Exinda Network Orchestrator 4 Settings | 481
before the server with the same IP and port number (but without an SNI) can be deleted.
2. In the confirmation dialog, click OK. The server is deleted.
To troubleshoot a disabled SSL Acceleration Server
If the server is disabled, check the status message in the SSL Acceleration Servers list or the Remote SSL Acceleration Servers
list. The list gives feedback on why the server is disabled: for example, the certificate validation failed or the OCSP
validation failed.
To isolate the problem, relax the certificate validation one step at a time. For example, turn off OCSP validation
and see what happens. Then turn off or broaden the certificate validation, such as using ANY or ANY-CA, and see what
happens. You can also use the openssl client to check the SSL handshake (the -ssl3 and -tls1 flags select the protocol
version to test; -servername sends the SNI):
openssl s_client -state -msg -connect <ip:port> -ssl3 -showcerts
openssl s_client -connect <ip:port> -tls1 -showcerts -servername <server-name>
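The troubleshooting steps above leave you reading openssl s_client output by hand. The following added example (not part of the Exinda manual) parses that output, walks the certificate chain the server presented and maps the OpenSSL verify result code to the next relaxation step the manual suggests. The sample output is constructed; the verify codes are OpenSSL's standard X509 codes, while the wording of each recommended step is an assumption of this example.

```python
import re
# Constructed s_client -showcerts output (not a real capture): leaf signed by an unknown internal CA.
SAMPLE = """\
depth=1 CN = Internal Root CA
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=0 CN = app.example.internal
verify return:1
---
Certificate chain
 0 s:CN = app.example.internal
   i:CN = Internal Root CA
 1 s:CN = Internal Root CA
   i:CN = Internal Root CA
---
Verify return code: 19 (self signed certificate in certificate chain)
---
"""

# Standard OpenSSL X509 verify codes mapped to the staged relaxation the manual
# describes (strict -> ANY-CA -> ANY); the wording of each step is an assumption.
NEXT_STEP = {
    0: "chain verifies: if the server is still disabled, check OCSP (add -status) or the SNI",
    10: "certificate expired: renew it; relaxing validation is not a safe fix",
    18: "self-signed leaf: import it as trusted or relax to ANY",
    19: "self-signed CA in chain: import the CA or relax to ANY-CA",
    20: "issuer not in local store: import the issuing CA or relax to ANY-CA",
    21: "leaf unverifiable: server sends no intermediate; install the full chain",
    62: "hostname mismatch: the SNI (-servername) does not match the certificate",
}

def parse_s_client(output):
    """Return the chain as (subject, issuer) pairs plus the final verify code and reason."""
    chain = re.findall(r"^\s*\d+ s:(.+)\n\s*i:(.+)$", output, re.M)
    m = re.search(r"Verify return code: (\d+) \((.*)\)", output)
    return {"chain": [(s.strip(), i.strip()) for s, i in chain],
            "verify_code": int(m.group(1)) if m else None,
            "verify_reason": m.group(2) if m else None}

def diagnose(output):
    """Map one s_client run to the next troubleshooting step from the manual."""
    info = parse_s_client(output)
    code, chain = info["verify_code"], info["chain"]
    if code is None:  # no verify line: the handshake never completed
        return "no verify result: check ip:port, the protocol flag and -servername"
    # Chain walk: the last cert sent should be self-issued; if not and no issuer was found locally, the chain is incomplete.
    if chain and chain[-1][0] != chain[-1][1] and code in (20, 21):
        return NEXT_STEP[21]
    return NEXT_STEP.get(code, f"verify code {code}: {info['verify_reason']}")
```

Pipe the real s_client output into diagnose() (for example via sys.stdin.read()) to get the same classification for a live server.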
How SSL Protocol Acceleration Works
How SSL works
SSL is the standard protocol for establishing a secure encrypted link between a remote application server and the client
Web browser on the local user computer. The SSL protocol secures each session link by automatically establishing
connections on-demand using standards-based protocols, encryption techniques, and certificate exchange.
SSL encryption requires a certificate on the server to authenticate the identity of a server. A certificate is an electronic
confirmation that you, as the owner of a public key, are who you claim to be, and that you hold the private key
corresponding to the public key in the certificate.
You obtain this certificate by generating a certificate and sending a certificate signing request containing your public key
to a Certificate Authority (CA). The CA checks with a registration authority to verify your identity, then signs and returns
the certificate. You then upload the signed certificate and public key onto the server.
When a client browser visits a web site hosted on the server over HTTPS, the server offers the signed certificate and
public key. The client browser verifies that the certificate is valid for the site that is being visited and that it has not
expired. Then it will verify the chain of trust by looking at who has signed the certificate:
If the certificate is a root-certificate, it will compare it against the ones shipped with the OS or browser.
If it is a non-root-certificate, it will follow the chain of trust up each level until reaching a root-certificate.
Now the server holds the private key and the client holds the public key, effectively creating a private encrypted tunnel that
allows them to communicate by encrypting and decrypting the traffic between them. When the session is
over, the connection is automatically terminated.
There are other certificate signing options
You can create a self-signed certificate, where the certificate has signed itself and therefore there is no chain of trust. The
browser will issue a warning, telling the user that the site certificate cannot be verified. To continue, the user will have to
confirm that they trust the site. When the browser visits this site again later, the warning will not be presented again,
since the user has already confirmed their trust of the site. In an alternative use case, the company that created the
self-signed certificate provides the certificate to the client users and tells them to load it into their browsers.
This is equivalent to confirming trust when the warning is shown. Using self-signed certificates is reasonable in
situations where you want encryption but do not need third-party verification, such as an internal system where
you want your internal users to have password protection; because the clients and the server are behind a firewall,
you do not need the third-party verification.
You can create your own self-signed CA certificate for signing other certificates. In this case, the certificates that your
self-signed CA certificate signs will have no chain of trust. Similar to self-signed certificates, using your own self-signed CA