If you temporarily issue the command
(conf t) no protocol backend server verify
(verify is hidden)
If the problem goes away it shows the CA certificate is not being trusted by the SSH for some reason. Please remember to take the command straight off again, as the SH will trust anything during that period.
Hi again Ken
The command only changes the way the SH shakes hands with the backend server, so it is only SSH that needs it. Basically it will trust any certificate signed by CAs that it has never heard of. My thinking is to use it to find out if it is a trust issue or something more complex within TLS. My only concern is that it is inconsistent. However, it will tell us something.
I can’t think of any problems that it will cause.
However, are you going through a load balancer? That might be why it works sometimes and not others. The SSL may be terminated there, as opposed to the server itself. As such we could get different results.
Hi all, thanks for your help.
A little more info.
Using ssl-connect, I'm able to discern that TLSv1.1 and TLSv1.2 give us the above error - 'wrong version number'.
Now we are using RIOS 9.2. Does this version support/try TLSv1 or SSLv3 by default?
On an earlier RIOS version I'm seeing that optimisation works still.
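To reproduce the ssl-connect probing described above from any host with OpenSSL, here is an added example (not from the thread or from Riverbed) that tries each protocol version with openssl s_client and classifies the result, separating a "wrong version number" mismatch from a handshake that completes but whose chain is not trusted. The hostname and port are placeholders; the sample s_client output strings are constructed.

```sh
#!/bin/sh
# Classify the text openssl s_client prints after a handshake attempt.
# Prints one of: wrong_version, ok, cert_untrusted, handshake_failed
classify_handshake() {
  case "$1" in
    *"wrong version number"*)        echo wrong_version ;;    # peer spoke a different TLS/SSL version
    *"Verify return code: 0 (ok)"*)  echo ok ;;               # handshake and chain validation succeeded
    *"Verify return code: "*)        echo cert_untrusted ;;   # handshake ok, chain not trusted (e.g. code 19/20/21)
    *)                               echo handshake_failed ;; # no handshake at all, or option not built into OpenSSL
  esac
}

# Try one protocol version flag against host:port and print the classification.
probe_version() {
  host=$1; port=$2; flag=$3
  out=$(printf '' | openssl s_client -connect "$host:$port" "$flag" 2>&1)
  printf '%-9s %s\n' "$flag" "$(classify_handshake "$out")"
}

# Probe every version the backend might negotiate; a server (or a load balancer
# terminating TLS in front of it) that answers only some of them explains
# intermittent failures. Usage: probe_all backend.example.invalid 443
probe_all() {
  for flag in -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3; do
    probe_version "$1" "$2" "$flag"
  done
}

# Constructed sample s_client output, so the classifier can be exercised offline.
SAMPLE_WRONG_VERSION='error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:332:'
SAMPLE_OK='Verify return code: 0 (ok)'
SAMPLE_UNTRUSTED='Verify return code: 21 (unable to verify the first certificate)'
```

Run `probe_all <host> <port>` against the backend from a machine that sits where the server-side SteelHead does; if the load balancer and the real server answer differently, the two probe runs will show it.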
This is from the 9.2 release notes. The first point seems relevant. BTW, thanks, I forgot about the SSL CONNECT command.
- TLS 1.2 Support - Transport Layer Security (TLS) 1.2 is enabled by default and upon upgrade for client-side and server-side SteelHeads for improved security.
- OpenSSL 1.0.2 Support - The SteelHead support for the SSL protocol stack is based on OpenSSL 1.0.2. This version includes support for Camellia ciphers, krb5 ciphers, and ECDHE cipher negotiation.
- SafeNet Hardware Security Module (HSM) Support for SSL Certificates - You can store proxy private keys and certificates on SafeNet Luna HSM devices for SSL optimization.
- SHA2 Support for Proxy Certificate - The SteelHead uses SHA-512 for proxy certificate signature hash.
- Subject Alternative Name (SAN) with SSL Proxy Certificate - Includes Subject Alternative Name field checking when the SteelHead returns a proxy certificate.