Forum Discussion
Muhammad_Irfan1 (Cirrus)
Nov 28, 2014
Client authentication require problem
Currently my client side profile is set to request. The certificate was issued to me by CA XXX. CA XXX has a chain of three certificates: 2 intermediate and 1 root certificate. I converted those 3 CA cert...
nitass (Employee)
Nov 29, 2014
e.g.
configuration
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.10:443
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        myclientssl {
            context clientside
        }
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 3
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm profile client-ssl myclientssl
ltm profile client-ssl myclientssl {
    app-service none
    ca-file chain.crt
    cert-key-chain {
        default {
            cert default.crt
            key default.key
        }
    }
    defaults-from clientssl
    inherit-certkeychain true
    peer-cert-mode require
}
chain.crt
[root@ve11a:Active:In Sync] certificate_d perl -n0777e 'map { print "---\n"; open(CMD, "| openssl x509 -noout -subject -issuer"); print CMD; close(CMD) } /^-----BEGIN.*?^-----END.*?\n/gsm' :Common:chain.crt_39032_1
---
subject= /C=US/ST=WA/O=Acme/OU=Support/CN=ca2013.acme.com
issuer= /C=US/ST=WA/L=Seattle/O=Acme/OU=IT/CN=caroot.acme.com
---
subject= /C=US/ST=WA/L=Seattle/O=Acme/OU=IT/CN=caroot.acme.com
issuer= /C=US/ST=WA/L=Seattle/O=Acme/OU=IT/CN=caroot.acme.com
client certificate
[root@centos1 ca2013] perl -n0777e 'map { print "---\n"; open(CMD, "| openssl x509 -noout -subject -issuer"); print CMD; close(CMD) } /^-----BEGIN.*?^-----END.*?\n/gsm' certs/client2.crt
---
subject= /C=US/ST=WA/O=Acme/OU=IT/CN=client.acme.com
issuer= /C=US/ST=WA/O=Acme/OU=Support/CN=ca2013.acme.com
test1 without client certificate
[root@centos1 ca2013] curl -Ik https://172.28.24.10/
curl: (35) error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
test2 with client certificate
[root@centos1 ca2013] curl -Ik https://172.28.24.10/ --cert certs/client2.crt --key private/client2.key
HTTP/1.1 200 OK
Date: Sat, 29 Nov 2014 14:57:20 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Sun, 09 Feb 2014 08:39:51 GMT
ETag: "41879c-59-2a9c23c0"
Accept-Ranges: bytes
Content-Length: 89
Content-Type: text/html; charset=UTF-8
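As an added check that is not part of nitass's reply: the script below (constructed names; it assumes openssl is installed) builds a throwaway root, intermediate and client certificate, then tests whether a CA bundle validates the client certificate, which is what the profile's ca-file bundle has to do before peer-cert-mode is switched from request to require. It also lists subject and issuer per certificate the way the perl one-liner in the reply does, so a missing link in the bundle is visible.

```shell
# Added example, not code from the thread: root -> intermediate -> client chain
# built with openssl, then a verify check against a complete and an incomplete
# CA bundle. Names and paths are constructed for the example.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# Self-signed root CA (CA:TRUE is needed for openssl verify to accept it as a CA)
openssl req -new -newkey rsa:2048 -nodes -subj '/C=US/O=Acme/CN=caroot.example' \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 2 -sha256 -extfile ca.ext \
  -out root.crt 2>/dev/null
# Intermediate CA issued by the root
openssl req -new -newkey rsa:2048 -nodes -subj '/C=US/O=Acme/CN=ca2013.example' \
  -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 2 -sha256 -extfile ca.ext -out inter.crt 2>/dev/null
# End-entity client certificate issued by the intermediate
openssl req -new -newkey rsa:2048 -nodes -subj '/C=US/O=Acme/CN=client.example' \
  -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -in client.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -days 2 -sha256 -out client.crt 2>/dev/null

# Two candidate ca-file bundles: one complete, one missing the intermediate
cat inter.crt root.crt > chain.crt
cp root.crt root_only.crt

# Exit 0 when the client cert chains up to the bundle, non-zero otherwise
check_bundle() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Per-certificate subject/issuer listing, like the perl one-liner in the reply:
# every issuer in the bundle should appear as a subject further along the chain
walk_bundle() {
  awk '/^-----BEGIN/{n++} {print > ("part" n ".pem")}' "$1"
  for f in part*.pem; do
    echo "---"
    openssl x509 -noout -subject -issuer -in "$f"
    rm -f "$f"
  done
}

walk_bundle chain.crt
check_bundle chain.crt client.crt && echo "chain.crt: client cert verifies"
check_bundle root_only.crt client.crt || echo "root_only.crt: verify fails (intermediate missing)"
```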
Muhammad_Irfan1 (Cirrus)
Nov 29, 2014
ltm profile client-ssl Siebel-Client {
    app-service none
    authenticate once
    authenticate-depth 4
    ca-file CHecking.crt
    cert Siebel-SSL-CA1.crt
    chain CHecking.crt
    client-cert-ca CHecking.crt
    crl-file none
    defaults-from clientssl
    key Siebel-SSL-CA1.key
    peer-cert-mode request
    retain-certificate true
}
This is my client side profile. If it is changed to require, the handshake fails. The CHecking bundle contains 2 intermediate and 1 root certificate.