VPX on SDX 22000 - 12.1 build 55.18 - SSL card going down due to unsupported ECDSA ECC Curves
Article ID: CTX289457
Description
The SSL cards on both the primary and secondary devices show as failed, after which both devices become secondary.
In the newnslog, the counter ssl_err_cardstatusdown increments.
In the packet trace, you can see the client certificate using the ECDSA ECC curve 224.
Resolution
SOLUTION:
The fix is available in 12.1 build 61.x, which is tentatively scheduled for release by mid or end of January 2021.
The fix drops SSL packets arriving at the ADC with unsupported ECC curves (i.e. ECDSA ECC curve 224), so that the SSL card does not go down.
NOTE 1: From 12.1 build 61.x onwards, a new counter (ssl_err_ssl3_client_ecdsa_primsize_not_supported) has been added to confirm whether the Citrix ADC has received an SSL packet with an unsupported ECC curve.
NOTE 2: The fix prevents the SSL card from going down on receipt of unsupported ECC curves. However, the SSL handshake between the client and the ADC will still fail because of the unsupported ECC curve. The customer therefore has to provide a client certificate with a supported ECC curve (ECDSA ECC curve 256 or 384) for the SSL handshake to succeed.
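Because the handshake still fails with a curve 224 certificate even after the fix, it is worth checking a client certificate's curve before it is deployed in front of the ADC. The following is an added example, not Citrix code: it parses the DER SubjectPublicKeyInfo of an EC key (RFC 5480, id-ecPublicKey with a namedCurve parameter) and reports whether the curve is one the article lists as supported. The curve OIDs are the standard RFC 5480 values (curve 224 is P-224 / secp224r1), and the sample inputs are constructed inside the block with placeholder points rather than taken from real certificates.

```python
"""Classify the named curve of an EC client-certificate public key.

Added example (not Citrix code). Works on a DER-encoded SubjectPublicKeyInfo
and flags any curve the article lists as unsupported on the SDX 22000 SSL
card, so a P-224 certificate can be caught before it reaches the ADC.
"""

# Curves the article says the SSL card supports (ECDSA ECC curve 256 and 384).
SUPPORTED_CURVES = {"P-256", "P-384"}

# RFC 5480 named-curve OIDs -> NIST names (standard values, not page-specific).
CURVE_OIDS = {
    "1.3.132.0.33": "P-224",
    "1.2.840.10045.3.1.7": "P-256",
    "1.3.132.0.34": "P-384",
    "1.3.132.0.35": "P-521",
}
ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"

TAG_SEQUENCE, TAG_OID, TAG_BITSTRING = 0x30, 0x06, 0x03


def _read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    """Decode DER OID content bytes into dotted form, e.g. '1.3.132.0.33'."""
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def ec_curve_name(spki_der):
    """Return the named curve of an EC SPKI, 'unknown' for an unlisted OID,
    or None when the key is not an EC key with a named curve."""
    tag, spki, _ = _read_tlv(spki_der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not a DER SubjectPublicKeyInfo")
    tag, alg, _ = _read_tlv(spki, 0)  # AlgorithmIdentifier
    if tag != TAG_SEQUENCE:
        raise ValueError("missing AlgorithmIdentifier")
    tag, alg_oid, pos = _read_tlv(alg, 0)
    if tag != TAG_OID or _decode_oid(alg_oid) != ID_EC_PUBLIC_KEY:
        return None  # RSA or another key type
    tag, params, _ = _read_tlv(alg, pos)
    if tag != TAG_OID:
        return None  # explicit/implicit curve parameters, not a namedCurve
    return CURVE_OIDS.get(_decode_oid(params), "unknown")


def is_supported_curve(spki_der):
    """True only when the certificate's curve is one the SSL card accepts."""
    return ec_curve_name(spki_der) in SUPPORTED_CURVES


# --- Constructed sample input (placeholder points, not real keys) -----------

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append((a & 0x7F) | 0x80)
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def _der(tag, content):
    n = len(content)
    if n < 128:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def make_sample_spki(curve_oid, coord_len):
    """Build an EC SPKI with a dummy uncompressed point (0x04 || X || Y);
    the point is not on the curve, which does not matter for curve detection."""
    alg = _der(TAG_SEQUENCE,
               _der(TAG_OID, _encode_oid(ID_EC_PUBLIC_KEY)) +
               _der(TAG_OID, _encode_oid(curve_oid)))
    point = b"\x04" + b"\x11" * (2 * coord_len)
    return _der(TAG_SEQUENCE, alg + _der(TAG_BITSTRING, b"\x00" + point))


if __name__ == "__main__":
    for name, oid, coord in (("P-224", "1.3.132.0.33", 28),
                             ("P-256", "1.2.840.10045.3.1.7", 32),
                             ("P-384", "1.3.132.0.34", 48)):
        spki = make_sample_spki(oid, coord)
        verdict = "OK" if is_supported_curve(spki) else "UNSUPPORTED on SDX 22000 SSL card"
        print(f"{name}: detected {ec_curve_name(spki)} -> {verdict}")
```

For a real certificate, the SPKI can be obtained with `openssl x509 -pubkey -noout` and base64-decoded from the resulting PUBLIC KEY PEM block; the parser only reads the AlgorithmIdentifier, so the key bytes themselves are never interpreted, and a key with explicit curve parameters or a non-EC key is reported as None rather than mis-classified.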
WORK-AROUND:
To delay the HA failover caused by the SSL card going down on receipt of unsupported ciphers, badsslcard_failoverlimit (the number of failed SSL cards that triggers a failover) can be increased through nsapimgr.
The default value for the limit is 2.
Note: This is not a fix, but it can be used as a workaround to delay the failover.
The commands below can be used to achieve this.
From the shell prompt:
To check the number of SSL cards present on the Citrix ADC:
> stat ssl
exec: stat ssl
SSL Summary
# SSL cards present 16
# SSL cards UP 16
To check the current limit:
root@ns1# nsapimgr -d allvariables | grep badsslcard_failoverlimit
badsslcard_failoverlimit: 2
To change the limit:
root@ns1# nsapimgr -ys badsslcard_failoverlimit=<number of bad SSL cards to tolerate before the HA failover is triggered>
Ex: root@ns1# nsapimgr -ys badsslcard_failoverlimit=5
The above command will not trigger the HA failover until 5 SSL cards have gone DOWN.
To verify that the change is applied:
root@ns1# nsapimgr -d allvariables | grep badsslcard_failoverlimit
badsslcard_failoverlimit: 5
Problem Cause
Working as per design. The SSL Cavium card on the SDX 22000 does not support the ECDSA curve 224; it supports the 256 and 384 ECC curves.