CSS SSL blade
Hi Gilles
With respect to the SSL blade on the CSS, how can I configure it for the following?
I have one web instance 10.1.1.1:2011. It has a certificate on it, "cert", and one domain. Now I want it to serve 2 more domains using the certificates cert_a and cert_b. Can I do this? How do I go about this?
Thank you
Regards
Soni
You simply create a new ssl-server in your proxy list.
Something like this:
ssl-proxy-list MyList
ssl-server 10 rsakey KEY-A
ssl-server 10 rsacert CERT-A
ssl-server 10 vip address x.x.x.xA
ssl-server 20 rsakey KEY-B
ssl-server 20 rsacert CERT-B
ssl-server 20 vip address x.x.x.xB
You need a new VIP address or a new port for each domain. You can't use the same ip:port for different domains, because the decryption process starts before we can determine which domain is contained in the HTTP header.
Gilles.
Similar Messages
-
CSS/SSL termination - cypher negotiation Q
Hi everyone
question regarding SSL termination on CSS/SSL module.
I have several ciphers in my ssl-proxy list.
What is the algorithm to choose the cipher?
I may assume that the CSS and the browser negotiate it during SSL session establishment.
Testing shows that the same browser gets different ciphers when it hits
different CSSs (the ciphers are in the same order in the proxy lists on the CSSs).
Thanks
Alex
Alex,
it's not really an algorithm.
The browser selects the first cipher that matches its requirements in the list presented by the server/CSS.
The CSS builds a list in the order of weight.
If you did not specify any weight, the list can be random depending in which order you entered the command.
I would say, if you want a specific cipher to be selected, use a highest weight for this cipher.
Gilles. -
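To make Gilles' explanation concrete, here is an added example (not from the original thread or from Cisco) that models the two points above: the server orders its ciphers by weight, with unweighted ciphers falling back to entry order, and the selected suite is the first overlap between the server's ordered list and what the client offers. Cipher names are the ones from this page; the weights, the client offer and the ordering rule for unweighted entries (kept after weighted ones, in entry order) are assumptions made for the example.

```python
# Added example: a model of cipher selection under a server-preference order.
# Assumptions: weighted entries come first (highest weight first), unweighted
# entries follow in the order they were configured, and the endpoint takes the
# first suite in that list which the peer also offers.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CipherEntry:
    name: str
    weight: Optional[int] = None  # None == no weight given on the cipher line


def server_preference_list(entries: List[CipherEntry]) -> List[str]:
    """Order ciphers as the server presents them: weighted first (highest weight
    first), then unweighted in configuration order. sorted() is stable, so
    entries with equal keys keep their entry order."""
    return [
        e.name
        for e in sorted(
            entries,
            key=lambda e: -e.weight if e.weight is not None else float("inf"),
        )
    ]


def negotiate(server_entries: List[CipherEntry], client_offer: List[str],
              server_prefers: bool = True) -> Optional[str]:
    """Return the selected cipher, or None when there is no overlap.
    server_prefers=True : walk the server's list, take the first suite the client offers.
    server_prefers=False: walk the client's list, take the first suite the server has."""
    server_list = server_preference_list(server_entries)
    first, second = (server_list, client_offer) if server_prefers else (client_offer, server_list)
    available = set(second)
    for name in first:
        if name in available:
            return name
    return None


# Constructed configurations (cipher names from this page, weights invented).
WEIGHTED = [
    CipherEntry("rsa-with-3des-ede-cbc-sha"),       # no weight
    CipherEntry("rsa-with-rc4-128-sha", weight=10),
    CipherEntry("rsa-with-rc4-128-md5", weight=5),
]
# Two units with the same ciphers, no weights, entered in a different order.
CSS_A = [CipherEntry("rsa-with-3des-ede-cbc-sha"), CipherEntry("rsa-with-rc4-128-sha"),
         CipherEntry("rsa-with-rc4-128-md5")]
CSS_B = [CipherEntry("rsa-with-rc4-128-sha"), CipherEntry("rsa-with-3des-ede-cbc-sha"),
         CipherEntry("rsa-with-rc4-128-md5")]
# Constructed client offer, deliberately in a different order from the server.
CLIENT_OFFER = ["rsa-with-3des-ede-cbc-sha", "rsa-with-rc4-128-md5", "rsa-with-rc4-128-sha"]


if __name__ == "__main__":
    print("weighted  :", negotiate(WEIGHTED, CLIENT_OFFER))
    print("unweighted:", negotiate(CSS_A, CLIENT_OFFER), "vs", negotiate(CSS_B, CLIENT_OFFER))
```

With the weighted configuration both units pick rsa-with-rc4-128-sha; with no weights, CSS_A and CSS_B pick different suites for the same client, which is the behaviour Alex observed.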
How many CSS SSL certificates needed?
From reading the CSS SSL Configuration Guide, it seems that one certificate is needed for each virtual SSL server (or VIP), regardless of how many servers are being load-balanced behind that VIP, but that is not made very clear. Also, it appears that a separate certificate is required for each virtual SSL server. Can someone please confirm or correct this for me? Thank You.
A quick (I hope) follow-up question on this...
Given multiple domain names being load-balanced by a CSS with a single SSL module, would I need different key and cert associations? I am thinking of something like this:
ssl associate rsakey prodkey prodkey.pem
ssl associate cert prodcert prodcert.pem
ssl associate dhparam proddh proddh.pem
ssl associate rsakey intkey intkey.pem
ssl associate cert intcert intcert.pem
ssl associate dhparam intdh intdh.pem -
We recently started suffering an issue with our CSS11501S-K9 units not performing URL stickiness on our SSL-wrapped L5 rules. I've spent dozens of man-hours working on the problem, and have quite a bit of information to report, including a solution. There is a high probability that anybody who uses SSL to an L5 rule on a CSS unit will become affected by this problem over the next few weeks/months as users update their browsers with new SSL patches.
We hadn't made any changes to our config in months, and eliminated hardware problems by testing a second unit.
Here are the exact symptoms we saw:
Browsers affected: Firefox 10, Chrome, IE9, others (and some earlier versions of IE depending on patch levels)
Browsers not affected: Firefox 3.5, w3m 0.5.2, curl 7.19.7
Impact 1: For SSL rules backed by L5 rules, the initial response to the first request would take 3 seconds. Further requests on the same TCP connection would not be delayed.
Impact 2: L5 rules being accessed via SSL would no longer perform any URL-based stickiness. Accessing the same rule while skipping SSL would work fine.
I focused on the 3 second delay, since that was a new issue and was easier to debug than monitoring multiple servers to see if stickiness was broken. This is what I found when a client tries to connect to an SSL rule that ultimately is routed to a L5 HTTP rule:
1. Client/CSS perform initial TLS handshake, crypto cyphers determined (nearly instantly)
2. Client sends HTTP 1.1 request for resource (nearly instantly)
3. 3 seconds of no traffic in or out of the CSS related to this request
4. CSS opens an HTTP connection to backend webserver, backend webserver responds (nearly instantly)
5. The CSS seems to route to the backend server using the balance method (round-robin) instead of the advanced-balance method (url)
6. Response is sent to the client with the resource (nearly instantly)
7. Future requests sent from the browser on the same TCP connection have no delay, but the advanced-balance continues to be ignored
The 3 seconds is quite an exact figure (within a few milliseconds) and appears to be entirely happening inside of the CSS unit itself, since it does not connect to the backend server until after the 3 seconds elapse. 3 seconds smelled like some sort of internal timeout set in the CSS unit after it gives up waiting for something.
Looking at the packets from affected browsers I discovered that the GET /foobar HTTP/1.1 request was being broken into two separate TLSv1 application messages, the first was 24 bytes and the second was 400 bytes. Decrypting these messages I found the first message was a
G
and the second message was:
ET /foobar HTTP/1.1
This essentially splits the initial request the client is sending into two pieces. This confuses Wireshark so much that it doesn't decode this as an HTTP request, and just decodes it as "continuation or non-HTTP traffic".
On the working browsers I saw only one TLSv1 application message, decrypting it I saw:
GET /foobar HTTP/1.1
(obviously I'm simplifying the contents of the request, there were lots of headers and stuff)
I am aware that the CSS can't handle L5 rules appropriately if they get fragmented, so I suspected this was the problem. I pulled a packet trace from a few years ago, and confirmed that at that time we never saw double TLSv1 application messages.
A number of openssl vulnerabilities were recently fixed: http://www.ubuntu.com/usn/usn-1357-1
and browsers may have been recently updated to fix some of these issues, changing the way they encode their traffic.
Solution:
Our ssl config looked something like this:
ssl-proxy-list SSL_ACCEL
ssl-server 10 vip address XX.XX.XX.XX
ssl-server 10 rsakey XXXX
ssl-server 10 cipher rsa-with-3des-ede-cbc-sha XX.XX.XX.XX 80
ssl-server 10 cipher rsa-with-rc4-128-sha XX.XX.XX.XX 80
ssl-server 10 cipher rsa-with-rc4-128-md5 XX.XX.XX.XX 80
ssl-server 10 unclean-shutdown
ssl-server 10 rsacert XXXXXX
Removing:
ssl-server 10 cipher rsa-with-3des-ede-cbc-sha XX.XX.XX.XX 80
solves the problem. After that's removed, the browsers will no longer fragment the first character of their request into a separate TLSv1 message. The 3 second delay goes away, and L5 stickiness is fixed. The "CBC" in the cipher refers to Cipher Block Chaining (a great article here:
http://en.wikipedia.org/wiki/Cipher-block_chaining), and breaking the payload into multiple packages may have been an attempt to initialize the IV for encryption -- although I'm really just guessing, I stopped researching once I verified this solution was acceptable.
This issue became serious enough for us to notice first on Monday Feb 13th 2012. We believe a number of our large customers distributed workstation updates over the weekend. The customers affected were using IE7, although my personal IE7 test workstation did not appear to be affected. It's quite possible our customers were going through an SSL proxy. I suspect as more people upgrade their browsers, this will become a more serious issue for CSS users, and I hope this saves somebody a huge headache and problems with their production environment.
-Joe
Hi Joe,
That's a very good analysis you did.
As you already suspected, the issue comes from the TLS record fragmentation feature that was introduced in the latest browser versions to overcome an SSL vulnerability (http://www.kb.cert.org/vuls/id/864643). Unfortunately, similar issues are happening with multiple products.
For CSS, the bug tracking this issue is CSCtx68270. The development team is actively working on a fix for it, which should be available (in an interim software release, so to get it you will have to go through TAC) in the next couple of weeks.
In the meantime, as a workaround, you can configure the CSS to use only RC4 ciphers (which is what you were suggesting also). These are not affected by the vulnerability, so browsers don't apply the record fragmentation when they are in use. This workaround has been tested by several customers already, and the results seem to be very positive.
Regards
Daniel -
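Joe's capture and Daniel's explanation above describe the same thing: a CBC cipher in TLS 1.0, a browser that splits the first application-data record off as a single byte, and an L5 inspector that parses each record's plaintext separately and therefore never sees a complete request line. The following is an added example, written for this page and not taken from the thread or from Cisco, that (a) parses a TLS record stream, (b) flags the one-byte-record-then-remainder length pattern from a record-length point of view, which a monitoring box can do without any keys, and (c) shows that the decrypted fragments must be buffered across records before the request line is parsed. The byte stream, the 24/400-byte sizes and the plaintext fragments are constructed to match the figures Joe reported; the 24-byte value is exactly what a one-byte plaintext gives under 3DES-CBC with an HMAC-SHA1 (1 data byte + 20 MAC bytes + 3 padding bytes, rounded to the 8-byte block).

```python
# Added example: TLS record parsing, 1/n-1 split detection by record length, and
# cross-record reassembly of the HTTP request line. All inputs are constructed.
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

APPLICATION_DATA = 0x17
TLS1_0 = (3, 1)


@dataclass
class Record:
    content_type: int
    version: Tuple[int, int]
    body: bytes  # ciphertext on the wire; plaintext is only used in the reassembly part below


def build_record(content_type: int, body: bytes, version=TLS1_0) -> bytes:
    """Serialize one TLS record: type(1) major(1) minor(1) length(2) body."""
    return struct.pack("!BBBH", content_type, version[0], version[1], len(body)) + body


def parse_records(stream: bytes) -> List[Record]:
    """Split a byte stream into TLS records, refusing truncated input."""
    records, off = [], 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack("!BBBH", stream[off:off + 5])
        off += 5
        if len(stream) - off < length:
            raise ValueError("truncated record body")
        records.append(Record(ctype, (major, minor), stream[off:off + length]))
        off += length
    return records


def one_byte_record_size(mac_len: int, block_size: int) -> int:
    """Ciphertext size of a TLS 1.0 CBC record carrying one plaintext byte:
    1 data byte + MAC + at least the padding-length byte, rounded up to a block.
    3DES/SHA-1 (block 8, MAC 20) gives 24, the first record size in the thread."""
    return -(-(1 + mac_len + 1) // block_size) * block_size


def is_split_request(records: List[Record], mac_len: int = 20, block_size: int = 8) -> bool:
    """True when the first two application-data records look like a 1/n-1 split:
    a minimal one-byte record immediately followed by a larger remainder."""
    app = [r for r in records if r.content_type == APPLICATION_DATA]
    if len(app) < 2:
        return False
    return (len(app[0].body) == one_byte_record_size(mac_len, block_size)
            and len(app[1].body) > len(app[0].body))


def request_line(fragment: bytes) -> Optional[Tuple[str, str, str]]:
    """Parse an HTTP request line from one decrypted fragment; None if incomplete.
    Fed the first fragment alone ("G") this returns None, which is the state an
    inspector that treats records as message boundaries gets stuck in."""
    head, sep, _ = fragment.partition(b"\r\n")
    if not sep:
        return None
    parts = head.split(b" ")
    if len(parts) != 3:
        return None
    return tuple(p.decode("ascii") for p in parts)


def reassembled_request_line(fragments: List[bytes]) -> Optional[Tuple[str, str, str]]:
    """What an L5 inspector has to do: buffer decrypted application data across
    records until a full request line is present, then parse it."""
    return request_line(b"".join(fragments))


# Constructed samples: the record sizes from the thread (24 + 400 bytes), and a
# single 424-byte record as the unaffected browsers sent it.
SPLIT_STREAM = (build_record(APPLICATION_DATA, b"\x00" * 24)
                + build_record(APPLICATION_DATA, b"\x00" * 400))
WHOLE_STREAM = build_record(APPLICATION_DATA, b"\x00" * 424)
# Constructed decrypted fragments shaped like the ones Joe decrypted.
FRAGMENTS = [b"G", b"ET /foobar HTTP/1.1\r\nHost: www.example.com\r\n\r\n"]

if __name__ == "__main__":
    print("split stream flagged:", is_split_request(parse_records(SPLIT_STREAM)))
    print("whole stream flagged:", is_split_request(parse_records(WHOLE_STREAM)))
    print("first fragment alone:", request_line(FRAGMENTS[0]))
    print("reassembled         :", reassembled_request_line(FRAGMENTS))
```

The length-based check is a heuristic (a legitimately tiny first record would also match), so it is a triage aid for confirming this behaviour on a capture, not a verdict; the reassembly function is the actual fix an inspector needs.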
CSS SSL Proxy - how can I write the original source address in http header
I'm replacing some BigIP's with CSS11500's that are configured to do front/backend ssl proxying in a one-armed configuration. The BigIP's write the original source IP address as a http header value when the traffic is sent to the application, and the application uses the IP to match against an application ACL. How can I do the same in the CSS.
thanks,
Brian
Here is what you can insert with the SSL module:
http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a0080292a76.html#wp1027619
Gilles. -
While renewing the SSL certificate on the CSS, everything went fine during installation, but afterwards, when I checked with the following command
sh ssl associate rsakey | grep url (don't want to mention the name)
I can see both the previous and the new key as associated, and it says yes,
while the new one should show yes and the old one should show no.
It shows the same for the cert.
Can anyone help me sort out this problem? What can it be?
Thanks in advance
Sagar,
Have you performed the "no ssl associate rsakey" and the "no ssl associate cert"?
After that, perform the "clear ssl file " and "clear ssl file rsakey "
HTH
Dave -
CSS + SSL - unable to create RSA association
Hello,
I am having troubles creating an RSA association on our CSS11506.
Here are the steps I've tried:
1.) I take the original "Digital ID Class 3 - VeriSign Server OnSite" certificate provided to us and move it to the CSS via FTP. I have used the openssl verify process to make sure it was a good cert.
CSS-EC1# copy ssl ftp FTPSRV import websrv-gr.pem PEM "thepassword"
Connecting (/)
Completed successfully.
(also at this step - I have tried this with and without a passphrase with the same results)
OpenSSL verify:
C:\OpenSSL\bin>openssl verify -verbose -CAfile .\PEM\verisign.pem websrv-gr.pem
websrv-gr.pem: OK
2.) I then create a certificate association:
CSS-EC1(config)# ssl associate cert WWW websrv-gr.pem
3.) I then attempt to create an RSA association:
CSS-EC1(config)# ssl associate rsakey WWW-RSA websrv-gr.pem
%% File does not contain an RSA key
What can I do to get rid of this error? Does the certificate we received from VeriSign need to be chained with the VeriSign intermediate certificate?
Any ideas?
Thanks in advance...
Regards,
Ben
Hi
We have a customer with a similar problem,
CSS11501(config)# ssl associate rsakey vimageprivkey privkeyvimages.pem
Error: %% File does not contain an RSA key
The openssl utility has been used to extract the rsakey from the PKCS12 file.
They have used this method numerous times before without this error.
RSA key below:-
Bag Attributes
localKeyID: 31 31 36 33 30 38 34 35 35 32 32 33 30
friendlyName: vimages 2006 certificate
Key Attributes:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,4B31C6E8188C1E2C
(encrypted key body omitted)
-----END RSA PRIVATE KEY-----
Any ideas? -
CSS SSL and link modification problem
Hi all
We have a problem using our CSS to offload SSL for a site. The offload works for the first connection, but the web application seems to be rewriting relative links as absolute links.
For example, a user hits the site at https://www.mydomain.com. The CSS is configured to terminate the SSL traffic, and then send HTTP to the internal web server on TCP/81.
What we're seeing in the client's browser is that all links are being returned as http://www.mydomain.com:81/... instead of https://www.mydomain.com/...
Any idea of how we can do this without messing around with the web server too much? I.e. is there a way on the CSS to do link translation?
Thanks
If the links are indeed hardcoded like this, there is nothing the CSS can do.
Bad server design.
If the server is returning a redirect to http://... the CSS can intercept it and rewrite it to https.
Please verify if there is a redirect.
Gilles. -
I have a CSS11501 and the decision has been made to load the certificates on the servers instead of using the load balancer ssl module. Is this possible? The ssl termination point will be the servers instead of the css. I don't feel that this is the best way to go, but mgmt does. Can someone please point me in the right direction.
Thanks!
As Jeramy mentioned, the configuration you have provided will work. However, the services do not require the "port 443" NAT rule to be hard-set (services will inherit the port defined within the content rule), the keepalive check for the services you created is using the default ICMP check, and what would be the reason for the group rule? Do you wish to perform internal load balancing with this rule?
The group rule will SNAT all client requests to appear as the 192.168.20.4 VIP address. Even though the CSS does not support the X-Forwarded-For HTTP option you can accomplish the same thing and be able to hit your VIP internally while preserving the client IP addresses by using ACLs on the CSS.
- Jason -
We have two 11503's each with an SSL module, in a redundant VIP configuration. Can we load the same certificate on both CSS's? Or must we obtain a separate certificate?
Thanks!
You can use the same certificate in both CSSs.
Gilles. -
Gilles,
Could you please advise whether a CSS content rule configured with SSL ID stickiness and the round-robin balance method is a recommended configuration or not. Are there any issues with SSL stickiness with browsers, i.e. IE?
Note:- I am not using SSL Module in the CSS.
Thanks in advance...
There are two issues.
Some versions of IE (5.0, 5.5 -- check http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q265369) will cause the client to change its SSL ID every 2 minutes, and this will break stickiness with application ssl and advanced-balance ssl, as this is layer 5 stickiness based on the SSL session ID. A sniffer trace from the client will show the ID field change.
You have to be aware that SSL stickiness will only work with SSL v3, because it comes with the session ID not encrypted. SSL v2 comes with the session ID encrypted and you can't do stickiness based on that version. So your application servers must be using SSL v3 if you want to use SSL ID based stickiness.
Hope it helps
Syed Iftekhar Ahmed -
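Syed's two points above (the session ID is read from the client hello in the clear, and a client that changes its session ID looks like a new client to the sticky table) can be shown in a few lines. The following is an added example, not from the thread or from Cisco: it extracts the session ID from a constructed SSLv3/TLS ClientHello record and feeds it to a small sticky table with round-robin fallback, which is the combination the question asks about. The hello bytes, server names and session IDs are all constructed; a hello in the SSLv2 record format has a different layout and is rejected by this parser rather than guessed at.

```python
# Added example: session-ID extraction from a cleartext SSLv3/TLS ClientHello and a
# sticky table keyed on it, with round-robin fallback for new or unknown IDs.
import struct
from typing import Dict, List

HANDSHAKE, CLIENT_HELLO = 0x16, 0x01


def build_client_hello(session_id: bytes, version=(3, 1)) -> bytes:
    """Constructed minimal ClientHello record with enough fields to reach the session ID:
    client_version(2) random(32) session_id_len(1) session_id cipher_suites compression."""
    body = bytes(version) + b"\x00" * 32 + bytes([len(session_id)]) + session_id
    body += b"\x00\x02\x00\x2f"  # one cipher suite (constructed value)
    body += b"\x01\x00"          # one compression method (null)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", HANDSHAKE, version[0], version[1], len(handshake)) + handshake


def client_hello_session_id(record: bytes) -> bytes:
    """Return the session ID (possibly empty) from an SSLv3/TLS ClientHello record.
    The check on the first two bytes rejects SSLv2-format hellos, whose first byte
    is a length with the high bit set rather than a content type."""
    if len(record) < 5 or record[0] != HANDSHAKE or record[1] != 3:
        raise ValueError("not an SSLv3/TLS handshake record")
    handshake = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not handshake or handshake[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    off = 4 + 2 + 32  # handshake header, client_version, random
    if len(handshake) <= off:
        raise ValueError("truncated ClientHello")
    sid_len = handshake[off]
    if len(handshake) < off + 1 + sid_len:
        raise ValueError("truncated session ID")
    return handshake[off + 1:off + 1 + sid_len]


class SslSessionStickiness:
    """Sticky table keyed on the session ID. An empty ID (new session) or an ID
    not seen before is assigned by round-robin; a client whose ID changes every
    few minutes therefore looks like a new client each time and may land elsewhere."""

    def __init__(self, servers: List[str]):
        self.servers = list(servers)
        self.table: Dict[bytes, str] = {}
        self.rr = 0

    def pick(self, session_id: bytes) -> str:
        if session_id and session_id in self.table:
            return self.table[session_id]
        server = self.servers[self.rr % len(self.servers)]
        self.rr += 1
        if session_id:
            self.table[session_id] = server
        return server


# Constructed session IDs and a constructed SSLv2-format hello (high bit set in byte 0).
SID_A = b"A" * 32
SID_B = b"B" * 32
SSLV2_HELLO = b"\x80\x2e\x01\x00\x02" + b"\x00" * 41

if __name__ == "__main__":
    lb = SslSessionStickiness(["srv1", "srv2"])
    sid = client_hello_session_id(build_client_hello(SID_A))
    print("first hit:", lb.pick(sid), "second hit:", lb.pick(sid), "changed ID:", lb.pick(SID_B))
```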
Hello,
I need to install an SSL certificate on my CSS but have no access to an FTP/SFTP server.
Can the import be accomplished via the console or some other means?
Thanks,
-Adam
Gilles,
We actually have an FTP server... it's just that the CSS is inside a DMZ and we are having some issues right now... so just wanted to know if it was possible to get the cert/key files to the CSS by some other means.
Time to fire-up the FileZilla FTP server and hit the management port!
Thanks,
-Adam -
If I have two CSS with SSL module in an ASR config, in case the master CSS fails, will the redundant CSS chassis take over the SSL sessions as well, without the client having to reconnect?
Thx,
Christos
We can save TCP connections but not the SSL info.
So after failover, the traffic will be sent to the new active SSL module which will send a RESET to the client.
The client will normally restart the connection.
If you lose the backend server, the CSS does nothing.
If the client is sending traffic, the SSL module will forward it to the dead server and if we don't get a response during the timeout period the SSL module will reset the connection.
If a new connection is open it will be sent to another active server if one is available.
Regards,
Gilles. -
Hello
I have four servers that I want to load balance based on a URL both HTTP and HTTPS. Two are tomcat and two are IIS and I would like to use something like /jsp/* and /aspx/*. I can get the http L5 rules setup just fine but when I try and use port 443 with a layer 5 content rule I get nothing. The show flows command shows the external ip, the vip but 0.0.0.0 for the NAT IP. Is it possible to do what I'm trying to do?
My config is:
service iis1
  ip address 10.0.0.1
  active
service iis2
  ip address 10.0.0.2
  active
service tomcat1
  ip address 10.0.0.3
  active
service tomcat2
  ip address 10.0.0.4
  active
owner test
  content iis
    vip address 10.1.1.1
    url "/aspx/*"
    advanced-balance arrowpoint-cookie
    add service iis1
    add service iis2
    protocol tcp
    port 80
    active
  content iis_ssl
    vip address 10.1.1.1
    url "/aspx/*"
    advanced-balance ssl
    application ssl
    add service iis1
    add service iis2
    protocol tcp
    port 443
    active
Thanks in advance
Justin
Thanks for the response, Gilles. I've been working on doing that and I think I have it working, but the problem now is that we have some apps that check to make sure the conversation is secure and redirect if not. With the SSL module, it doesn't look like the servers will ever see whether or not the user is connecting via HTTPS. Is there any way around that?
-
CSS SSL and client certificate
Hello,
In a situation where SSL traffic is terminated on an SSL module,
and having clients which do client certification.
There are 2 contents available on the webserver:
one for certified users and one for both.
Is there a way to restrict a path of a URL to clients which performed a client cert,
and have all other content on that server available to both certified and not certified clients?
Sven
Hi Gilles,
I have not described my problem at all.
Currently we are doing the SSL Termination on a webserver.
There are two locations specified in the apache config.
Like this:
<Location /webservices/onlytoca>
SSLVerifyClient require
SSLVerifyDepth 0
</Location>
So the path /webservices/onlyToCa is only allowed to clients which did a certification via client cert.
The /content is allowed to all.
I have to migrate to the SSL module because we need to analyse the URL for stickiness.
My question was: is there a way to restrict a URL path to clients which did a client certification?
I can set up the ssl-server to ignore certification failures.
Also, do you know about the HTTP-Header insert? Is the header to be inserted also if the client has not been certified via cc or only if the client performed a certification?
If not, a solution would be to have 3 content rules:
one which checks for the existence of an HTTP header which is set when the request is certified.
There I can limit the URL to /webservices/toCaOnly/*
one cr which allows any other content
one cr which sends a redirect to an error page. This one should only be accessed if the URL is /webservices/toCaOnly and the HTTP header is not set.
I hope I wrote it down clearly enough to understand.
Sven
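The three-rule scheme Sven sketches is a policy that can be stated precisely, and doing so surfaces the one thing it depends on: the backend trusts a header that the SSL terminator inserts, so the terminator must also strip any copy of that header arriving from the client, and the path comparison must be done on a normalized path so that encoded or dot-segment variants match the same rule. The block below is an added example written for this page, not the thread's configuration and not Cisco or Apache code; the header name, the protected prefix, the error page and the request samples are constructed placeholders.

```python
# Added example: the three content rules modelled as one routing function, with
# the terminator-side header handling that makes rule 1 trustworthy.
import posixpath
from typing import Dict, Tuple
from urllib.parse import unquote

PROTECTED_PREFIX = "/webservices/onlyToCa/"        # constructed; Sven's protected path
VERIFIED_HEADER = "x-client-cert-verified"         # assumed name for the inserted header
ERROR_PAGE = "/error/client-cert-required.html"    # constructed error page


def strip_client_supplied(headers: Dict[str, str]) -> Dict[str, str]:
    """Drop any client-supplied copy of the trust header, comparing names case-insensitively."""
    return {k.lower(): v for k, v in headers.items() if k.lower() != VERIFIED_HEADER}


def terminator_headers(client_headers: Dict[str, str], client_cert_verified: bool) -> Dict[str, str]:
    """What the SSL terminator should hand to the backend: the client's headers minus any
    spoofed trust header, plus the trust header only when verification actually succeeded."""
    out = strip_client_supplied(client_headers)
    if client_cert_verified:
        out[VERIFIED_HEADER] = "true"
    return out


def normalize_path(raw_path: str) -> str:
    """Decode percent-escapes and collapse dot segments so that the prefix check sees
    one canonical form of the path (query string ignored)."""
    return posixpath.normpath(unquote(raw_path.split("?", 1)[0]))


def is_protected(path: str) -> bool:
    """True for the protected directory itself and anything below it; a sibling such
    as /webservices/onlyToCaXYZ is not matched because the prefix ends in a slash."""
    return path == PROTECTED_PREFIX.rstrip("/") or path.startswith(PROTECTED_PREFIX)


def route(raw_path: str, headers: Dict[str, str]) -> Tuple[str, str]:
    """Rule 1: protected path + verified header -> backend.
       Rule 2: any other path -> backend.
       Rule 3: protected path without the header -> redirect to the error page."""
    path = normalize_path(raw_path)
    hdrs = {k.lower(): v for k, v in headers.items()}
    if not is_protected(path):
        return ("backend", path)
    if hdrs.get(VERIFIED_HEADER) == "true":
        return ("backend", path)
    return ("redirect", ERROR_PAGE)


if __name__ == "__main__":
    # Constructed requests: public content, verified client, and a client that
    # sent the trust header itself without presenting a certificate.
    print(route("/content/index.html", terminator_headers({}, False)))
    print(route("/webservices/onlyToCa/op", terminator_headers({}, True)))
    print(route("/webservices/onlyToCa/op",
                terminator_headers({"X-Client-Cert-Verified": "true"}, False)))
```

Whether the CSS header insert behaves this way for non-certified clients is exactly the question Sven asks above; the example only shows what the policy needs from the terminator, not what the product does.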