Compatibility Issues with the LoadMaster and Cisco IronPort

OpenSSL 1.0.1g included the fix for the Heartbleed vulnerability (CVE-2014-0160) but also added a new TLS padding extension (extension type 21) to the Client Hello. The extension is a workaround for broken TLS terminators: whenever the ClientHello handshake message would be between 256 and 511 bytes long, OpenSSL appends a zero-filled padding extension so that the message becomes exactly 512 bytes. As a result of this, LoadMaster-initiated SSL connections to IronPort fail during TLS negotiation.
Sample Stream
Cisco IronPort spam release (LoadMaster to IronPort on TCP port 83):
1 0.000000000 TCP 62 5825→83 [SYN] Seq=0 Win=14600 Len=0 MSS=1460 WS=128
2 0.000258000 TCP 62 83→5825 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1380 WS=8
3 0.000401000 TCP 60 5825→83 [ACK] Seq=1 Ack=1 Win=14720 Len=0
4 0.000780000 TLSv1 571 Client Hello
5 0.001061000 TCP 60 83→5825 [ACK] Seq=1 Ack=518 Win=16040 Len=0
6 0.001064000 TLSv1 61 Alert (Level: Fatal, Description: Decode Error)
7 0.001187000 TCP 60 5825→83 [ACK] Seq=518 Ack=8 Win=14720 Len=0
8 0.001261000 TCP 60 83→5825 [FIN, ACK] Seq=8 Ack=518 Win=16560 Len=0
9 0.003989000 TCP 60 5825→83 [FIN, ACK] Seq=518 Ack=9 Win=14720 Len=0
Cisco IronPort (versions before 8.0.1-108) does not handle this TLS padding extension. This is what the capture shows: the Client Hello in frame 4 carries 517 bytes of TCP payload (a 5-byte record header plus the 512-byte padded ClientHello, hence Ack=518), and instead of a Server Hello the IronPort answers in frame 6 with a fatal decode_error alert and then closes the connection. For more information on these issues, refer to the following link:
As a result of these issues, a session initiated from a client using OpenSSL 1.0.1g or above, for example a LoadMaster running version 7.1-14 or above, may fail. Clients whose Client Hello is shorter than 256 bytes are not padded and are not affected, which is why the problem can appear to be specific to the LoadMaster.
To fix this problem, upgrade IronPort to the latest firmware version (8.0.1-108 or above). Rolling the LoadMaster back to a firmware with an older OpenSSL is not a workaround, since that would also remove the Heartbleed fix.
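The following Python script is an added illustration; it is not part of the original article and is not Kemp or Cisco code. It rebuilds the OpenSSL 1.0.1g padding rule (from OpenSSL's t1_lib.c: pad the handshake message, header included, to exactly 512 bytes when it is 256 to 511 bytes long), shows that the result is the 517-byte record seen in the capture above, and models a server that treats the unknown padding extension as malformed and answers with the same 7-byte fatal decode_error alert. The hostname, the cipher list, the zero random value and the "strict parser" model of the pre-8.0.1-108 IronPort behaviour are all constructed assumptions for the example, not a description of Cisco's implementation.

```python
"""Added example: OpenSSL 1.0.1g ClientHello padding versus a strict TLS server."""
import struct

TLSEXT_SNI = 0
TLSEXT_PADDING = 21            # extension type added by OpenSSL 1.0.1g (later RFC 7685)
HANDSHAKE_CLIENT_HELLO = 1
ALERT_LEVEL_FATAL = 2
ALERT_DECODE_ERROR = 50        # the description seen in frame 6 of the capture


def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(cipher_count, hostname, padding=True):
    """TLS 1.0 record carrying a ClientHello with SNI and `cipher_count` constructed
    cipher suites. `padding=True` applies the 1.0.1g rule (SSL_OP_TLSEXT_PADDING)."""
    ciphers = b"".join(struct.pack("!H", 0xC000 + i) for i in range(cipher_count))
    sni_entry = struct.pack("!BH", 0, len(hostname)) + hostname   # name_type host_name(0)
    exts = _ext(TLSEXT_SNI, struct.pack("!H", len(sni_entry)) + sni_entry)
    hello = (b"\x03\x01" + bytes(32)          # client_version TLS 1.0, random (zeros: constructed)
             + b"\x00"                         # session_id: empty
             + struct.pack("!H", len(ciphers)) + ciphers
             + b"\x01\x00")                    # compression_methods: null only
    if padding:
        # t1_lib.c: hlen counts the 4-byte handshake header plus everything written so far
        hlen = 4 + len(hello) + 2 + len(exts)
        if 0xFF < hlen < 0x200:
            padlen = 0x200 - hlen
            padlen = padlen - 4 if padlen >= 4 else 0   # 4 bytes go to the extension header
            exts += _ext(TLSEXT_PADDING, bytes(padlen))
    hello += struct.pack("!H", len(exts)) + exts
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Return (handshake message length, [extension types]) from a ClientHello record."""
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    hs = record[5:]
    if ctype != 0x16 or rlen != len(hs):
        raise ValueError("not a well-formed handshake record")
    if hs[0] != HANDSHAKE_CLIENT_HELLO or int.from_bytes(hs[1:4], "big") != len(hs) - 4:
        raise ValueError("not a well-formed ClientHello")
    p = 4 + 2 + 32                                      # header, version, random
    p += 1 + hs[p]                                      # session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]        # cipher_suites
    p += 1 + hs[p]                                      # compression_methods
    ext_len = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    end = p + ext_len
    types = []
    while p < end:
        ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4])
        types.append(ext_type)
        p += 4 + ext_len
    return len(hs), types


def looks_padded(record):
    """Fingerprint of the 1.0.1g workaround: a ClientHello carrying extension 21,
    normally exactly 512 bytes long (517 bytes of TCP payload, as in the capture)."""
    hlen, types = parse_client_hello(record)
    return TLSEXT_PADDING in types and hlen >= 0x200


def fatal_alert_record(description):
    """5-byte record header plus a 2-byte alert: the 7 payload bytes of frame 6."""
    return struct.pack("!BHHBB", 0x15, 0x0301, 2, ALERT_LEVEL_FATAL, description)


def server_decision(record, accepted_ext_types):
    """Model (an assumption, not Cisco's code) of a server that rejects any extension
    type outside its own list, versus one that ignores unknown types as TLS expects."""
    _, types = parse_client_hello(record)
    if any(t not in accepted_ext_types for t in types):
        return ("alert", fatal_alert_record(ALERT_DECODE_ERROR))
    return ("ok", types)


if __name__ == "__main__":
    host = b"ironport.example.com"                       # constructed hostname
    padded = build_client_hello(100, host, padding=True)
    print(len(padded), looks_padded(padded), server_decision(padded, {TLSEXT_SNI})[0])
    print(len(build_client_hello(100, host, padding=False)))
```

A quick check on a real capture is to look for the same two signs: a Client Hello whose TCP payload is 517 bytes (handshake message of exactly 512) and extension type 21 in its extension list (Wireshark display filter `ssl.handshake.extension.type == 21`, or `tls.handshake.extension.type == 21` in Wireshark 3.x), followed by a fatal alert from the server instead of a Server Hello. A server that follows the TLS specification ignores extension types it does not recognise, so the strict behaviour modelled here, rather than the padding itself, is the defect that the IronPort upgrade removes.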