Forum Discussion
Client Cert Authentication Failure
Hello,
LTM running version 10.2.2 build 930.0. I am using a Client SSL profile with client authentication set to "require". The client has a cert that was signed by a CA I created, and that CA is installed in the ssl.crt folder on the LTM. I'm using the iRule below to check the CN and O of the presented client cert.
when RULE_INIT {
    # Expected O= component of an acceptable client cert subject. The value is
    # the sanitised placeholder from the post; the real value must be written
    # exactly as X509::subject emits it, e.g. "O=CFA Institute" with no space
    # after the "=", or the "contains" test below can never match.
    set ::org "O=my company here"
}

when CLIENTSSL_CLIENTCERT {
    # Check if the client provided a cert
    if { [SSL::cert 0] eq "" } {
        # Reset the connection
        reject
    } else {
        # Example Subject DN: /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith
        set subject_dn [X509::subject [SSL::cert 0]]
        log "Client Certificate Received: $subject_dn"
        # Check that the subject contains the correct O and a CN from the list.
        # $::CFA_devtst_auth_cn_list is a data group (class) of permitted CNs,
        # referenced as a global as v10 matchclass requires.
        if { [matchclass $subject_dn contains $::CFA_devtst_auth_cn_list] and ($subject_dn contains $::org) } {
            # Accept the client cert
            log "Client Certificate Accepted: $subject_dn"
        } else {
            log "No Matching Client Certificate Was Found Using: $subject_dn"
            reject
        }
    }
}
This iRule seems to work perfectly. However, from the logs below, please note the immediate handshake failure at 11:10:10 (perhaps because the LTM is waiting for a client cert to be offered?), then the "unable to get local issuer certificate" error followed by the connection error "ssl_shim_....". Right after that, the iRule confirms the O and CN values match. Any thoughts on why the LTM doesn't see the signing CA to validate the client cert?
Tue Oct 16 11:10:10 EDT 2012 info local/tmm tmm[4861] 01260013 SSL Handshake failed for TCP from 10.19.55.171:443 to 208.200.11.110:47018
Tue Oct 16 11:10:14 EDT 2012 debug local/tmm tmm[4861] 01260006 Peer cert verify error: unable to get local issuer certificate (depth 0; cert /C=US/ST=Virginia/L=Charlottesville/O=CFA Institute/OU=IT Operations/CN=cfa-devtst-auth.cfainstitute.org)
Tue Oct 16 11:10:14 EDT 2012 debug local/tmm tmm[4861] 01260009 Connection error: ssl_shim_vfycert:2368: unable to get local issuer certificate (42)
Tue Oct 16 11:10:14 EDT 2012 info local/tmm tmm[4861] 01220002 Rule Stage_Pearson : Client Certificate Received: CN=cfa-devtst-auth.cfainstitute.org,OU=IT Operations,O=CFA Institute,L=Charlottesville,ST=Virginia,C=US
Tue Oct 16 11:10:14 EDT 2012 info local/tmm tmm[4861] 01220002 Rule Stage_Pearson : Client Certificate Accepted: CN=cfa-devtst-auth.cfainstitute.org,OU=IT Operations,O=CFA Institute,L=Charlottesville,ST=Virginia,C=US
Tue Oct 16 11:10:14 EDT 2012 info local/tmm tmm[4861] 01260013 SSL Handshake failed for TCP from 10.19.55.171:443 to 208.200.11.110:47185
Tue Oct 16 11:10:14 EDT 2012 debug local/tmm tmm[4861] 01260009 Connection error: ssl_shim_vfycert:2368: application verification failure (42)
Tue Oct 16 11:10:14 EDT 2012 info local/tmm tmm[4861] 01260013 SSL Handshake failed for TCP from 10.19.55.171:443 to 208.200.11.110:47188
5 Replies
- What_Lies_Bene1 (Cirrostratus)
Have you actually installed the CA certificate using the GUI: Local Traffic > SSL Certificates > Import?
- nvv_109301 (Nimbostratus)
The CA was not installed via the GUI; the crt and key files were laid down from the command line over ssh. They show up in the GUI, but are they somehow not 'registered' with the LTM?
- What_Lies_Bene1 (Cirrostratus)
You might want to check that the permissions on the files match those of the other files in those folders, just in case.
- nvv_109301 (Nimbostratus)
You got it with the SSL Client Profile Trusted Cert Auth dropdown! Once I chose the CA in that box, it all worked. Since that entry isn't with the rest of the Client Authentication fields in the profile, it's sort of confusing as to why it would apply. Oh, well. Thank you for your insight.
- What_Lies_Bene1 (Cirrostratus)
Glad it's working and you're welcome. For future reference, any SSL profile that relies on a CA that isn't public and well known will need the CA specified. I used to get bitten by that all the time.
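The two things the thread ends up checking can be reproduced off-box with openssl: whether the client cert chains to a CA the verifier actually trusts, and whether its subject carries the expected O and an allow-listed CN. The script below is an added example, not code from the thread or from F5. It builds a throwaway private CA and client certificate (constructed test data; the organisation and host names are assumed), reproduces the "unable to get local issuer certificate" error by verifying without the CA, shows the same verify succeed once the CA is supplied with -CAfile, and then applies the iRule's subject policy (exact O, CN from a list) to the cert. With -nameopt RFC2253 openssl prints the subject in the same CN-first, comma-separated form that X509::subject logged above.

```shell
#!/bin/sh
# Added example: reproduce the LTM's "unable to get local issuer certificate"
# with openssl and show that supplying the private CA fixes it. Not from the
# original post. All names below are constructed test data.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI: a private CA and a client cert it signs.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
  -subj "/C=US/O=Example Corp/CN=Example Private CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/C=US/ST=Virginia/L=Charlottesville/O=Example Corp/OU=IT Operations/CN=client.example.org" \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -sha256 -in "$WORK/client.csr" \
  -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
  -out "$WORK/client.crt" >/dev/null 2>&1

# verify_client_cert CERT [CAFILE]
# Prints the openssl verify verdict and returns 0 on success, 1 on failure.
# Without CAFILE only the default trust store is consulted, which is the
# situation of a private CA that sits on disk but is not selected as a
# Trusted Certificate Authority in the Client SSL profile.
verify_client_cert() {
    cert="$1"; cafile="$2"
    if [ -n "$cafile" ]; then
        out="$(openssl verify -CAfile "$cafile" "$cert" 2>&1)" && rc=0 || rc=1
    else
        out="$(openssl verify "$cert" 2>&1)" && rc=0 || rc=1
    fi
    echo "$out"
    return $rc
}

# subject_field CERT FIELD -> value of one RDN (e.g. O or CN) of the subject.
# RFC2253 output is CN-first and comma separated, like X509::subject in the logs.
subject_field() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
      | sed 's/^subject= *//' | tr ',' '\n' | sed -n "s/^$2=//p"
}

# authorize_subject CERT ORG CN_LIST -> 0 if O equals ORG and CN is in the
# space-separated CN_LIST; the same policy the iRule applies with $::org and
# its CN data group.
authorize_subject() {
    cert="$1"; want_org="$2"; cn_list="$3"
    org="$(subject_field "$cert" O)"
    cn="$(subject_field "$cert" CN)"
    [ "$org" = "$want_org" ] || return 1
    for allowed in $cn_list; do
        [ "$cn" = "$allowed" ] && return 0
    done
    return 1
}

echo "Without the private CA trusted:"
verify_client_cert "$WORK/client.crt" || true
echo "With the private CA trusted:"
verify_client_cert "$WORK/client.crt" "$WORK/ca.crt"
if authorize_subject "$WORK/client.crt" "Example Corp" "client.example.org other.example.org"; then
    echo "subject policy: accepted"
else
    echo "subject policy: rejected"
fi
```

The first verify fails with the same "unable to get local issuer certificate" text the LTM logged, and the second succeeds with nothing changed but the trust anchor. On the LTM the equivalent of -CAfile is the Trusted Certificate Authorities selection in the Client SSL profile; a CA file that is merely present in the ssl.crt directory is not consulted, which is why the iRule's subject check could pass while the handshake still failed.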