Forum Discussion
Bryan_90908
Jan 21, 2011
Nimbostratus
Client Side SSL Authentication
Greetings all, I'm trying to add client-side authentication to a specific VIP on our BIG-IP running 9.4.8 code. I have a server-side wildcard certificate signed by DigiCert and the client-side host certificate signed by VeriSign. When I disable "require client side cert" and set it to "request", the transactions succeed. However, when I enable "require client side cert" I get SSL negotiation issues. OpenSSL shows the following:
openssl s_client -connect host.myurl.com:443 -CAfile digicert-ca.crt -cert mycert.crt -key mycert.key -state -msg
SSL_connect:SSLv3 write client key exchange A
>>> TLS 1.0 Handshake [length 0106], CertificateVerify
SSL_connect:SSLv3 write certificate verify A
>>> TLS 1.0 ChangeCipherSpec [length 0001]
01
SSL_connect:SSLv3 write change cipher spec A
>>> TLS 1.0 Handshake [length 0010], Finished
14 00 00 0c 3e d1 4a 70 5d 5e d8 1f 9c df 1b 4c
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:failed in SSLv3 read finished A
11373:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
Here is the config I have:
virtual SSL_host.myurl.com {
   pool partnerservices-stg
   destination 192.168.96.87:https
   ip protocol tcp
   rules SSL_Subject_Header_Insert
   profiles
      Header_Insert
      myurl.com
      tcp
}
profile clientssl myurl.com {
   defaults from clientssl
   key "wildcard-myurl.com-Jan-2014.key"
   cert "wildcard-myurl.com-Jan-2014.crt"
   chain "digicert-ca2.crt"
   ca file "new-verisign-ca.crt"
   crl file none
   client cert ca "digicert-ca2.crt"
   options none
   peer cert mode require
}
Any help is greatly appreciated.
hooleylist
Cirrostratus
It looks like you have the client SSL profile set correctly to use the wildcard-myurl.com cert to establish the SSL handshake and advertise the DigiCert CA cert for the client cert request.
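One way to verify the point raised in the reply, namely which CA names the server actually advertises in its CertificateRequest so they can be compared with the issuer of the client certificate, is to decode that message from the same `openssl s_client -msg` output. This is an added example, not code from the post, from F5 or from OpenSSL; the trace is constructed (the posted excerpt begins after the CertificateRequest, so a hypothetical one naming "CN=Test CA" is hand-encoded), and the function names and the TLS 1.0/1.1 message layout it assumes are the example's own.

```python
import re
HDR = re.compile(r"^(<<<|>>>) TLS \S+ Handshake \[length [0-9a-f]+\], (\w+)$")
ATTRS = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}
# Constructed sample (not from the post): a hypothetical CertificateRequest naming "CN=Test CA" (hand-encoded DER).
SAMPLE = """\
<<< TLS 1.0 Handshake [length 001f], CertificateRequest
0d 00 00 1b 02 01 02 00 16 00 14 30 12 31 10 30
0e 06 03 55 04 03 13 07 54 65 73 74 20 43 41
SSL_connect:SSLv3 read server certificate request A
"""

def handshake_msg(trace, name):
    """Reassemble the hex dump of the first handshake message called `name` in the trace."""
    buf, collecting = bytearray(), False
    for line in (raw.strip() for raw in trace.splitlines()):
        if m := HDR.match(line):
            collecting = m.group(2) == name and not buf
        elif collecting and re.fullmatch(r"(?:[0-9a-f]{2} ?)+", line):
            buf += bytes.fromhex(line.replace(" ", ""))  # hex lines continue the message
        else:
            collecting = False  # a state line or other output ends the dump
    return bytes(buf)

def der_tlv(buf, pos):
    """Decode one DER TLV at `pos` (short or long-form length) -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    return tag, buf[pos:pos + length], pos + length

def decode_name(der):
    """Render an X.501 Name (SEQUENCE OF SET OF {OID, value}) as 'CN=..., O=...'."""
    rdns, parts, pos = der_tlv(der, 0)[1], [], 0
    while pos < len(rdns):
        _, rdn, pos = der_tlv(rdns, pos)
        atv = der_tlv(rdn, 0)[1]  # first attribute of the RDN is enough for display
        _, oid, p = der_tlv(atv, 0)
        _, val, _ = der_tlv(atv, p)
        parts.append(f"{ATTRS.get(bytes(oid), oid.hex())}={val.decode('latin-1')}")
    return ", ".join(parts)

def accepted_cas(msg):
    """CA names in a TLS 1.0/1.1 CertificateRequest (TLS 1.2 inserts a sig-alg list first)."""
    body, names, pos = msg[4:], [], 1 + msg[4]  # skip handshake header, then certificate_types
    end, pos = pos + 2 + int.from_bytes(body[pos:pos + 2], "big"), pos + 2
    while pos < end:
        n = int.from_bytes(body[pos:pos + 2], "big")
        names.append(decode_name(body[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return names
```

Run it over the full `-msg` capture rather than the excerpt above, and compare the names it returns with the issuer of the client certificate being presented.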