Release Notes for Catalyst 6500 Series Switch SSL Services Module Software Release 2.x
OL-5277-13
Limitations and Restrictions
New CLI command min-chain-length is added in SSL software release 2.1(12). (CSCsl42088)
When a trustpoint is associated with an SSL-proxy service, it is subjected to several validity checks. One such check requires that the trustpoints on the SSLM can be chained together to form a full certificate chain that terminates with a self-signed root CA certificate. The new crypto pki trustpoint subcommand min-chain-length allows this requirement to be modified. The default value of min-chain-length is zero, which means that a full certificate chain must be present. If min-chain-length is set to a nonzero value, the check passes if the chain either terminates in a root CA certificate or if the number of certificates in the chain is at least the min-chain-length value.

The min-chain-length option was introduced because an HTTPS server does not need to present a full certificate chain to a browser, because the browser can complete the chain using its preinstalled root CA certificates. In fact, it may be desirable for the server to present a partial certificate chain to support a range of browsers with varied root CA certificates. If the browser has a root CA certificate that can be used to complete the certificate chain, the server's certificate will be accepted.

This command affects the checking process only at the time that the trustpoint is associated with the service. After making a change to the min-chain-length value, you should disassociate the trustpoint from the service, and then reassociate it.
Following is an example of the min-chain-length command:
Router# config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# crypto pki trustpoint server1
Router(ca-trustpoint)# min-chain-length 3
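The following is an added example, not Cisco code and not taken from the release notes, that models the association-time check described above: it walks the issuer links from the server certificate through the trustpoints installed on the module and then applies the min-chain-length rule (pass on a self-signed root, or on a partial chain whose length reaches the configured value). Certificates are modelled by subject and issuer name only; the names, the Cert class and the function names are constructed for illustration, and no signatures are verified.

```python
"""Model of the SSLM trustpoint chain check with min-chain-length.

Constructed illustration: certificates carry only subject and issuer
names, so chain building follows name links and checks no signatures.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def is_self_signed(self) -> bool:
        # A root CA certificate is issued to itself.
        return self.subject == self.issuer


def build_chain(leaf: Cert, trustpoints: Dict[str, Cert]) -> List[Cert]:
    """Follow issuer links from the server certificate through the
    trustpoints present on the module (keyed by subject name).

    Stops at a self-signed root, or earlier when the next issuer is not
    installed (partial chain) or was already visited (loop)."""
    chain = [leaf]
    seen = {leaf.subject}
    current = leaf
    while not current.is_self_signed:
        parent = trustpoints.get(current.issuer)
        if parent is None or parent.subject in seen:
            break
        chain.append(parent)
        seen.add(parent.subject)
        current = parent
    return chain


def check_trustpoint(leaf: Cert, trustpoints: Dict[str, Cert],
                     min_chain_length: int = 0) -> Tuple[bool, str]:
    """Apply the release-note rule: with min-chain-length 0 a full chain
    ending in a root CA is required; with a nonzero value a partial chain
    of at least that many certificates is also accepted."""
    chain = build_chain(leaf, trustpoints)
    if chain[-1].is_self_signed:
        return True, (f"full chain of {len(chain)} certificates ending in "
                      f"root CA '{chain[-1].subject}'")
    if min_chain_length > 0 and len(chain) >= min_chain_length:
        return True, (f"partial chain of {len(chain)} certificates accepted "
                      f"(min-chain-length {min_chain_length})")
    return False, (f"partial chain of {len(chain)} certificates; issuer "
                   f"'{chain[-1].issuer}' is not installed on the module")


# Constructed sample data (names are placeholders, not real CAs).
ROOT = Cert("Example Root CA", "Example Root CA")
INTERMEDIATE = Cert("Example Issuing CA", "Example Root CA")
SERVER = Cert("www.example.test", "Example Issuing CA")

FULL = {c.subject: c for c in (ROOT, INTERMEDIATE, SERVER)}
PARTIAL = {c.subject: c for c in (INTERMEDIATE, SERVER)}  # root not installed


if __name__ == "__main__":
    for label, tps, mcl in (("full, default", FULL, 0),
                            ("partial, default", PARTIAL, 0),
                            ("partial, min-chain-length 2", PARTIAL, 2),
                            ("partial, min-chain-length 3", PARTIAL, 3)):
        ok, why = check_trustpoint(SERVER, tps, mcl)
        print(f"{label:30s} -> {'PASS' if ok else 'FAIL'}: {why}")
```

The partial set with min-chain-length 3 still fails because only two certificates (server and intermediate) are present, which is the case the note warns about: the value counts certificates on the module, so the check passes only when the installed chain is at least that long or reaches a root.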
Limitations and Restrictions
This section describes general limitations and restrictions for all 2.1(x) software releases:
You can install a maximum of four SSL Services Modules in a chassis.

Although Cisco IOS Release 12.1(13)E and later releases support 4096 VLANs, the SSL software supports only the normal-range VLANs (2 through 1005). Limit the SSL Services Module configuration to the normal-range VLANs.

The SSL software does not monitor the health of the real (HTTP) servers. If a real server goes into a down state, the system shows that the service status is up until the Cisco IOS software retries and fails ARP after the default timeout period.
Workaround 1: If you know that the HTTP server is down, enter the no inservice command for the corresponding SSL proxy service.
Workaround 2: If you are using the SSL Services Module with a Content Switching Module (CSM), configure health monitoring on the CSM. (CSCdy83210)

The client (SSL) and server (HTTP) connections that were bound during data transfer show up as four connections in the TCP connection table if both connections are in TIME_WAIT state. (CSCdy69930)

With an open TCP connection, when the associated SSL proxy service is deleted and configured again using the same name, the association between the SSL proxy service and the previous open TCP connection is lost. When you delete and create the same SSL proxy service, a new service ID for the same service name is created. (CSCdy68548)

When you configure private VLANs, the SSL Services Module VLAN must be different from the primary or secondary VLAN on the client or server. If the SSL Services Module VLAN is the same as the primary or secondary VLAN on the client or server, the SSL interface may drop the traffic coming from the private VLAN. (CSCdy86258)