Client cert for specific URIs: TLSv1.0 vs TLSv1.2

I can't tell for certain but what i do know is CLIENTSSL_HANDSHAKE is "Triggered when a client-side SSL handshake is completed". So, sounds like an issue with the initial handshake. Only advice is a tcpdump/ssldump to see if it gives you the clues you need.

@nathan: I agree with you. Using TLSv1.0 at the client site ssldump says after the cert provision ..... SSL handshake completed. Next is: CLIENTSSL_HANDSHAKE is fired up! Using TLSv1.2 ssldump tells us 'SSL handskake failed'. WHY???

can you post your ssldump output?

Meanwhile we compared the two ltm logs. 1st is the log where the client (IE 11) is offering TLSv1.0. Everything is working fine ie accessing the protected /Docs page requires the client's cert as stated in our iRule: ... ... Rule /Common/irule__uris : HTTP_REQUEST:START /Docs Rule /Common/irule__uris : HTTP_REQUEST Cypher name: AES256-SHA Rule /Common/irule__uris : HTTP_REQUEST Cypher version: TLSv1 Rule /Common/irule__uris : HTTP_REQUEST Cypher bits: 256 Rule /Common/irule__uris : PROTECTED: START /Docs Rule /Common/irule__uris : Certificate Protectd Cert Count: 0 Rule /Common/irule__uris : Certificate Protectd Cert Mode: ignore Rule /Common/irule__uris : PROTECTED: CERT COUNT 0: START Renegotiation for uri /Docs Rule /Common/irule__uris : Content Length: Rule /Common/irule__uris : PROTECTED: renegotiated Cert Count: 0 Rule /Common/irule__uris : PROTECTED: renegotiated Cert Result: 0 Rule /Common/irule__uris : SSL Handshake completed Rule /Common/irule__uris : Cert Count: 2 **************************************************************************** Rule /Common/irule__uris : Certificate Mode: require **************************************************************************** Rule /Common/irule__uris : SSL::authenticate require detected Rule /Common/irule__uris : HTTP::release Rule /Common/irule__uris : xxx.xxx.xxx.xxx:55776: cert 0; subject=CN=xxx xxx,OU=End Users,OU=xxx,O=xxxxxxx; CN=xxx SubCA-001,OU=PKI Components,OU=xxx,O=xxxxxxxx;cert_serial=77:27:d5:a1:42:a1:74:48:54:11:91:22:49:db:d6:db; Rule /Common/irule__uris : xxx.xxx.xxx.xxx:55776: cert 1; subject=CN=xxx SubCA-001,OU=PKI Components,OU=xxx,O=xxx; CN=xxxx RootCA,OU=PKI Components,OU=xxx,O=xxx;cert_serial=67:60:b9:ff:f5:f1:6b:c1:53:32:c7:47:50:75:24:b0; Rule /Common/irule_uris : HTTP_REQUEST:START /Docs/default.aspx Rule /Common/irule_uris : HTTP_REQUEST:START /Docs/default.aspx Rule /Common/irule_uris : HTTP_REQUEST Cypher name: AES256-SHA Rule /Common/irule_uris : HTTP_REQUEST Cypher version: TLSv1 Rule /Common/irule_uris : HTTP_REQUEST Cypher bits: 256 Rule /Common/irule_uris : PROTECTED: START /Docs/default.aspx Rule /Common/irule_uris : Certificate Protectd Cert Count: 2 Rule /Common/irule_uris : Certificate Protectd Cert Mode: require Rule /Common/irule_uris : PROTECTED: CERT-SUCCESS: Client certificate provided, cert count: 2 Rule /Common/irule_ader : Replace host header to xxx.xxx.xxx.xxx Rule /Common/irule_uris : HTTP_REQUEST:START /SiteAssets/EMIS-LOGO-04.png Rule /Common/irule_uris : HTTP_REQUEST:START /SiteAssets/EMIS-LOGO-04.png Rule /Common/irule_uris : HTTP_REQUEST Cypher name: AES256-SHA Rule /Common/irule_uris : HTTP_REQUEST Cypher version: TLSv1 Rule /Common/irule_uris : HTTP_REQUEST Cypher bits: 256 Rule /Common/irule_uris : UNPROTECTED: Certificate Unprotected URI: /SiteAssets/EMIS-LOGO-04.png .... 2nd is the log where the client (IE 11) is offering TLSv1.2. By accessing the protected /Docs page there is no 'Certificate Mode: require' entry as expected by the iRule. Therefore the SSL handshake fails: .... .... Rule /Common/irule_uris : HTTP_REQUEST:START /Docs Rule /Common/irule_uris : HTTP_REQUEST:START /Docs Rule /Common/irule_uris : HTTP_REQUEST Cypher name: AES256-SHA Rule /Common/irule_uris : HTTP_REQUEST Cypher version: TLSv1.2 Rule /Common/irule_uris : HTTP_REQUEST Cypher bits: 256 Rule /Common/irule_uris : PROTECTED: START /Docs Rule /Common/irule_uris : Certificate Protectd Cert Count: 0 Rule /Common/irule_uris : Certificate Protectd Cert Mode: ignore Rule /Common/irule_uris : PROTECTED: CERT COUNT 0: START Renegotiation for uri /Docs Rule /Common/irule_uris : Content Length: Rule /Common/irule_uris : PROTECTED: renegotiated Cert Count: 0 Rule /Common/irule_uris : PROTECTED: renegotiated Cert Result: 0 info tmm[8912]: 01260013:6: SSL Handshake failed for TCP from xxx.xxx.xxx.xxx:55817 to xxx.xxx.xxx.xxx:443 Any idea why?

not sure from that output. try "ssldump -Aed -nni 0.0" and posting that back

@nathan 1. ssldump output is very long Is there any possibility to upload it as a file? 2. Could it be a Microsoft issue with TLSv1.2? What happened is that after accessing the protected URI a certificate window pops up at our Win7 client and after the acknowledgement IE 11 closed immedialetly the session with "Site could not be accessed". With TLSv1.0 the sequence is like this: - access to the protected URI - certificate window pops up - acknowledgement - WE WERE ASK FOR THE CERT'S PASSWORD - IE11 has access Regards, Rainer

Yes, i wonder if it's MS issue. See https://issues.apache.org/bugzilla/show_bug.cgi?id=56061. Have you tried Chrome or Firefox instead of IE11?

1. How can I upload the ssldump file 2. We are using IIS 7, Firefox is showing the same result

These are the last ssldump lines immediately after the client's attempt to access the protected URI: ... New TCP connection 5: xxxx(55847) <-> yyyy(443) 5 1 1412679149.7406 (0.0041) C>SV3.3(193) Handshake ClientHello Version 3.3 random[32]= 54 33 c6 a0 2a 0a 52 ff 13 24 09 74 b5 95 17 88 68 75 bf 50 24 7f c5 89 71 ce 62 c9 51 7c 19 be resume [32]= 0c b7 1f 97 75 da db 2c 08 55 48 df 89 a1 7d 4a 82 4d 06 98 66 b7 b5 13 45 6a f7 4b f7 0a c6 60 cipher suites TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_RC4_128_MD5 compression methods NULL 5 2 1412679149.7409 (0.0003) S>CV3.3(85) Handshake ServerHello Version 3.3 random[32]= a7 1c 85 1c 2e 7e e6 ae 55 03 6e 2c 7b 5e d3 c4 fb 2c ee 93 60 de 5f ef 42 6f e2 49 f4 5c 9c 97 session_id[32]= 0c b7 1f 97 75 da db 38 08 55 48 df 89 a1 7c 4a d5 b3 7b 29 31 49 cb 85 45 6a f7 4b f7 0a c6 61 cipherSuite TLS_RSA_WITH_AES_256_CBC_SHA compressionMethod NULL 5 3 1412679149.7409 (0.0000) S>CV3.3(1357) Handshake Certificate 5 4 1412679149.7409 (0.0000) S>CV3.3(4) Handshake ServerHelloDone