8.11. SSL Pre-optimization

Unlike the other protocols in this chapter, SSL pre-optimization is a transport layer feature: Instead of the protocol being encapsulated inside the TCP layer, the protocol is being encapsulated inside the SSL layer and then encapsulated inside the TCP layer.

Figure 8.46. SSL encapsulated HTTP traffic

                        .---------------.
                        | HTTP protocol |
      .---------------. |---------------|
      | HTTP protocol | | SSL protocol  |
      |---------------| |---------------|
      | TCP protocol  | | TCP protocol  |
      |---------------| |---------------|
      | IP protocol   | | IP protocol   |
      '---------------' '---------------'

SSL encapsulation is not limited to HTTP only. It is used for the encryption of many protocols like HTTP, IMAP, POP3 and SMTP.

8.11.1. Configuration on the Steelhead appliances

8.11.1.1. Obtain an SSL license

To be able to optimize SSL encrypted traffic, SSL licenses are required to enable this feature. You can request them for free from the Riverbed Support website.

8.11.1.2. Configuring SSL peering

This is described in the SSL Secure Peering section in the Operational Related Issues chapter.

8.11.1.3. Server Certificate and Server Private Key

To be able to optimize traffic towards an SSL server, you will need to obtain the SSL certificate and the SSL private key of the server.

In this scenario, the company Example Dot Com has a Root CA and an intermediate CA. To get this working the server-side Steelhead appliance needs to know about the CA certificate, the intermediate CA certificate and the server private key and certificate.

8.11.1.3.1. Import of the server private key and certificate with the issuer certificate missing.

If the issuer certificate of the server certificate is not known on the Steelhead appliance, then you need to obtain that issuer certificate too.

Figure 8.47. Missing issuer certificate during the import of the server key and certificate

webasd[7055]: [web.INFO]: web: User admin viewing setupServiceProtocolsSSLMain page. 
sport[7402]: [sport/mgmt/ssl.INFO] - {- -} getting SSL discovered servers information 
sport[7402]: [sport/mgmt/ssl.INFO] - {- -} getting SSL bypassed servers information 
webasd[7055]: [web.NOTICE]: web: user admin: SSL ACTION: /rbt/sport/ssl/action/server_cert \
    s/add_import; PARAMETERS: name = , exportable = true 
mgmtd[3958]: [mgmtd.INFO]: while importing www.example.com: code 20 at 0 depth lookup: una \
    ble to get local issuer certificate  
mgmtd[3958]: [mgmtd.INFO]: /C=AU/ST=NSW/L=Sydney/O=Example Dot Com/OU=Webserver Department \
    /CN=www.example.com/emailAddress=www@example.com 
mgmtd[3958]: [mgmtd.INFO]: EVENT:  /rbt/sport/ssl/event/change/backend_server 
sport[7402]: [sport/mgmt/ssl.INFO] - {- -} dyn config modify/add SSL server certificate [w \
    ww.example.com]. 
sport[7402]: [sslmodule.INFO] - {- -} Added a certificate with name "www.example.com" 
mgmtd[3958]: [mgmtd.NOTICE]: Server certificate "www.example.com" added successfully. 
mgmtd[3958]: [mgmtd.INFO]: verification failed: code 20 at 0 depth lookup: unable to get l \
    ocal issuer certificate  
mgmtd[3958]: [mgmtd.INFO]: /C=AU/ST=NSW/L=Sydney/O=Example Dot Com/OU=Webserver Department \
    /CN=www.example.com/emailAddress=www@example.com 
mgmtd[3958]: [mgmtd.NOTICE]: But the certificate did not pass verification, so if the actu \
    al backend server uses the same certificate, the appliance might not be able to connec \
    t to it. Additional Certificate Authorities might be needed. 
mgmtd[3958]: [mgmtd.NOTICE]: To avoid potential verification problems at clients (eg, brow \
    ser pop-up warnings), additional/correct chain certificates might be needed.  
webasd[7055]: [web.INFO]: web: Received return code 0, return message 'Server certificate  \
    "www.example.com" added successfully.\nBut the certificate did not pass verification,  \
    so if the actual backend server uses the same certificate, the appliance might not be  \
    able to connect to it. Additional Certificate Authorities might be needed.\nTo avoid p \
    otential verification problems at clients (eg, browser pop-up warnings), additional/co \
    rrect chain certificates might be needed.\n' from gclSession pygs_handle_any_response 
webasd[7055]: [web.INFO]: web: User admin viewing setupServiceProtocolsSSLMain page. 

To see which issuer certificate is missing, use the command show protocol ssl server-cert:

Figure 8.48. Output of the command "show protocol ssl server-cert"

SSH # show protocol ssl server-cert name www.example.com
Name: www.example.com
Exportable: yes

Certificate Details:
Issued To:
  Common Name:       www.example.com
  Organization:      Example Dot Com
  Locality:          Sydney
  State:             NSW
  Country:           AU
  Serial Number:     1 (0x1)
Issued By:
  Common Name:       Example Dot Com Intermediate Certificate
  Organization:      Example Dot Com
  State:             NSW
  Country:           AU
Validity:
  Issued On:         Aug  5 08:08:44 2012 GMT
  Expires On:        Aug  5 08:08:44 2013 GMT
Fingerprint:
  SHA1:              FB:C5:FF:07:81:08:7D:DF:A8:40:6B:68:15:03:47:63:89:F8:72:2C
Key:                 
  Type:              RSA
  Size (Bits):       4096

No chain certificates.

This shows that we don't have the certificate of the issuer Example Dot Com Intermediate Certificate.

8.11.1.3.2. Import of the server private key and certificate with the intermediate certificate available but the Root CA certificate missing

If the issuer certificate of the server certificate is known on the Steelhead appliance, but the CA Root certificate is not known, then you need to obtain that CA Root certificate too.

Figure 8.49. Missing Root CA certificate missing but intermediate certificate is there

webasd[7055]: [web.INFO]: web: User admin viewing setupServiceProtocolsSSLCAs page. 
webasd[7055]: [web.NOTICE]: web: user admin: SSL ACTION: /rbt/sport/ssl/action/server_cert \
    s/add_import; PARAMETERS: name = , exportable = true 
mgmtd[3958]: [mgmtd.INFO]: while importing www.example.com: code 2 at 1 depth lookup: unab \
    le to get issuer certificate  
mgmtd[3958]: [mgmtd.INFO]: /C=AU/ST=NSW/L=Sydney/O=Example Dot Com/CN=Example Dot Com Inte \
    rmediate Certificate/emailAddress=intca@example.com 
mgmtd[3958]: [mgmtd.INFO]: EVENT:  /rbt/sport/ssl/event/change/backend_server 
sport[7402]: [sport/mgmt/ssl.INFO] - {- -} dyn config modify/add SSL server certificate [w \
    ww.example.com]. 
sport[7402]: [sslmodule.INFO] - {- -} Added a certificate with name "www.example.com" 
mgmtd[3958]: [mgmtd.NOTICE]: Server certificate "www.example.com" added successfully. 
mgmtd[3958]: [mgmtd.INFO]: verification failed: code 2 at 1 depth lookup: unable to get is \
    suer certificate  
mgmtd[3958]: [mgmtd.INFO]: /C=AU/ST=NSW/L=Sydney/O=Example Dot Com/CN=Example Dot Com Inte \
    rmediate Certificate/emailAddress=intca@example.com 
mgmtd[3958]: [mgmtd.NOTICE]: But the certificate did not pass verification, so if the actu \
    al backend server uses the same certificate, the appliance might not be able to connec \
    t to it. Additional Certificate Authorities might be needed. 
mgmtd[3958]: [mgmtd.NOTICE]: Certificate Authority "Example_Dot_Com_Intermediate_CA" autom \
    atically added to the certificate chain. To avoid potential verification problems at c \
    lients (eg, browser pop-up warnings), additional/correct chain certificates might be n \
    eeded.  
webasd[7055]: [web.INFO]: web: Received return code 0, return message 'Server certificate  \
    "www.example.com" added successfully.\nBut the certificate did not pass verification,  \
    so if the actual backend server uses the same certificate, the appliance might not be  \
    able to connect to it. Additional Certificate Authorities might be needed.\nCertificat \
    e Authority "Example_Dot_Com_Intermediate_CA" automatically added to the certificate c \
    hain.\nTo avoid potential verification problems at clients (eg, browser pop-up warning \
    s), additional/correct chain certificates might be needed.\n' from gclSession pygs_han \
    dle_any_response 
webasd[7055]: [web.INFO]: web: User admin viewing setupServiceProtocolsSSLMain page. 

The difference here is that the string Certificate Authority "Example_Dot_Com_Intermediate_CA" automatically added to the certificate chain has been added, which shows that the issuer of the server certificate is known.

Again, the command show protocol ssl server-cert can be used to see which one is expected:

Figure 8.50. Output of the command "show protocol ssl server-cert" for a chained certificate

SSH # show protocol ssl server-cert name www.example.com
Name: www.example.com
Exportable: yes

Certificate Details:
Issued To:
  Common Name:       www.example.com
  Organization:      Example Dot Com
  Locality:          Sydney
  State:             NSW
  Country:           AU
  Serial Number:     1 (0x1)
Issued By:
  Common Name:       Example Dot Com Intermediate Certificate
  Organization:      Example Dot Com
  State:             NSW
  Country:           AU
Validity:
  Issued On:         Aug  5 08:08:44 2012 GMT
  Expires On:        Aug  5 08:08:44 2013 GMT
Fingerprint:
  SHA1:              FB:C5:FF:07:81:08:7D:DF:A8:40:6B:68:15:03:47:63:89:F8:72:2C
Key:                 
  Type:              RSA
  Size (Bits):       4096

Chain certificates:
  Name  (Issued To)
  DF095A93A56EA5A63C9286673A84AB22  (Example Dot Com Intermediate Certificate)

SSH # show protocol ssl server-cert name www.example.com chain-cert DF095A93A56EA5A63C9286 \
    673A84AB22 certificate 
Issued To:
  Common Name:       Example Dot Com Intermediate Certificate
  Organization:      Example Dot Com
  State:             NSW
  Country:           AU
  Serial Number:     1 (0x1)
Issued By:
  Common Name:       Example Dot Com Root Certificate
  Organization:      Example Dot Com
  Locality:          Sydney
  State:             NSW
  Country:           AU
Validity:
  Issued On:         Aug  5 08:01:14 2012 GMT
  Expires On:        Aug  5 08:01:14 2013 GMT
Fingerprint:
  SHA1:              C3:D8:46:D6:A3:5B:F7:7D:1E:2E:C4:E9:DC:89:1D:AD:AF:4E:95:2F
Key:                 
  Type:              RSA
  Size (Bits):       4096

This shows that we don't have the certificate of the issuer Example Dot Com Root Certificate.

8.11.1.3.3. Import of the server private key and certificate with the intermediate certificate and Root CA certificate available

Figure 8.51. Successful import of the server certificate

webasd[7055]: [web.NOTICE]: web: user admin: SSL ACTION: /rbt/sport/ssl/action/server_cert \
    s/add_import; PARAMETERS: name = , exportable = true 
mgmtd[3958]: [mgmtd.INFO]: EVENT:  /rbt/sport/ssl/event/change/backend_server 
sport[7402]: [sport/mgmt/ssl.INFO] - {- -} dyn config modify/add SSL server certificate [w \
    ww.example.com]. 
sport[7402]: [sslmodule.INFO] - {- -} Added a certificate with name "www.example.com" 
mgmtd[3958]: [mgmtd.NOTICE]: Server certificate "www.example.com" added successfully. 
mgmtd[3958]: [mgmtd.NOTICE]: Certificate Authority "DF095A93A56EA5A63C9286673A84AB22" auto \
    matically added to the certificate chain.  
webasd[7055]: [web.INFO]: web: Received return code 0, return message 'Server certificate  \
    "www.example.com" added successfully.\nCertificate Authority "DF095A93A56EA5A63C928667 \
    3A84AB22" automatically added to the certificate chain.\n' from gclSession pygs_handle \
    _any_response 
webasd[7055]: [web.INFO]: web: User admin viewing setupServiceProtocolsSSLMain page. 
sport[7402]: [sport/mgmt/ssl.INFO] - {- -} getting SSL discovered servers information 
sport[7402]: [sport/mgmt/ssl.INFO] - {- -} getting SSL bypassed servers information 

8.11.1.4. Configure an in-path rule with SSL pre-optimization

In the GUI of the client-side Steelhead appliance, add an in-path rule towards the SSL server with SSL as the Pre-optimization Policy:

Figure 8.52. SSL Pre-optimization in-path rule

SSL Pre-optimization in-path rule

No change is needed on the server-side Steelhead appliance, as the peering rules will take care of it.

8.11.2. Test the optimization of the SSL pre-optimization

8.11.2.1. Test the optimization of the SSL session

If the SSL pre-optimization is working, after the setup of the TCP session data reduction should be seen and the server should show up as discovered in the SSL discovery list:

Figure 8.53. SSL discovery list

SSH # show protocol ssl backend disc-table
Discovered servers:
   # Server Name               IP              Port  Certificate Name           
---- ------------------------- --------------- ----- -------------------------  
   1 www.example.com           192.168.1.1     443   www.example.com