Sheigh_65772
Apr 28, 2015

Client x509 Incorrect Certificate Chain

Hello,

For our HTTPS services we require a certificate from the user. In some cases we are seeing that the user's browser is building an incorrect certificate chain, which then results in an SSL::verify result code of 27. What we have been doing so far to remedy this issue is to work with the users by first exporting, deleting, and then finally reimporting the certs that are causing the issue as 'Untrusted'.

Good certificate chain
----------------------
Correct Root CA 1
===> Correct Intermediate CA
=======> Correct Client Cert

Bad certificate chain
----------------------
Incorrect Root CA
===> Incorrect CA
======> Correct Root CA 1
=========> Correct Intermediate CA
============> Correct Client Cert

Is there a better way to do this? I don't currently have the Chain setting configured in the Client SSL profile, though in some limited testing it didn't seem to fix the issue. We do have the Advertised Certificate Authorities set and the bundle doesn't include the offending certificates.

Thanks
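
One way to see which chain a failing browser actually sent, as an added example that is not part of the original post: an iRule that logs the verify result and the subject and issuer of every certificate the client presented whenever verification does not return 0. It assumes the iRule is attached to the virtual server that uses the Client SSL profile; the log format is made up for this example.

```tcl
# Added diagnostic example, not from the original post.
# Logs the chain a client presented when certificate verification fails,
# so the good and bad chains described above can be told apart per client.
when CLIENTSSL_CLIENTCERT {
    set vr [SSL::verify_result]

    # 0 means the chain verified; anything else (27 in the post) is a failure.
    if { $vr != 0 } {
        set n [SSL::cert count]
        log local0. "clientcert-diag client=[IP::client_addr] verify_result=$vr ([X509::verify_cert_error_string $vr]) certs_presented=$n"

        # Index 0 is the client's own certificate; higher indexes are the
        # additional certificates the browser chose to send along with it.
        for { set i 0 } { $i < $n } { incr i } {
            set c [SSL::cert $i]
            log local0. "clientcert-diag chain\[$i\] subject=\"[X509::subject $c]\" issuer=\"[X509::issuer $c]\""
        }
    }
}
```

A client sending the bad chain shown above would log more entries than one sending the good chain, with the unexpected CA subjects at the highest indexes.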

 
