Forum Discussion

dragonflymr
May 15, 2015

SSL enabled server requires private key after update from 10 to 11

Hi,

I am still waiting for the VS and profile config, but maybe somebody has experienced a similar issue.

Scenario (from what I know right now)

  • VS is used to connect from the internal network to some external service offered by a partner
  • VS is using https (still don't know if it's pass through, decrypt/encrypt or proxySSL - I guess this was not supported on 10.1?)

According to the info I have, in version 10.1 the partner private key was not necessary, but after the update the VS stopped communicating because it now requires the partner private key - which is of course not available.

Any ideas?

Piotr


7 Replies

  • OK, it turned out that this is a standard http server with a serverssl profile only. As such I doubt there is any need for the remote server's private key. What I suspect is a problem with ciphers. The serverssl profile is using DEFAULT. As far as I know the DEFAULT cipher list in 10.1 and 11.6 is quite different. In 11.6 plenty of insecure ciphers were removed/disabled from DEFAULT. What would be the easiest way to check the highest possible cipher the remote server can accept - without using BIG-IP (I mean in advance, before switching from 10.1 to 11.6)? Piotr
  • According to the info I have, in version 10.1 the partner private key was not necessary, but after the update the VS stopped communicating because it now requires the partner private key - which is of course not available.

    What is it that now requires the partner private key? Is it an error log or something else?

    If it is a log, I do not think the problem is about the cipher suite.

    What would be the easiest way to check the highest possible cipher the remote server can accept - without using BIG-IP

    You may find a script on the Internet that checks the ciphers a server supports.

    • dragonflymr
      Well, right now I am estimating the issue on scarce resources. I just received the VS config listing as well as the clientssl profile. I don't know if there were any errors in the log. Still, what could be the reason for the failed connection after the 11.6 update if not the cipher? Piotr
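The cipher check asked about in the two posts above (which ciphers the partner server will accept, tested from an ordinary host rather than from the BIG-IP), as an added example that is not code from this thread or from F5. It expands an OpenSSL cipher string on the local machine and then attempts one TLS handshake per cipher against the target, keeping only the ciphers the server actually negotiates. The hostname, port and the injectable `handshake` argument are assumptions made for the example. Two caveats: the expansion of "DEFAULT" here is the local OpenSSL build's DEFAULT, not the BIG-IP DEFAULT keyword of either 10.1 or 11.6, so the BIG-IP-side list must be taken from the device itself; and OpenSSL's cipher string does not restrict TLS 1.3 suites, so against a TLS 1.3 server every probe may negotiate a 1.3 suite regardless of what was offered, which is why a cipher counts as accepted only when the negotiated name equals the one offered.

```python
"""Probe which TLS cipher suites a remote server accepts, one handshake per
cipher, using only the Python standard library.  Added example for the
forum thread above; not code from the thread or from F5."""

import socket
import ssl


def expand_cipher_string(spec):
    """Return the OpenSSL cipher names that a cipher string such as
    'DEFAULT' or 'ALL:!aNULL:!eNULL' expands to on this machine.
    This is the local OpenSSL's view, not BIG-IP's DEFAULT keyword."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers()]


def handshake_with(host, port, cipher, timeout=5.0):
    """Try one handshake offering only `cipher`.  Return the negotiated
    cipher name, or None if the server rejected it or is unreachable.
    Certificate verification is deliberately off: this tests cipher
    agreement, not trust in the peer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers(cipher)
    except ssl.SSLError:
        return None  # local OpenSSL cannot offer this cipher at all
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


def probe_ciphers(host, port, candidates, handshake=handshake_with):
    """Return the subset of `candidates` the server accepts, in the order
    offered.  A cipher counts only if the negotiated name equals the one
    offered (a TLS 1.3 server may answer with a 1.3 suite to any offer).
    `handshake` is injectable so the logic can be exercised offline."""
    accepted = []
    for cipher in candidates:
        if handshake(host, port, cipher) == cipher:
            accepted.append(cipher)
    return accepted


def strongest_common(server_accepts, client_list):
    """First cipher in `client_list` (the client's preference order, e.g.
    the expansion of the client-side DEFAULT string) that the server also
    accepts, or None when there is no overlap.  None is exactly the
    handshake failure the thread is worried about."""
    server_set = set(server_accepts)
    for cipher in client_list:
        if cipher in server_set:
            return cipher
    return None


if __name__ == "__main__":
    import sys

    # Assumed invocation: python probe.py partner.example.com 443
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    offered = expand_cipher_string("ALL:!aNULL:!eNULL")
    ok = probe_ciphers(target, target_port, offered)
    for name in ok:
        print("accepted:", name)
    print("best match against local DEFAULT:",
          strongest_common(ok, expand_cipher_string("DEFAULT")))
```

Run it from a host that can reach the partner service, then compare the accepted list with the cipher list the BIG-IP side will offer after the upgrade; if `strongest_common` returns None for that list, the server-side handshake will fail on cipher mismatch independently of any certificate or key issue in the profile.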
  • Hi,

    I wonder what the purpose of using a certificate (in the Configuration section) is, except to enable client certificate based authentication (like in a browser). Any other reasons?

    Piotr


    • dragonflymr's avatar
      dragonflymr
      Icon for Cirrostratus rankCirrostratus
      BTW, issue after update to 11.6 is that in this version when certificate is specified in serverssl profile then matching private key is required. There is no way to save profile with only certificate (what is logical if certificate is used for client authentication). In 10.1 it seems to be possible - I have profile configuration from 10.1 and there is only certificate specified without private key. Right now I don't know if client authentication is really used for this connection - waiting for answer from customer but I doubt it as it would not be possible if only certificate was configured in profile without private key - or maybe I am wrong? Here is serverssl config used for this VS server-ssl profile_ssl { alert-timeout 60 authenticate once authenticate-depth 9 authenticate-name none ca-file none cache-size 20000 cache-timeout 3600 cert certificate.crt chain none ciphers DEFAULT crl-file none defaults-from serverssl handshake-timeout 60 key none mod-ssl-methods disabled mode enabled options { dont-insert-empty-fragments } partition Common passphrase none peer-cert-mode ignore renegotiate-period indefinite renegotiate-size indefinite strict-resume disabled unclean-shutdown enabled Piotr