ringoseagull_77
Aug 17, 2010

TLS Renegotiation Extension warning after upgrade to 10.1

Since upgrading a pair of 1600s from 9.4.7 to 10.1 we are getting TLS Renegotiation Extension warnings on https pages.

Is this a known problem (I can't see anything from a search) or is it that we are only now getting reports of an already present issue since upgrading?

We are also getting warnings about mixed encrypted and unencrypted content on https pages since the upgrade, which I'm certain would have been there before but we weren't getting the notifications.

  • Have you validated your SSL VS configuration? The encrypted and unencrypted content error is always an interesting one.
  • How would I do that? BTW no VS config or web site code has changed. I have renewed a couple of SSL certs and updated the relevant client SSL profiles to get rid of some chaining issues, but they're OK now.
  • Posted By ringoseagull on 08/17/2010 07:15 AM

    How would I do that? BTW no VS config or web site code has changed. I have renewed a couple of SSL certs and updated the relevant client SSL profiles to get rid of some chaining issues, but they're OK now.

    So you're just using a Standard VS with a client-ssl profile, right? What, if any, options are enabled/disabled on the client profile?
  • hoolio

    I think it was in 10.1 that a new client SSL option for enabling/disabling SSL renegotiation was added. It should be set to disabled by default. You'll see a warning in /var/log/ltm when LTM requests/requires a client cert (based on a client SSL profile client cert setting or an iRule that calls SSL::renegotiate). If you don't enable SSL renegotiation on the client SSL profile, LTM will not renegotiate the SSL handshake.

    Is that the type of info you were looking for? If not, can you clarify?

    Also, I don't know of anything that LTM would do in 10.1 versus older 9.x versions which would cause insecure content warnings on the browser. Is it possible that the client config has changed or you're testing with a new client?

    Aaron
  • Yes, no boxes ticked in the client-ssl profile.

    Can you explain what you meant by validating SSL VS configuration?