You can test and troubleshoot the PCA servers in your SSL pool.
The following utilities are available to help you troubleshoot your SSL pool.
Header | Header |
---|---|
Memping |
Pings the PCA server using the IP address and port number that is displayed. |
Memstats |
Displays statistics from the listed PCA server. |
Memflush |
Warning: Data is lost when you run this utility. It is recommended to contact Support before you use the
Memflush utility.Flushes all of the stored SSL session information from the PCA server cache. |
Symptoms
When visitors to your web application use SSL through Firefox 3 and then stop, after they resume their session, hits are not captured by the PCA. It is because of the Firefox default support of this SSL extension.
When the Firefox browser negotiates the SSL handshake with your web server to resume the session, the browser is expecting that the server supplies a 32-byte SSL unique session identifier back to the client browser.
- The intention of the feature is to reuse SSL session key information and reduce SSL usage in later SSL sessions.
Since Tealeaf does not support this SSL extension, it has no awareness of this 32-byte SSL identifier. Without this ID, the PCA is unable to decrypt any further SSL traffic by using the ID in resumed SSL sessions.
In the following examples, you can see how session identifiers are delivered to the visitor who is resuming a session in Firefox 3 versus Internet Explorer.
For Firefox:
SSL cipher used: Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Session ID Length: 0
For IE:
SSL cipher used: Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Session ID Length: 32
Session ID: 2FD9AAAEE999B2EA3DEF8FA005CD0CDD3D6EAE62E05E4975...
As you can see above, the Firefox SSL session ID length is 0, providing no usable value.
This new SSL TLSv1 protocol extension for stateless session resumption, which is known as SessionTicket extension, encrypts the SSL state information such as the SSL session identifier into a "ticket" package that both the client browser and server must use.
Currently, Firefox is the only browser using this extension by default. For acceptance of this extension, the server must support it as well.
To Fix
Currently, the only method to address the issue is to disable use of this SSL extension at the web server or web proxy.
To circumvent the issue as an individual user, you can disable the use of this extension through Firefox.
- In the Firefox menu, select Tools > Options > Advanced > Encryption tab.
- In the Protocols section, clear the Use TLS 1.0 check box.
- Select the Use SSL 3.0 check box.
- Click OK and save your changes.
If your proxy server manages the SSL processing, you can disable use of the SSL TLSv1 SessionTicket extension feature at the proxy. Refer to the documentation that came with your proxy server product.
Apache Web Servers
Depending on the version of Apache, this feature can be enabled by default. The latest Apache mod_ssl uses openSSL 9.8j or later, which enables this TLS SessionTicket extension by default.
To disable:
- On the web server machine, edit
/usr/local/apache2/conf/httpd.conf
. - Add the following snippet to the corresponding location in the file:
SSLEngine on SSLOptions +StrictRequire <Directory /> SSLRequireSSL </Directory> SSLProtocol +all -TLSv1 -SSLv3 SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM:!DH
Note: In the above, the!DH
reference removes the Diffie-Hellman encryption algorithm, which is required for all Tealeaf solutions. - Save the file.
- Restart the Apache service.
For more information, see http://www.securityfocus.com/infocus/1818.
Non-Apache Web Servers
Most web servers do not provide an easy method of disabling use of the extension. You can be able to disable this extension by disabling the use of TLS 1.0 through the web server configuration options. For specific details, consult the product documentation.