Client Cert Authentication Failure
Hello,
LTM with version 10.2.2 build 930.0. I am using a Client SSL profile with client authentication set to "require". The client has a cert that was signed by a CA I created and is installed in the ssl.crt folder on the LTM. I'm using the iRule below to check the CN and O of the presented client cert.
when RULE_INIT {
    set ::org "O= my company here"
}
when CLIENTSSL_CLIENTCERT {
    # Check if client provided a cert
    if { [SSL::cert 0] eq "" } {
        # Reset the connection
        reject
    } else {
        # Example Subject DN: /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith
        set subject_dn [X509::subject [SSL::cert 0]]
        log "Client Certificate Received: $subject_dn"
        # Check if the client certificate contains the correct O and a CN from the list
        # ($::CFA_devtst_auth_cn_list is a data group / class defined outside this iRule)
        if { ([matchclass $subject_dn contains $::CFA_devtst_auth_cn_list]) and ($subject_dn contains $::org) } {
            # Accept the client cert
            log "Client Certificate Accepted: $subject_dn"
        } else {
            log "No Matching Client Certificate Was Found Using: $subject_dn"
            reject
        }
    }
}
This iRule seems to work perfectly. However, from the logs below, please note the immediate handshake failure at 11:10:10 (perhaps because the LTM is waiting for the client cert to be offered?) and then the "unable to get local issuer certificate" error followed by the connection error "ssl_shim_....". Right after that, the iRule confirms the O and CN values match. Any thoughts on why the LTM doesn't see the signing CA to validate the client cert?
Tue Oct 16 11:10:10 EDT 2012 info local/tmm tmm[4861] 01260013 SSL Handshake failed for TCP from 10.19.55.171:443 to 208.200.11.110:47018
Tue Oct 16 11:10:14 EDT 2012 debug local/tmm tmm[4861] 01260006 Peer cert verify error: unable to get local issuer certificate (depth 0; cert /C=US/ST=Virginia/L=Charlottesville/O=CFA Institute/OU=IT Operations/CN=cfa-devtst-auth.cfainstitute.org)
Tue Oct 16 11:10:14 EDT 2012 debug local/tmm tmm[4861] 01260009 Connection error: ssl_shim_vfycert:2368: unable to get local issuer certificate (42)
Tue Oct 16 11:10:14 EDT 2012 info local/tmm tmm[4861] 01220002 Rule Stage_Pearson : Client Certificate Received: CN=cfa-devtst-auth.cfainstitute.org,OU=IT Operations,O=CFA Institute,L=Charlottesville,ST=Virginia,C=US
Tue Oct 16 11:10:14 EDT 2012 info local/tmm tmm[4861] 01220002 Rule Stage_Pearson : Client Certificate Accepted: CN=cfa-devtst-auth.cfainstitute.org,OU=IT Operations,O=CFA Institute,L=Charlottesville,ST=Virginia,C=US
Tue Oct 16 11:10:14 EDT 2012 info local/tmm tmm[4861] 01260013 SSL Handshake failed for TCP from 10.19.55.171:443 to 208.200.11.110:47185
Tue Oct 16 11:10:14 EDT 2012 debug local/tmm tmm[4861] 01260009 Connection error: ssl_shim_vfycert:2368: application verification failure (42)
Tue Oct 16 11:10:14 EDT 2012 info local/tmm tmm[4861] 01260013 SSL Handshake failed for TCP from 10.19.55.171:443 to 208.200.11.110:47188
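As an added illustration (not part of the post or F5's code) of the subject check the iRule performs, the Python below parses a subject DN in both layouts seen above (the slash form in the iRule comment and the comma form that X509::subject logs) and matches O and CN exactly instead of by substring; it only covers the subject check, not the issuer-chain error in the logs. The sample DNs are constructed from the strings on this page.

```python
import re

# Constructed sample DNs, copied from the two layouts shown on the page.
SLASH_DN = "/C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith"
COMMA_DN = ("CN=cfa-devtst-auth.cfainstitute.org,OU=IT Operations,"
            "O=CFA Institute,L=Charlottesville,ST=Virginia,C=US")


def parse_dn(dn):
    """Split a subject DN into (attr, value) pairs.

    Accepts both "/C=.../CN=..." and "CN=...,OU=..." layouts. A backslash
    before the separator escapes it, so "CN=a\\,b" keeps its comma.
    """
    dn = dn.strip()
    if dn.startswith("/"):
        sep, body = "/", dn[1:]
    else:
        sep, body = ",", dn
    pairs = []
    for part in re.split(r"(?<!\\)" + re.escape(sep), body):
        if not part:
            continue
        attr, _, value = part.partition("=")
        pairs.append((attr.strip().upper(), value.replace("\\" + sep, sep).strip()))
    return pairs


def cert_allowed(dn, required_org, allowed_cns):
    """Exact-match policy: exactly one O equal to required_org and exactly one
    CN that is in the allow list.

    The iRule's 'contains' tests are substring matches, so O="CFA" would also
    accept O="CFA Institute"; comparing parsed attributes avoids that.
    """
    attrs = {}
    for attr, value in parse_dn(dn):
        attrs.setdefault(attr, []).append(value)
    orgs = attrs.get("O", [])
    cns = attrs.get("CN", [])
    return orgs == [required_org] and len(cns) == 1 and cns[0] in allowed_cns
```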