FortiOS Load Balancing with SSL Offload and SSL_ERROR_MISSING_EXTENDED_MASTER_SECRET
I recently set up a VIP (Virtual IP) server load balancer on a FortiGate 300D firewall which balances traffic between several HTTP/API servers, using SSL offload on the FortiGate.
Aside from the benefit in performance of SSL offload, the other obvious reason is to avoid having to maintain a certificate on several servers and update them each time they expire. You only need to update the certificate once, on the firewall or load balancer.
My setup looked roughly like this:
*Public addresses have been replaced by 192.0.2.1/20
The configuration I had was causing Firefox and Chrome to intermittently report Secure Connection Failed - SSL_ERROR_MISSING_EXTENDED_MASTER_SECRET. This could be replicated in Firefox by holding CTRL and pressing F5: every second request would produce the error page below:
After some online research I found that browsers have, in the last 9 months or so, started supporting the Extended Master Secret TLS extension (EXTENDED_MASTER_SECRET) [more on this here].
In order to resolve this on Fortinet FortiOS (at least on 5.2.5) I added the line `set ssl-client-session-state-type disable` (shown in red in the original) to my configuration, which keeps no SSL session state.
config firewall vip
    edit "WAN1-192.0.2.2-HTTPS"
        set type server-load-balance
        set extip 192.0.2.2
        set extintf "wan1"
        set server-type https
        set monitor "API-ContentCheck" "ping"
        set persistence ssl-session-id
        set extport 443
        config realservers
            edit 1
                set ip 10.8.9.11
                set port 80
            next
            edit 2
                set ip 10.8.9.12
                set port 80
            next
            edit 3
                set ip 10.8.9.13
                set port 80
            next
            edit 4
                set ip 10.8.9.14
                set port 80
            next
        end
        set ssl-certificate "mywildcardcert"
        set ssl-dh-bits 2048
        set ssl-min-version tls-1.0
        set ssl-client-renegotiation secure
        set ssl-client-session-state-type disable
    next
end
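To see why only every second request failed: RFC 7627 requires a client that negotiated the Extended Master Secret extension on its full handshake to abort any resumption whose ServerHello does not echo that extension, which is why forcing a full handshake every time (no cached session state) makes the error go away. The Python below is an added example, not code from the original post or from Fortinet: it builds two constructed ServerHello records (a full handshake with EMS, then a resumption of the same session ID without it) and applies that client-side check; the function names and sample bytes are my own.

```python
import struct

EXTENDED_MASTER_SECRET = 0x0017  # TLS extension type registered by RFC 7627

def build_server_hello(session_id: bytes, ems: bool) -> bytes:
    """Build a constructed TLS 1.2 ServerHello record (sample data, not a real capture)."""
    exts = struct.pack("!HH", EXTENDED_MASTER_SECRET, 0) if ems else b""
    exts += struct.pack("!HH", 0xFF01, 1) + b"\x00"  # empty renegotiation_info
    hello = (struct.pack("!H", 0x0303) + b"\x11" * 32            # version, server random
             + bytes([len(session_id)]) + session_id              # session ID
             + struct.pack("!H", 0xC02F) + b"\x00"                # cipher suite, null compression
             + struct.pack("!H", len(exts)) + exts)
    body = b"\x02" + len(hello).to_bytes(3, "big") + hello        # handshake type + length
    return b"\x16\x03\x03" + struct.pack("!H", len(body)) + body  # record header

def parse_server_hello(record: bytes) -> dict:
    """Return session ID, cipher suite and extension types from a ServerHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 35 + hello[34]                      # version (2) + random (32) + session ID length (1)
    session_id = hello[35:pos]
    cipher_suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 3                                  # cipher suite (2) + compression method (1)
    extensions = []
    if pos + 2 <= len(hello):
        pos, end = pos + 2, pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            extensions.append(ext_type)
            pos += 4 + ext_len
    return {"session_id": session_id, "cipher_suite": cipher_suite, "extensions": extensions}

def resumption_mismatch(first: dict, second: dict) -> bool:
    """RFC 7627 5.3: a session negotiated with EMS must be resumed with EMS, else the client aborts."""
    resumed = bool(second["session_id"]) and second["session_id"] == first["session_id"]
    return (resumed and EXTENDED_MASTER_SECRET in first["extensions"]
            and EXTENDED_MASTER_SECRET not in second["extensions"])

def check_pair(first_record: bytes, second_record: bytes) -> bool:
    """True when the second ServerHello would trigger SSL_ERROR_MISSING_EXTENDED_MASTER_SECRET."""
    return resumption_mismatch(parse_server_hello(first_record), parse_server_hello(second_record))

SESSION = bytes.fromhex("a1" * 32)                       # constructed session ID
FULL_HELLO = build_server_hello(SESSION, ems=True)       # first request: full handshake with EMS
RESUMED_HELLO = build_server_hello(SESSION, ems=False)   # second request: resumed, EMS not echoed
```

Run `check_pair(FULL_HELLO, RESUMED_HELLO)` to reproduce the failing second request; two full handshakes, or a resumption that echoes the extension, pass the check.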
All ssl-client-session-state-type settings that can be configured are explained below. The default on 5.2.5 is 'both'.
set ssl-client-session-state-type {both | count | disable | time}
both: Select to expire SSL session states when either ssl-client-session-state-max or ssl-client-session-state-timeout is exceeded, regardless of which occurs first.
count: Select to expire SSL session states when ssl-client-session-state-max is exceeded.
disable: Select to keep no SSL session states.
time: Select to expire SSL session states when ssl-client-session-state-timeout is exceeded.
More on Fortinet SSL/TLS load balancing here
Upgrading to 5.2.8 and above introduces TLS 1.2 support