

  • CSS/SSL termination - cypher negotiation Q

    Hi everyone
    question regarding SSL termination on CSS/SSL module.
    I have several cyphers in my ssl-proxy list.
    What is the algorithm to choose the cypher ?
    I may assume that CSS and browser negotiate it during SSL session establishing.
    The testing shows that same browser gets different cyphers when it hits
    different CSSs (cyphers are in the same order in proxy-lists on CSSs)
    Thanks
    Alex

    Alex,
    it's not really an algorithm.
    The browser selects the first cipher that matches its requirements in the list presented by the server/CSS.
    The CSS builds a list in the order of weight.
    If you did not specify any weight, the list can be random depending in which order you entered the command.
    I would say, if you want a specific cipher to be selected, use the highest weight for this cipher.
    Gilles.

  • How many CSS SSL certificates needed?

    From reading the CSS SSL Configuration Guide, it seems that one certificate is needed for each virtual SSL server (or VIP), regardless of how many servers are being load-balanced behind that VIP, but that is not made very clear. Also, it appears that a separate certificate is required for each virtual SSL server. Can someone please confirm or correct this for me? Thank You.

    A quick (I hope) follow-up question on this...
    Given multiple domain names being load-balanced by a CSS with a single SSL module, would I need different key and cert associations? I am thinking of something like this:
    ssl associate rsakey prodkey prodkey.pem
    ssl associate cert prodcert prodcert.pem
    ssl associate dhparam proddh proddh.pem
    ssl associate rsakey intkey intkey.pem
    ssl associate cert intcert intcert.pem
    ssl associate dhparam intdh intdh.pem

  • Newly Occurring CSS SSL Issue in Chrome, FF10, IE9 with L5 rules; 3 second delay, loss of L5 stickiness

    We recently started suffering an issue with our CSS11501S-K9 units not performing URL stickiness on our SSL wrapped L5 rules.  I've spent dozens of man-hours working on the problem, and have quite a bit of information to report, including a solution.  There is a high probability that anybody who uses SSL to an L5 rule on a CSS unit will become affected by this problem over the next few weeks/months as users update their browsers with new SSL patches.
    We hadn't made any changes to our config in months, and eliminated hardware problems by testing a second unit. 
    Here are the exact symptoms we saw:
      Browsers affected: Firefox 10, Chrome, IE9, others (and some earlier versions of IE depending on patch levels)
      Browsers not affected: FireFox 3.5, w3m 0.5.2, curl7.19.7
      Impact 1: For SSL Rules backed by L5 rules, the initial response to the first request would be 3 seconds.  Further requests on the same TCP connection would not be delayed
      Impact 2: L5 rules being accessed via SSL would no longer perform any URL based stickiness.  Accessing the same rule skipping SSL would work fine
    I focused on the 3 second delay, since that was a new issue and was easier to debug than monitoring multiple servers to see if stickiness was broken.  This is what I found when a client tries to connect to an SSL rule that ultimately is routed to a L5 HTTP rule:
    1. Client/CSS perform initial TLS handshake, crypto cyphers determined (nearly instantly)
    2. Client sends HTTP 1.1 request for resource (nearly instantly)
    3. 3 seconds of no traffic in or out of the CSS related to this request
    4. CSS opens an HTTP connection to backend webserver, backend webserver responds (nearly instantly)
    5. The CSS seems to route to the backend server using the balance method (round-robin) instead of the advanced-balance method (url)
    6. Response is sent to the client with the resource (nearly instantly)
    7. Future requests sent from the browser on the same TCP connection have no delay, but the advanced-balance continues to be ignored
    The 3 seconds is quite an exact figure (within a few milliseconds) and appears to be entirely happening inside of the CSS unit itself, since it does not connect to the backend server until after the 3 seconds elapse.  3 seconds smelled like some sort of internal timeout set in the CSS unit after it gives up waiting for something.
    Looking at the packets from affected browsers I discovered that the GET /foobar HTTP/1.1 request was being broken into two separate TLSv1 application messages, the first was 24 bytes and the second was 400 bytes.  Decrypting these messages I found the first message was a
    G
    and the second message was:
    ET /foobar HTTP/1.1
    This essentially splits the initial request the client is sending into two pieces.  This confuses wireshark so much, it doesn't decode this as a HTTP request, and just decodes it as "continuation or non-HTTP traffic".
    On the working browsers I saw only one TLSv1 application message, decrypting it I saw:
    GET /foobar HTTP/1.1
    (obviously I'm simplifying the contents of the request, there were lots of headers and stuff)
    I am aware that the CSS can't handle L5 rules appropriately if they get fragmented, so I suspected this was the problem.  I pulled a packet trace from a few years ago, and at that time confirmed we never saw double TLSv1 application messages before.
    A number of openssl vulnerabilities were recently fixed: http://www.ubuntu.com/usn/usn-1357-1
    and browsers may have been recently updated to fix some of these issues, changing the way they encode their traffic. 
    Solution:
    Our ssl config looked something like this:
    ssl-proxy-list SSL_ACCEL
      ssl-server 10 vip address XX.XX.XX.XX
      ssl-server 10 rsakey XXXX
      ssl-server 10 cipher rsa-with-3des-ede-cbc-sha XX.XX.XX.XX 80
      ssl-server 10 cipher rsa-with-rc4-128-sha XX.XX.XX.XX 80
      ssl-server 10 cipher rsa-with-rc4-128-md5 XX.XX.XX.XX 80
      ssl-server 10 unclean-shutdown
      ssl-server 10 rsacert XXXXXX
    Removing:
      ssl-server 10 cipher rsa-with-3des-ede-cbc-sha XX.XX.XX.XX 80
    Solves the problem.  After that's removed, the browsers will no longer fragment the first character of their request into a separate TLSv1 message.  The 3 second delay goes away, and L5 stickiness is fixed.  The "CBC" in the cipher refers to Cypher-Block-Chaining (a great article here:
    http://en.wikipedia.org/wiki/Cipher-block_chaining), and breaking the payload into multiple packages may have been an attempt to initialize the IV for encryption -- although I'm really just guessing, I stopped researching once I verified this solution was acceptable.
    This issue became serious enough for us to notice first on Monday Feb 13th 2012. We believe a number of our large customers distributed workstation updates over the weekend.  The customers affected were using IE7, although my personal IE7 test workstation did not appear to be affected.  It's quite possible our customers were going through an SSL proxy.  I suspect as more people upgrade their browsers, this will become a more serious issue for CSS users, and I hope this saves somebody a huge headache and problems with their production environment.
    -Joe

    Hi Joe,
    That's a very good analysis you did.
    As you already suspected, the issue comes from the TLS record fragmentation feature that was introduced in the latest browser versions to overcome a SSL vulnerability (http://www.kb.cert.org/vuls/id/864643). Unfortunately, similar issues are happening with multiple products.
    For CSS, the bug tracking this issue is CSCtx68270. The development team is actively working on a fix for it, which should be available (in an interim software release, so to get it you will have to go through TAC) in the next couple of weeks.
    In the meantime, as workaround, you can configure the CSS to use only RC4 cyphers (which is what you were suggesting also). These are not affected by the vulnerability, so, browsers don't apply the record fragmentation when they are in use. This workaround has been tested by several customers already, and the results seem to be very positive.
    Regards
    Daniel
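An added detection example, not code from Joe's or Daniel's posts: this Python function walks a stream of TLS records and flags the split Joe observed, a first application-data record of about 24 bytes (one plaintext byte plus MAC and CBC padding) immediately followed by a larger record carrying the rest of the request. The record streams are constructed to mirror the sizes in the thread; only record headers are inspected, so no real ciphertext is needed.

```python
import struct

APPLICATION_DATA = 23
HANDSHAKE = 22
CHANGE_CIPHER_SPEC = 20


def iter_tls_records(data):
    """Yield (content_type, version, payload) for each TLS record in data.
    Raises ValueError if a record header or body is truncated."""
    off = 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated record header")
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        off += 5
        if len(data) - off < length:
            raise ValueError("truncated record body")
        yield ctype, version, data[off:off + length]
        off += length


def build_record(ctype, length, version=0x0301):
    """Constructed TLS 1.0 record with a zero-filled body; only sizes matter here."""
    return struct.pack("!BHH", ctype, version, length) + b"\x00" * length


def detect_split_first_request(data, tiny_max=32):
    """Describe the first two application_data records of a client stream.
    'split' is True when the first record is tiny (1 byte of plaintext plus a
    20-byte SHA-1 MAC padded to a CBC block is 24 bytes for 3DES, 32 for AES)
    and the next record is larger: the 1/n-1 record split Joe's trace showed."""
    sizes = [len(p) for ct, _, p in iter_tls_records(data)
             if ct == APPLICATION_DATA]
    if len(sizes) < 2:
        return {"split": False, "first_sizes": sizes}
    return {"split": sizes[0] <= tiny_max < sizes[1], "first_sizes": sizes[:2]}


# Constructed streams: handshake, change_cipher_spec, finished, then the
# HTTP request. The patched browser sends a 24-byte record ("G") followed
# by a 400-byte record; the older browser sends one 424-byte record.
HANDSHAKE_PREFIX = (build_record(HANDSHAKE, 64)
                    + build_record(CHANGE_CIPHER_SPEC, 1)
                    + build_record(HANDSHAKE, 48))
PATCHED_BROWSER = (HANDSHAKE_PREFIX + build_record(APPLICATION_DATA, 24)
                   + build_record(APPLICATION_DATA, 400))
OLD_BROWSER = HANDSHAKE_PREFIX + build_record(APPLICATION_DATA, 424)

if __name__ == "__main__":
    print("patched browser:", detect_split_first_request(PATCHED_BROWSER))
    print("old browser:    ", detect_split_first_request(OLD_BROWSER))
```

With RC4 ciphers (Daniel's workaround) there is no CBC block to protect, so browsers send the request in a single record and the check reports no split.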

  • CSS SSL Proxy - how can I write the original source address in http header

    I'm replacing some BigIPs with CSS11500s that are configured to do front/backend ssl proxying in a one-armed configuration. The BigIPs write the original source IP address as a http header value when the traffic is sent to the application, and the application uses the IP to match against an application ACL. How can I do the same in the CSS?
    thanks,
    Brian

    here is what you can insert with the SSL module :
    http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a0080292a76.html#wp1027619
    Gilles.

  • CSS SSL renewal problem

    While renewing the ssl certificate in the CSS everything went fine during installation, but after that when I checked with the following command
    sh ssl associate rsakey | grep url(dont want to mention name)
    I can see both the previous and the new key as associated, and it says yes,
    while the new should show yes and the old should show no.
    It is showing the same for cert.
    Can anyone help me sort out this problem, what can it be?
    Thanks in advance

    Sagar,
    Have you performed the "no ssl associate rsakey" and the "no ssl associate cert"?
    After that, perform the "clear ssl file " and "clear ssl file rsakey "
    HTH
    Dave

  • CSS + SSL - unable to create RSA association

    Hello,
    I am having troubles creating an RSA association on our CSS11506.
    Here are the steps I've tried:
    1.) I take the original "Digital ID Class 3 - VeriSign Server OnSite" certificate provided to us and move to the CSS via FTP. I have used the openssl verify process to make sure it was a good cert.
    CSS-EC1# copy ssl ftp FTPSRV import websrv-gr.pem PEM "thepassword"
    Connecting (/)
    Completed successfully.
    (also at this step - I have tried this with and without a passphrase with the same results)
    OpenSSL verify:
    C:\OpenSSL\bin>openssl verify -verbose -CAfile .\PEM\verisign.pem websrv-gr.pem
    websrv-gr.pem: OK
    2.) I then create a certificate association:
    CSS-EC1(config)# ssl associate cert WWW websrv-gr.pem
    3.) I then attempt to create an RSA association:
    CSS-EC1(config)# ssl associate rsakey WWW-RSA websrv-gr.pem
    %% File does not contain an RSA key
    What can I do to get rid of this error? Does the certificate we received from Verisign need to be chained with the Verisign Intermediate certificate?
    Any ideas?
    Thanks in advance...
    Regards,
    Ben

    Hi
    we have a customer with a similar problem,
    CSS11501(config)# ssl associate rsakey vimageprivkey privkeyvimages.pem
    Error: %% File does not contain an RSA key
    The openssl utility has been used to extract the rsakey from the PKCS12 file.
    They have used this method numerous times before without this error.
    RSA key below:-
    Bag Attributes
    localKeyID: 31 31 36 33 30 38 34 35 35 32 32 33 30
    friendlyName: vimages 2006 certificate
    Key Attributes:
    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,4B31C6E8188C1E2C
    -----END RSA PRIVATE KEY-----
    Any Ideas ??

  • CSS SSL and link modification problem

    Hi all
    We have a problem using our CSS to offload SSL for a site. The offload works for the first connection, but the web application seems to be rewriting relative links as absolute links.
    For example, a user hits the site at https://www.mydomain.com. The CSS is configured to terminate the SSL traffic, and then send HTTP to the internal web server on TCP/81.
    What we're seeing in the client's browser is that all links are being returned as http://www.mydomain.com:81/... instead of https://www.mydomain.com/...
    Any idea of how we can do this without messing around with the web server too much? I.e. is there a way on the CSS to do link translation?
    Thanks

    If the links are indeed hardcoded like this, there is nothing the CSS can do.
    Bad server design.
    If the server is returning a redirect to http://... the CSS can intercept it and rewrite it to https.
    Please verify if there is a redirect.
    Gilles.

  • CSS SSL

    I have a CSS11501 and the decision has been made to load the certificates on the servers instead of using the load balancer ssl module. Is this possible? The ssl termination point will be the servers instead of the css. I don't feel that this is the best way to go, but mgmt does. Can someone please point me in the right direction.
    Thanks!

    As Jeramy mentioned the configuration you have provided will work. However, the services do not require the "port 443" NAT rule to be hardset(services will inherit the port defined within the content rule), the keep-alive check for the services you created are using the default ICMP check, and what would be the reason for the group rule? Do you wish to perform internal load balancing with this rule?
    The group rule will SNAT all client requests to appear as the 192.168.20.4 VIP address. Even though the CSS does not support the X-Forwarded-For HTTP option you can accomplish the same thing and be able to hit your VIP internally while preserving the client IP addresses by using ACLs on the CSS.
    - Jason

  • CSS - SSL Certificates

    We have two 11503's each with an SSL module, in a redundant VIP configuration. Can we load the same certificate on both CSS's? Or must we obtain a separate certificate?
    Thanks!

    you can use the same certificate in both CSS.
    Gilles.

  • CSS - SSL Stickiness

    Gilles,
    Could you please advise whether a CSS content rule configured with SSL ID stickiness and balance method round robin is a recommended configuration or not. Are there any issues with SSL stickiness with browsers, i.e. IE?
    Note:- I am not using SSL Module in the CSS.
    Thanks in advance...

    There are two issues.
    Some versions of IE (5.0, 5.5 -- check http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q265369) will cause the client to change its SSL ID every 2 minutes and this will break stickiness with application ssl and advanced balance SSL, as this is layer 5 stickiness based on SSL session ID. A sniffer trace from the client will show the ID field change.
    You have to be aware that SSL stickiness will only work with SSL v3, because it comes with the session ID not encrypted. SSL v2 comes with the session ID encrypted and you can't do stickiness based on that version. So your application servers must be using SSL v3 if you want to use SSL ID based stickiness.
    Hope it helps
    Syed Iftekhar Ahmed

  • CSS SSL Certificate Upgrade

    Hello,
    I need to install an SSL certificate on my CSS but have no access to an FTP/SFTP server.
    Can the import be accomplished via the console or some other means?
    Thanks,
    -Adam

    Gilles,
    We actually have an FTP server... it's just that the CSS is inside a DMZ and we are having some issues right now... so just wanted to know if it was possible to get the cert/key files to the CSS by some other means.
    Time to fire-up the FileZilla FTP server and hit the management port!
    Thanks,
    -Adam

  • CSS+SSL Failover

    If I have two CSS with SSL module in an ASR config, in case the master CSS fails, will the redundant CSS chassis take over the SSL sessions as well, without the client having to reconnect?
    Thx,
    Christos

    we can save TCP connections but not the ssl info.
    So after failover, the traffic will be sent to the new active SSL module which will send a RESET to the client.
    The client will normally restart the connection.
    If you lose the backend server, the CSS does nothing.
    If the client is sending traffic, the SSL module will forward it to the dead server and if we don't get a response during the timeout period the SSL module will reset the connection.
    If a new connection is open it will be sent to another active server if one is available.
    Regards,
    Gilles.

  • CSS SSL L5 balancing

    Hello
    I have four servers that I want to load balance based on a URL both HTTP and HTTPS. Two are tomcat and two are IIS and I would like to use something like /jsp/* and /aspx/*. I can get the http L5 rules setup just fine but when I try and use port 443 with a layer 5 content rule I get nothing. The show flows command shows the external ip, the vip but 0.0.0.0 for the NAT IP. Is it possible to do what I'm trying to do?
    my config is
    service iis1
      ip address 10.0.0.1
      active
    service iis2
      ip address 10.0.0.2
      active
    service tomcat1
      ip address 10.0.0.3
      active
    service tomcat2
      ip address 10.0.0.4
      active
    owner test
      content iis
        vip address 10.1.1.1
        url "/aspx/*"
        advanced-balance arrowpoint-cookie
        add service iis1
        add service iis2
        protocol tcp
        port 80
        active
      content iis_ssl
        vip address 10.1.1.1
        url "/aspx/*"
        advanced-balance ssl
        application ssl
        add service iis1
        add service iis2
        protocol tcp
        port 443
        active
    Thanks in advance
    Justin

    Thanks for the response Giles. I've been working on doing that and I think I have it working but the problem now is that we have some apps that look to make sure the conversation is secure and redirect if not. With the SSL module, it doesn't look like the servers will ever see whether or not the user is connecting via HTTPS. Is there any way around that?

  • CSS SSL and client certificate

    Hello,
    In a situation where SSL traffic is terminated on an SSL Module,
    and having clients which do client certification.
    There are 2 contents available on the webserver.
    One for certified users and one for both.
    Is there a way to restrict a path of a url to clients which performed a client cert?
    And have all other content on that server available to both, certified and not certified clients?
    Sven

    Hi Gilles,
    i have not described my problem at all.
    Currently we are doing the SSL Termination on a webserver.
    There are two locations specified in the apache config.
    Like this:
    <Location /webservices/onlytoca>
      SSLVerifyClient require
      SSLVerifyDepth 0
    </Location>
    So the path /webservices/onlyToCa is only allowed to clients which did a certification via client cert.
    The /content is allowed to all.
    I have to migrate to the SSL-Module because we need to analyse the URL for stickiness.
    My question was, is there a way to restrict a url path to clients which did a client certification.
    I can set up the ssl-server to ignore certification failures.
    Also, do you know about the HTTP-Header insert? Is the header to be inserted also if the client has not been certified via cc or only if the client performed a certification?
    If not, a solution would be to have 3 content rules:
    one, which checks for the existence of an http-header which is set when the request is certified.
    There I can limit the URL to /webservices/toCaOnly/*
    one cr, which allows any other content
    one cr, which sends a redirect to an error page. This one should only be accessed if the url is /webservices/toCaOnly and the http header is not set.
    I hope i wrote it down clear enough to understand.
    Sven
