Unlike the other protocols in this chapter, SSL pre-optimization is a transport layer feature: instead of the protocol being encapsulated directly inside the TCP layer, it is encapsulated inside the SSL layer, which in turn is encapsulated inside the TCP layer.
Figure 8.46. SSL encapsulated HTTP traffic
.---------------.
| HTTP protocol |     .---------------.
|---------------|     | HTTP protocol |
| SSL protocol  |     |---------------|
|---------------|     | TCP protocol  |
| TCP protocol  |     |---------------|
|---------------|     | IP protocol   |
| IP protocol   |     '---------------'
'---------------'
SSL encapsulation is not limited to HTTP: it is used to encrypt many protocols, such as HTTP, IMAP, POP3 and SMTP.
To optimize SSL encrypted traffic, SSL licenses are required to enable this feature. You can request them for free from the Riverbed Support website.
This is described in the SSL Secure Peering section of the Operational Related Issues chapter.
To be able to optimize traffic towards an SSL server, you will need to obtain the SSL certificate and the SSL private key of the server.
In this scenario, the company Example Dot Com has a Root CA and an intermediate CA. To get this working, the server-side Steelhead appliance needs to know about the Root CA certificate, the intermediate CA certificate, and the server's private key and certificate.
If the issuer certificate of the server certificate is not known on the Steelhead appliance, then you need to obtain that issuer certificate too.
Figure 8.47. Missing issuer certificate during the import of the server key and certificate
webasd[7055]: [web.INFO]: web: User admin viewing setupServiceProtocolsSSLMain page.
sport[7402]: [sport/mgmt/ssl.INFO] - {- -} getting SSL discovered servers information
sport[7402]: [sport/mgmt/ssl.INFO] - {- -} getting SSL bypassed servers information
webasd[7055]: [web.NOTICE]: web: user admin: SSL ACTION: /rbt/sport/ssl/action/server_certs/add_import; PARAMETERS: name = , exportable = true
mgmtd[3958]: [mgmtd.INFO]: while importing www.example.com: code 20 at 0 depth lookup: unable to get local issuer certificate
mgmtd[3958]: [mgmtd.INFO]: /C=AU/ST=NSW/L=Sydney/O=Example Dot Com/OU=Webserver Department/CN=www.example.com/emailAddress=www@example.com
mgmtd[3958]: [mgmtd.INFO]: EVENT: /rbt/sport/ssl/event/change/backend_server
sport[7402]: [sport/mgmt/ssl.INFO] - {- -} dyn config modify/add SSL server certificate [www.example.com].
sport[7402]: [sslmodule.INFO] - {- -} Added a certificate with name "www.example.com"
mgmtd[3958]: [mgmtd.NOTICE]: Server certificate "www.example.com" added successfully.
mgmtd[3958]: [mgmtd.INFO]: verification failed: code 20 at 0 depth lookup: unable to get local issuer certificate
mgmtd[3958]: [mgmtd.INFO]: /C=AU/ST=NSW/L=Sydney/O=Example Dot Com/OU=Webserver Department/CN=www.example.com/emailAddress=www@example.com
mgmtd[3958]: [mgmtd.NOTICE]: But the certificate did not pass verification, so if the actual backend server uses the same certificate, the appliance might not be able to connect to it. Additional Certificate Authorities might be needed.
mgmtd[3958]: [mgmtd.NOTICE]: To avoid potential verification problems at clients (eg, browser pop-up warnings), additional/correct chain certificates might be needed.
webasd[7055]: [web.INFO]: web: Received return code 0, return message 'Server certificate "www.example.com" added successfully.\nBut the certificate did not pass verification, so if the actual backend server uses the same certificate, the appliance might not be able to connect to it. Additional Certificate Authorities might be needed.\nTo avoid potential verification problems at clients (eg, browser pop-up warnings), additional/correct chain certificates might be needed.\n' from gclSession pygs_handle_any_response
webasd[7055]: [web.INFO]: web: User admin viewing setupServiceProtocolsSSLMain page.
To see which issuer certificate is missing, use the command "show protocol ssl server-cert":
Figure 8.48. Output of the command "show protocol ssl server-cert"
SSH # show protocol ssl server-cert name www.example.com
Name: www.example.com
Exportable: yes
Certificate Details:
  Issued To:
    Common Name: www.example.com
    Organization: Example Dot Com
    Locality: Sydney
    State: NSW
    Country: AU
  Serial Number: 1 (0x1)
  Issued By:
    Common Name: Example Dot Com Intermediate Certificate
    Organization: Example Dot Com
    State: NSW
    Country: AU
  Validity:
    Issued On: Aug 5 08:08:44 2012 GMT
    Expires On: Aug 5 08:08:44 2013 GMT
  Fingerprint:
    SHA1: FB:C5:FF:07:81:08:7D:DF:A8:40:6B:68:15:03:47:63:89:F8:72:2C
  Key:
    Type: RSA
    Size (Bits): 4096
No chain certificates.
This shows that we don't have the certificate of the issuer Example Dot Com Intermediate Certificate.
If the issuer certificate of the server certificate is known on the Steelhead appliance, but the CA Root certificate is not known, then you need to obtain that CA Root certificate too.
Figure 8.49. Root CA certificate missing but intermediate certificate present
webasd[7055]: [web.INFO]: web: User admin viewing setupServiceProtocolsSSLCAs page.
webasd[7055]: [web.NOTICE]: web: user admin: SSL ACTION: /rbt/sport/ssl/action/server_certs/add_import; PARAMETERS: name = , exportable = true
mgmtd[3958]: [mgmtd.INFO]: while importing www.example.com: code 2 at 1 depth lookup: unable to get issuer certificate
mgmtd[3958]: [mgmtd.INFO]: /C=AU/ST=NSW/L=Sydney/O=Example Dot Com/CN=Example Dot Com Intermediate Certificate/emailAddress=intca@example.com
mgmtd[3958]: [mgmtd.INFO]: EVENT: /rbt/sport/ssl/event/change/backend_server
sport[7402]: [sport/mgmt/ssl.INFO] - {- -} dyn config modify/add SSL server certificate [www.example.com].
sport[7402]: [sslmodule.INFO] - {- -} Added a certificate with name "www.example.com"
mgmtd[3958]: [mgmtd.NOTICE]: Server certificate "www.example.com" added successfully.
mgmtd[3958]: [mgmtd.INFO]: verification failed: code 2 at 1 depth lookup: unable to get issuer certificate
mgmtd[3958]: [mgmtd.INFO]: /C=AU/ST=NSW/L=Sydney/O=Example Dot Com/CN=Example Dot Com Intermediate Certificate/emailAddress=intca@example.com
mgmtd[3958]: [mgmtd.NOTICE]: But the certificate did not pass verification, so if the actual backend server uses the same certificate, the appliance might not be able to connect to it. Additional Certificate Authorities might be needed.
mgmtd[3958]: [mgmtd.NOTICE]: Certificate Authority "Example_Dot_Com_Intermediate_CA" automatically added to the certificate chain. To avoid potential verification problems at clients (eg, browser pop-up warnings), additional/correct chain certificates might be needed.
webasd[7055]: [web.INFO]: web: Received return code 0, return message 'Server certificate "www.example.com" added successfully.\nBut the certificate did not pass verification, so if the actual backend server uses the same certificate, the appliance might not be able to connect to it. Additional Certificate Authorities might be needed.\nCertificate Authority "Example_Dot_Com_Intermediate_CA" automatically added to the certificate chain.\nTo avoid potential verification problems at clients (eg, browser pop-up warnings), additional/correct chain certificates might be needed.\n' from gclSession pygs_handle_any_response
webasd[7055]: [web.INFO]: web: User admin viewing setupServiceProtocolsSSLMain page.
The difference here is that the string "Certificate Authority "Example_Dot_Com_Intermediate_CA" automatically added to the certificate chain" has been added, which shows that the issuer of the server certificate is known.
Again, the command "show protocol ssl server-cert" can be used to see which one is expected:
Figure 8.50. Output of the command "show protocol ssl server-cert" for a chained certificate
SSH # show protocol ssl server-cert name www.example.com
Name: www.example.com
Exportable: yes
Certificate Details:
  Issued To:
    Common Name: www.example.com
    Organization: Example Dot Com
    Locality: Sydney
    State: NSW
    Country: AU
  Serial Number: 1 (0x1)
  Issued By:
    Common Name: Example Dot Com Intermediate Certificate
    Organization: Example Dot Com
    State: NSW
    Country: AU
  Validity:
    Issued On: Aug 5 08:08:44 2012 GMT
    Expires On: Aug 5 08:08:44 2013 GMT
  Fingerprint:
    SHA1: FB:C5:FF:07:81:08:7D:DF:A8:40:6B:68:15:03:47:63:89:F8:72:2C
  Key:
    Type: RSA
    Size (Bits): 4096
Chain certificates:
  Name                              (Issued To)
  DF095A93A56EA5A63C9286673A84AB22  (Example Dot Com Intermediate Certificate)
SSH # show protocol ssl server-cert name www.example.com chain-cert DF095A93A56EA5A63C9286673A84AB22 certificate
Issued To:
  Common Name: Example Dot Com Intermediate Certificate
  Organization: Example Dot Com
  State: NSW
  Country: AU
Serial Number: 1 (0x1)
Issued By:
  Common Name: Example Dot Com Root Certificate
  Organization: Example Dot Com
  Locality: Sydney
  State: NSW
  Country: AU
Validity:
  Issued On: Aug 5 08:01:14 2012 GMT
  Expires On: Aug 5 08:01:14 2013 GMT
Fingerprint:
  SHA1: C3:D8:46:D6:A3:5B:F7:7D:1E:2E:C4:E9:DC:89:1D:AD:AF:4E:95:2F
Key:
  Type: RSA
  Size (Bits): 4096
This shows that we don't have the certificate of the issuer Example Dot Com Root Certificate.
Figure 8.51. Successful import of the server certificate
webasd[7055]: [web.NOTICE]: web: user admin: SSL ACTION: /rbt/sport/ssl/action/server_certs/add_import; PARAMETERS: name = , exportable = true
mgmtd[3958]: [mgmtd.INFO]: EVENT: /rbt/sport/ssl/event/change/backend_server
sport[7402]: [sport/mgmt/ssl.INFO] - {- -} dyn config modify/add SSL server certificate [www.example.com].
sport[7402]: [sslmodule.INFO] - {- -} Added a certificate with name "www.example.com"
mgmtd[3958]: [mgmtd.NOTICE]: Server certificate "www.example.com" added successfully.
mgmtd[3958]: [mgmtd.NOTICE]: Certificate Authority "DF095A93A56EA5A63C9286673A84AB22" automatically added to the certificate chain.
webasd[7055]: [web.INFO]: web: Received return code 0, return message 'Server certificate "www.example.com" added successfully.\nCertificate Authority "DF095A93A56EA5A63C9286673A84AB22" automatically added to the certificate chain.\n' from gclSession pygs_handle_any_response
webasd[7055]: [web.INFO]: web: User admin viewing setupServiceProtocolsSSLMain page.
sport[7402]: [sport/mgmt/ssl.INFO] - {- -} getting SSL discovered servers information
sport[7402]: [sport/mgmt/ssl.INFO] - {- -} getting SSL bypassed servers information
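The three imports above differ only in the OpenSSL verify code and depth that mgmtd logs. As an added example (not from the book or from Riverbed's own tooling), the following Python triage reads those mgmtd lines and reports whether the intermediate or the root certificate is the one still missing, together with the CN of the certificate whose issuer could not be found. The function and status names are my own; the sample lines are taken from Figures 8.47, 8.49 and 8.51.

```python
import re

# OpenSSL X.509 verify codes as they appear in the mgmtd lines above:
# 2  = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT (issuer of a chain certificate not found)
# 20 = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (issuer of the server certificate not found)
KNOWN_CODES = {2, 20}

FAIL_RE = re.compile(r"mgmtd\[\d+\]: \[mgmtd\.INFO\]: (?:verification failed|while importing \S+): "
                     r"code (\d+) at (\d+) depth lookup: (.*)$")
DN_RE = re.compile(r"mgmtd\[\d+\]: \[mgmtd\.INFO\]: (/[A-Z]+=.*)$")
CN_RE = re.compile(r"/CN=([^/]+)")

def triage(lines):
    """Return (status, code, cn) for one server-certificate import: status is 'ok',
    'missing-intermediate' (break at depth 0, the server certificate), 'missing-root'
    (break at depth 1 or deeper, above an intermediate that was found) or 'other-error';
    cn names the certificate whose issuer was not found, i.e. whose 'Issued By' (see
    'show protocol ssl server-cert') must be imported next."""
    for i, line in enumerate(lines):
        m = FAIL_RE.search(line)
        if not m:
            continue
        code, depth = int(m.group(1)), int(m.group(2))
        cn = None
        if i + 1 < len(lines):  # mgmtd logs the subject DN of that certificate next
            d = DN_RE.search(lines[i + 1])
            if d:
                c = CN_RE.search(d.group(1))
                cn = c.group(1) if c else d.group(1)
        if code not in KNOWN_CODES:
            return "other-error", code, cn
        return ("missing-intermediate" if depth == 0 else "missing-root"), code, cn
    # No failure line means the chain verified. "automatically added to the certificate
    # chain" alone is not proof: Figure 8.49 logs it next to a verification failure.
    return "ok", 0, None

# Constructed samples: the relevant lines of Figures 8.47, 8.49 and 8.51.
MISSING_INTERMEDIATE = [
    "mgmtd[3958]: [mgmtd.INFO]: verification failed: code 20 at 0 depth lookup: unable to get local issuer certificate",
    "mgmtd[3958]: [mgmtd.INFO]: /C=AU/ST=NSW/L=Sydney/O=Example Dot Com/OU=Webserver Department/CN=www.example.com/emailAddress=www@example.com",
]
MISSING_ROOT = [
    "mgmtd[3958]: [mgmtd.INFO]: verification failed: code 2 at 1 depth lookup: unable to get issuer certificate",
    "mgmtd[3958]: [mgmtd.INFO]: /C=AU/ST=NSW/L=Sydney/O=Example Dot Com/CN=Example Dot Com Intermediate Certificate/emailAddress=intca@example.com",
    'mgmtd[3958]: [mgmtd.NOTICE]: Certificate Authority "Example_Dot_Com_Intermediate_CA" automatically added to the certificate chain.',
]
CHAIN_OK = [
    'mgmtd[3958]: [mgmtd.NOTICE]: Server certificate "www.example.com" added successfully.',
    'mgmtd[3958]: [mgmtd.NOTICE]: Certificate Authority "DF095A93A56EA5A63C9286673A84AB22" automatically added to the certificate chain.',
]
```

Feed it the mgmtd lines of one import (for example from "show log" filtered on mgmtd); a "missing-root" result means the next certificate to obtain is the "Issued By" of the chain certificate shown by "show protocol ssl server-cert ... chain-cert ... certificate".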
In the GUI of the client-side Steelhead appliance, add an in-path rule towards the SSL server with SSL as the Pre-optimization Policy:
No change is needed on the server-side Steelhead appliance, as the peering rules will take care of it.
If SSL pre-optimization is working, data reduction should be seen once the TCP session has been set up, and the server should show up as discovered in the SSL discovery list:
Figure 8.53. SSL discovery list
SSH # show protocol ssl backend disc-table
Discovered servers:
   #  Server Name                IP               Port   Certificate Name
----  -------------------------  ---------------  -----  -------------------------
   1  www.example.com            192.168.1.1      443    www.example.com