Application Delivery (ADX)

Occasional Contributor
Posts: 5
Registered: 02-14-2012

SSL-Termination problem 4096 bit RSA SSL key

Hi,

I am having problems setting up SSL termination with a 4096-bit RSA SSL key.

My config is the following on a ServerIron 4G-SSL, SW: 10.2.01yTJ3

ssl profile profilename
 keypair-file keyname
 certificate-file certname
 cipher-suite all-cipher-suites
 enable-certificate-chaining
 session-cache off

csw-policy "p1"
 default forward 1
 default rewrite request-insert client-ip

server virtual dev_membership x.x.x.x
 acl-id 10
 sticky-age 5
 predictor weighted
 port http sticky
 port http csw-policy "p1"
 port http csw
 port http request-insert client-ip "X-Forwarded-For"
 port ssl
 no port ssl sticky
 port ssl ssl-terminate star_url_com
 port ssl csw-policy "p1"
 port ssl csw
 port ssl request-insert client-ip "X-Forwarded-For"
 port dns
 bind http eurwebdev03 http
 bind ssl eurwebdev03 8081 real-port http

When I am using a 1024-bit RSA key, which was uploaded exactly the same way as the 4096-bit key, everything is working perfectly, but the 4096-bit key gives the following error:

openssl s_client -connect URL:443 -state

CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=2 /C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
verify return:1
depth=1 /C=US/O=Trusted Secure Certificate Authority/CN=Trusted Secure Certificate Authority
verify return:1
depth=0 /C=GB/postalCode=POSTCODE /ST=STATE /L=CITY /streetAddress=ADDRESS/streetAddress=ADDRESS House/O=COMAPNY /OU=COMPANY /OU=Provided by COMPANY/OU=Enterprise SSL Wildcard/CN=*.domain
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:failed in SSLv3 read finished A
19695:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

When I access the site with a direct connection to the webserver, without the load balancer, the SSL key is perfect; it is the same one that was installed on the load balancer. Chrome reports AES_256_CBC with SHA1 and DHE_RSA as the key exchange mechanism.

Keys and certificates are perfectly readable by the load balancer; when I download them back again they are the same as they were when uploaded, and they work perfectly with a pure webserver.

So it terminates the connection before the handshake.

Can it be a supported cipher suite issue, or am I missing something here?

Thank you for any idea, suggestion, or help.

Peter

Contributor
Posts: 47
Registered: 07-14-2010

Re: SSL-Termination problem 4096 bit RSA SSL key

The maximum supported SSL key is 2048 bits on the JetCore platform, such as the SI-4G-SSL. 4096 is not supported on the JetCore platform and it won't work, as you see.

On the ADX platform, I have confirmed that a 4096-bit modulus worked without any issue.

But we don't officially support a 4096-bit modulus on ADX either, if we look at the manual below.

-------------

ServerIron_12400_SecurityGuide.pdf

NOTE

The ServerIron ADX does not support key strength greater than 2048 bits.

-------------

Thanks.

//Kono
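The failure in this thread only shows up after the key is already on the box, as a mid-handshake abort. A pre-upload gate that reads the PEM key or certificate and reports the RSA modulus size catches it earlier. The following is an added example, not code from the thread or from Brocade; it uses only the Python standard library (a minimal DER walker instead of OpenSSL), the 2048-bit limit quoted above is taken as the platform assumption, and the sample keys it builds are constructed integers of the requested bit length, not real RSA keys. It handles the containers a key usually arrives in: PKCS#1 RSAPrivateKey, PKCS#1 RSAPublicKey, SubjectPublicKeyInfo, and an X.509 certificate.

```python
import base64
import re

# Limit stated in the thread for the JetCore ServerIron (SI-4G-SSL); an
# assumption for any other platform, adjust it from that platform's manual.
PLATFORM_MAX_BITS = 2048
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, raw_tlv, next_pos)."""
    start = pos
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: 0x8N followed by N length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], buf[start:end], end


def _children(seq_value):
    """Split the payload of a SEQUENCE into its (tag, value, raw) elements."""
    out, pos = [], 0
    while pos < len(seq_value):
        tag, value, raw, pos = _read_tlv(seq_value, pos)
        out.append((tag, value, raw))
    return out


def rsa_modulus_bits(der):
    """Modulus bit length of an RSA key in any of the usual DER containers."""
    tag, body, _, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected an outer SEQUENCE")
    items = _children(body)
    tags = [t for t, _, _ in items]
    # RSAPrivateKey ::= SEQUENCE { version, modulus, publicExponent, d, p, q, dp, dq, qInv }
    if len(items) >= 9 and tags[0] == 0x02 and tags[1] == 0x02:
        return int.from_bytes(items[1][1], "big").bit_length()
    # RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
    if tags == [0x02, 0x02]:
        return int.from_bytes(items[0][1], "big").bit_length()
    # SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, subjectPublicKey BIT STRING }
    if tags == [0x30, 0x03]:
        alg = _children(items[0][1])
        if not alg or alg[0][0] != 0x06 or alg[0][1] != RSA_OID:
            raise ValueError("not an rsaEncryption key")
        return rsa_modulus_bits(items[1][1][1:])    # skip the unused-bits octet
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    if tags == [0x30, 0x30, 0x03]:
        tbs = _children(items[0][1])
        idx = 1 if tbs[0][0] == 0xA0 else 0        # optional [0] EXPLICIT version
        return rsa_modulus_bits(tbs[idx + 5][2])   # serial, sig, issuer, validity, subject, SPKI
    raise ValueError("unrecognised structure")


_PEM_RE = re.compile(r"-----BEGIN ([^-]+)-----(.*?)-----END \1-----", re.S)


def pem_to_der(pem_text):
    m = _PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(m.group(2).split()))


def check_key_for_platform(pem_text, max_bits=PLATFORM_MAX_BITS):
    """Return (modulus_bits, ok); ok is False when the key exceeds the platform limit."""
    bits = rsa_modulus_bits(pem_to_der(pem_text))
    return bits, bits <= max_bits


# --- constructed sample data (not real keys), used only to exercise the checker ---
def _der_tlv(tag, value):
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def _der_int(i):
    b = i.to_bytes((i.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b                             # keep the INTEGER positive
    return _der_tlv(0x02, b)


def make_sample_public_key_pem(bits):
    """CONSTRUCTED sample: a modulus of exactly `bits` bits (top bit set, odd) with
    e=65537, wrapped as SubjectPublicKeyInfo and PEM-armoured like an upload file."""
    modulus = (1 << (bits - 1)) | 1
    rsa_pub = _der_tlv(0x30, _der_int(modulus) + _der_int(65537))
    alg = _der_tlv(0x30, _der_tlv(0x06, RSA_OID) + _der_tlv(0x05, b""))
    spki = _der_tlv(0x30, alg + _der_tlv(0x03, b"\x00" + rsa_pub))
    b64 = base64.b64encode(spki).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"


if __name__ == "__main__":
    for bits in (1024, 2048, 4096):
        n, ok = check_key_for_platform(make_sample_public_key_pem(bits))
        print(f"{n}-bit modulus: {'ok' if ok else 'REJECT, over platform limit'}")
```

With a real file the same check is `check_key_for_platform(open("key.pem").read())`; the equivalent one-liner with OpenSSL is `openssl rsa -in key.pem -noout -text` (or `openssl x509 -in cert.pem -noout -text`), where the first lines report the key size in bits. Note that the handshake trace in the first post cannot tell you this: the certificate is served and verifies fine at all three depths, and the failure only appears at the server Finished step, which is why a size check on the file itself is the quicker diagnostic.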
