Backend SSL Connection Fails on ADC due to missing extensions

Article ID: CTX228865

Description

When the ADC opens a backend connection over Secure LDAP (LDAPS, port 636/TCP), or to any other backend service listening on an SSL port, the connection fails during the SSL handshake: the server rejects the handshake after receiving the ADC's Client Hello.


Resolution

Secure renegotiation on backend connections (the RFC 5746 "renegotiation_info" extension in the Client Hello) is supported from ADC (NetScaler) release 11.1 onward. Upgrade the ADC to 11.1 or later so that its backend Client Hello carries the extension; backends that require secure renegotiation then complete the handshake.

Problem Cause

The Client Hello sent by the ADC to the backend does not include the renegotiation extension. A backend server configured to require secure renegotiation (RFC 5746) rejects such a Client Hello, so the SSL handshake fails. The quickest way to confirm this is a packet capture of the backend connection: compare the extension list of the Client Hello on a failing connection with that of a working one.

Figure 1 (without-renegotiate-ext): Client Hello from a failing connection; the renegotiation extension is missing.

Figure 2 (with-renegotiate-ext): Client Hello from a working connection; the SSL renegotiation extension is present.
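To check a captured Client Hello for the same thing the two figures show, here is an added example that is not part of the Citrix article: a small Python parser that reads a TLS Client Hello record and reports whether it carries the RFC 5746 renegotiation_info extension (type 0xff01) or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite (0x00ff), either of which signals secure-renegotiation support to the server. The two Client Hello records are constructed inline as stand-ins for the failing and working captures; the record and handshake layouts follow RFC 5246 and RFC 5746, and the cipher-suite value used for the sample is an arbitrary choice.

```python
"""Check a TLS ClientHello for RFC 5746 secure-renegotiation signalling.

Added example: the record layouts follow RFC 5246 (TLS 1.2) and RFC 5746;
the sample ClientHellos below are constructed here, not taken from a capture.
"""
import struct

RENEGOTIATION_INFO_EXT = 0xFF01          # extension type "renegotiation_info"
EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF    # TLS_EMPTY_RENEGOTIATION_INFO_SCSV
AES128_GCM_SHA256 = 0x009C                # an ordinary cipher suite for the sample


def build_client_hello(cipher_suites, extensions, version=(3, 3)):
    """Return a TLS record (type 0x16) carrying a ClientHello.

    cipher_suites: list of 16-bit suite codes; extensions: list of (type, data).
    The random field is zeroed because only the suite and extension lists matter here.
    """
    body = bytes(version) + b"\x00" * 32 + b"\x00"          # version, random, empty session id
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                     # one compression method: null
    if extensions:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def check_secure_renegotiation(record):
    """Parse a ClientHello record and report how it signals RFC 5746 support.

    Returns the extension types seen and whether the hello carries the
    renegotiation_info extension and/or the SCSV. A backend that requires
    secure renegotiation rejects a hello where both are absent.
    """
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    off = 2 + 32                                     # skip client_version and random
    off += 1 + body[off]                             # skip session_id
    cs_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    suites = [struct.unpack("!H", body[off + i:off + i + 2])[0] for i in range(0, cs_len, 2)]
    off += cs_len
    off += 1 + body[off]                             # skip compression_methods
    ext_types = []
    if off < len(body):                              # the extensions block is optional
        ext_len = struct.unpack("!H", body[off:off + 2])[0]
        off += 2
        end = off + ext_len
        while off < end:
            ext_type, ext_data_len = struct.unpack("!HH", body[off:off + 4])
            ext_types.append(ext_type)
            off += 4 + ext_data_len
    has_ext = RENEGOTIATION_INFO_EXT in ext_types
    has_scsv = EMPTY_RENEGOTIATION_INFO_SCSV in suites
    return {
        "extensions": ext_types,
        "renegotiation_info_ext": has_ext,
        "scsv": has_scsv,
        "secure_renegotiation": has_ext or has_scsv,
    }


# Constructed stand-ins for the two captures in the article: the failing hello
# (no renegotiation signalling at all) and the working one (renegotiation_info
# present; on the initial handshake its renegotiated_connection is empty, b"\x00").
HELLO_WITHOUT_RENEG = build_client_hello([AES128_GCM_SHA256], [])
HELLO_WITH_RENEG = build_client_hello(
    [AES128_GCM_SHA256, EMPTY_RENEGOTIATION_INFO_SCSV],
    [(RENEGOTIATION_INFO_EXT, b"\x00")],
)

if __name__ == "__main__":
    for name, rec in (("without", HELLO_WITHOUT_RENEG), ("with", HELLO_WITH_RENEG)):
        print(name, check_secure_renegotiation(rec))
```

To run this against a real capture, export the TCP payload of the ADC's first record to the backend (for example from Wireshark) and pass those bytes to check_secure_renegotiation; a result with both fields false is the failing case the article describes.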

Issue/Introduction

When the ADC connects to a backend over Secure LDAP (LDAPS, port 636/TCP), the service or its monitor fails because the SSL "renegotiation" extension is missing from the Client Hello sent by the NetScaler.

Additional Information

CTX121925 - SSL Renegotiation Process and Session Reuse on ADC Appliance
CTX123680 - Configure the "-denySSLReneg" Parameter to Disable Client-Side and Server-Side SSL Renegotiation on ADC
Citrix Blog - Citrix Gateway SSL renegotiation feature