02-14-2012 09:38 AM
I am having problems setting up SSL termination with a 4096-bit RSA SSL key.
My config is the following on a ServerIron 4G-SSL, SW: 10.2.01yTJ3
When I am using a 1024-bit RSA key, which was uploaded exactly the same way as the 4096-bit key, everything is working perfectly, but the 4096-bit key gives the following error:
openssl s_client -connect URL:443 -state
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=2 /C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
depth=1 /C=US/O=Trusted Secure Certificate Authority/CN=Trusted Secure Certificate Authority
depth=0 /C=GB/postalCode=POSTCODE /ST=STATE /L=CITY /streetAddress=ADDRESS/streetAddress=ADDRESS House/O=COMAPNY /OU=COMPANY /OU=Provided by COMPANY/OU=Enterprise SSL Wildcard/CN=*.domain
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:failed in SSLv3 read finished A
19695:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
When I am accessing the site with a direct connection to the webserver, without the load balancer, the SSL key is perfect, and it is the same as the one which was installed on the load balancer. Chrome reports AES_256_CBC with SHA1 and DHE_RSA as the key exchange mechanism.
Keys and certificates are perfectly readable by the load balancer; when I download them back again they are the same as they were when uploaded, and they work perfectly with a pure webserver.
So it terminates the connection before the handshake.
Can it be a supported cipher suite issue, or am I missing something here?
Thank you for any idea, suggestion, or help.
02-14-2012 03:51 PM
Maximum supported SSL key is 2048 bit on JetCore platform such as SI-4G-SSL. 4096 is not supported on JetCore platform and it won't work as you see.
On the ADX platform, I have confirmed that a 4096-bit modulus worked without any issue.
But we don't officially support a 4096-bit modulus on ADX either, if we look at the manual below.
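Since the reply pins the failure on a platform limit on the RSA modulus size (2048 bits on JetCore), the practical check before uploading a key is to read the modulus length out of the PEM and compare it with that limit. The following is an added example, not code from the thread or from Brocade; it parses the DER inside a PKCS#1 "RSA PUBLIC KEY" / "RSA PRIVATE KEY" or an X.509 "PUBLIC KEY" PEM with a minimal hand-written DER reader, so it needs no third-party library. The 2048-bit limit and the helper names (rsa_modulus_bits, check_key_for_platform, encode_rsa_public_key_pem) are this example's own assumptions, and the PEM inputs it builds are constructed test data.

```python
import base64
import re

# Limit quoted in the reply for the JetCore platform (SI-4G-SSL); assumed to apply to the modulus.
PLATFORM_MAX_BITS = 2048


def _der_read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:  # long-form length: low 7 bits give the number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _der_encode_tlv(tag, value):
    """Encode a DER TLV, using long-form length where needed (only used to build test input)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _der_encode_int(v):
    """Encode a non-negative INTEGER, adding a leading 0x00 when the top bit is set."""
    b = v.to_bytes((v.bit_length() + 7) // 8, "big") or b"\x00"
    if b[0] & 0x80:
        b = b"\x00" + b
    return _der_encode_tlv(0x02, b)


def encode_rsa_public_key_pem(modulus, exponent=65537):
    """Build a constructed PKCS#1 'RSA PUBLIC KEY' PEM for testing (not a real key)."""
    der = _der_encode_tlv(0x30, _der_encode_int(modulus) + _der_encode_int(exponent))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN RSA PUBLIC KEY-----\n" + body + "\n-----END RSA PUBLIC KEY-----\n"


def rsa_modulus_bits(pem):
    """Return the bit length of the RSA modulus found in the first PEM block of `pem`."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label = m.group(1)
    der = base64.b64decode("".join(m.group(2).split()))
    if label == "PUBLIC KEY":
        # SubjectPublicKeyInfo ::= SEQUENCE { algorithm AlgorithmIdentifier, subjectPublicKey BIT STRING }
        _, spki, _ = _der_read_tlv(der, 0)
        _, _alg, pos = _der_read_tlv(spki, 0)          # skip AlgorithmIdentifier
        tag, bits, _ = _der_read_tlv(spki, pos)
        if tag != 0x03:
            raise ValueError("expected BIT STRING in SubjectPublicKeyInfo")
        der = bits[1:]                                  # drop unused-bits octet -> PKCS#1 RSAPublicKey
    elif label not in ("RSA PUBLIC KEY", "RSA PRIVATE KEY"):
        raise ValueError("unsupported PEM label: " + label)
    tag, seq, _ = _der_read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    pos = 0
    if label == "RSA PRIVATE KEY":
        _, _version, pos = _der_read_tlv(seq, 0)       # RSAPrivateKey starts with a version INTEGER
    tag, n_bytes, _ = _der_read_tlv(seq, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(n_bytes, "big").bit_length()


def check_key_for_platform(pem, max_bits=PLATFORM_MAX_BITS):
    """Return (modulus_bits, supported) for the given PEM against the platform limit."""
    bits = rsa_modulus_bits(pem)
    return bits, bits <= max_bits


if __name__ == "__main__":
    # Constructed moduli of known size; real keys would be read from the PEM files to be uploaded.
    for size in (1024, 2048, 4096):
        pem = encode_rsa_public_key_pem((1 << (size - 1)) | 1)
        bits, ok = check_key_for_platform(pem)
        print("%d-bit modulus: %s" % (bits, "supported" if ok else "exceeds platform limit"))
```

Run against the actual key before uploading; a result over the platform limit explains a handshake that dies at "read finished" even though the same key serves fine on a plain webserver.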