Forum Discussion
Debug SSL communication
I am trying to debug a mutual authentication issue. Is there any way I can get the complete SSL client certificate used during the SSL communication? I tried to use the following iRule, but it does not work in the case of a wrong client certificate.
iRule:
ltm rule log_mutual_auth {
    when CLIENTSSL_CLIENTCERT {
        # Guard: [SSL::cert 0] is empty when no client certificate is available in this event,
        # and X509::issuer / X509::subject then raise the TCL error seen in /var/log/ltm.
        if { [SSL::cert count] > 0 } {
            log local0. "Issuer Info: [X509::issuer [SSL::cert 0]] , Certificate Info: [X509::subject [SSL::cert 0]] , Verify result: [X509::verify_cert_error_string [SSL::verify_result]]"
        } else {
            log local0. "No client certificate received from [IP::client_addr]"
        }
    }
}
Error in LTM logs:
Dec ltm01 err tmm[16373]: 01220001:3: TCL error: /Common/log_mutual_auth - Error using (line 3) invoked from within "X509::issuer [SSL::cert 0]"
Hi Emad,
When you run ssldump when the client connects, do you see the client presenting a client certificate?
Cheers,
Kees
- EmadCirrostratus
I think yes, Server Hello is completed and when the client tries the key exchange, LTM sends a RST. FYI!
New TCP connection 7: x.x.x.43(37045) <-> x.x.x.19(xxxx)
7 1  1481517481.9937 (0.1794)  C>SV3.1(69)  Handshake
      ClientHello
        Version 3.1
        random[32]=
          58 4e 29 a9 61 6b ab dc ef 7e bb f6 ac 58 6e 27
          9d 27 66 4f c7 4a 19 5d b7 9b 02 a6 77 98 b0 55
        cipher suites
        TLS_RSA_WITH_AES_128_CBC_SHA
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_RC4_128_MD5
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT_WITH_RC4_40_MD5
        TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
        TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_RSA_WITH_DES_CBC_SHA
        TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
        Unknown value 0xff
        compression methods
                  NULL
7 2  1481517481.9938 (0.0000)  S>CV3.1(49)  Handshake
      ServerHello
        Version 3.1
        random[32]=
          35 65 e5 d0 78 8f 4c 61 f7 72 0b f9 51 47 8c b3
          df 14 e2 b4 32 68 1d 67 3a d4 99 ed 23 9e bf 7d
        session_id[0]=
        cipherSuite         TLS_RSA_WITH_AES_128_CBC_SHA
        compressionMethod                   NULL
7 3  1481517481.9938 (0.0000)  S>CV3.1(2402)  Handshake
      Certificate
7 4  1481517481.9938 (0.0000)  S>CV3.1(221)  Handshake
      CertificateRequest
        certificate_types   rsa_sign
        certificate_types   dss_sign
        certificate_types   unknown value
        certificate_authority
          30 68 31 15 30 13 06 0a 09 92 26 89 93 f2 2c 64
          01 19 16 05 6c 6f 63 61 6c 31 16 30 14 06 0a 09
          92 26 89 93 f2 2c 64 01 19 16 06 61 70 74 65 73
          74 31 18 30 16 06 0a 09 92 26 89 93 f2 2c 64 01
          19 16 08 63 6f 72 70 74 65 73 74 31 1d 30 1b 06
          03 55 04 03 13 14 41 50 20 54 65 73 74 20 49 73
          73 75 69 6e 67 20 43 41 20 31
        certificate_authority
          30 63 31 15 30 13 06 0a 09 92 26 89 93 f2 2c 64
          01 19 16 05 6c 6f 63 61 6c 31 16 30 14 06 0a 09
          92 26 89 93 f2 2c 64 01 19 16 06 61 70 74 65 73
          74 31 18 30 16 06 0a 09 92 26 89 93 f2 2c 64 01
          19 16 08 63 6f 72 70 74 65 73 74 31 18 30 16 06
          03 55 04 03 13 0f 41 50 20 54 65 73 74 20 52 6f
          6f 74 20 43 41
7 5  1481517481.9938 (0.0000)  S>CV3.1(4)  Handshake
      ServerHelloDone
7 6  1481517482.1804 (0.1866)  C>SV3.1(269)  Handshake
      Certificate
      ClientKeyExchange
        EncryptedPreMasterSecret[256]=
          67 7d be a5 7a 67 f7 ec e6 80 cc cb e0 5b cc 55
          a1 9d 0a ee b1 7d c6 d3 35 03 34 20 a9 a3 f3 4a
          e3 64 d7 94 aa 78 a9 18 b4 6e e7 d7 b3 28 8d ce
          c3 f3 96 39 37 ac 84 5a 9e d6 9f 3d c1 a6 bc 96
          31 90 51 04 3e 32 f3 a0 e0 c9 01 82 81 dd b3 5a
          eb 28 60 71 20 b0 6b 4a 5c c7 10 51 6c aa 4a 80
          75 af 6b f0 cd 33 ee f1 e1 b8 b0 dc 34 31 29 a0
          95 c5 5c c8 1f c0 4a a5 a2 2d 5d 1f 36 2f 26 e6
          c5 3f e1 8a df ed 18 37 b4 3e e5 ad 5c cd 6f 6a
          8e e5 cb a8 47 7d 34 19 f6 05 0f f9 e3 34 3e 6e
          c2 43 1f 2a b1 54 45 d9 c6 b7 92 81 42 69 5b ce
          37 23 5c 1e 80 26 0f 4b 16 b7 0a c3 1a 70 48 db
          fa 5a 56 c1 76 7f 96 85 6f 14 b5 e6 f3 a7 a6 ac
          f0 d0 ba 07 78 32 ef 7f 6e ee ca d4 fe 40 8f c6
          9b 32 9f f2 bc 2a 52 28 9d 64 8b 9b f1 75 28 13
          b8 89 3e ad 87 1a 3c 2e 92 7f df a8 62 22 43 5e
7 7  1481517482.1805 (0.0001)  S>CV3.1(2)  Alert
    level           fatal
    value           handshake_failure
7    1481517482.1805 (0.0000)  S>C  TCP RST
Could you change the log level of SSL to debug and check /var/log/ltm for errors?
- EmadCirrostratus
Yes already did that during debugging.
Dec ltm01 debug tmm[16373]: 01260009:7: Connection error: ssl_shim_vfycerterr:3756: unsupported certificate purpose (46)
Dec ltm01 info tmm[16373]: 01260013:6: SSL Handshake failed for TCP x.x.x.153%1:56352 -> x.x.x.%1:443
Dec ltm01 debug tmm1[16373]: 01260006:7: Peer cert verify error: unsupported certificate purpose (depth 0; cert /C=US/ST=AA/L=California/O=Test ORG/OU=software IT/CN=test.local)
When you open the crt file of your client certificate (test.local) using a text editor you will see a section like:
X509v3 Extended Key Usage:
    TLS Web Server Authentication
X509v3 Key Usage:
    Digital Signature, Key Encipherment
- EmadCirrostratus
It does not contain any of this information. However, I have checked its purpose by:
root@testsrv13:/export/home/emad/cert_verify openssl verify -purpose sslclient -CAfile CA_cert.cer client_cert.cer
client_cert.cer: OK
root@testsrv13:/export/home/emad/cert_verify openssl verify -purpose sslserver -CAfile CA_cert.cer client_cert.cer
client_cert.cer: OK
- EmadCirrostratus
What is recommended in that case?
TLS Web server authentication Or TLS Web client authentication
It should contain at least TLS Web client authentication
But the error is on your test.local certificate. Can you post the output of openssl verify test.local cert?
- EmadCirrostratus
openssl verify client_cert.cer
client_new.cer: C = US, ST = AA, L = California, O = Test, OU = software, CN = test.local
error 20 at 0 depth lookup:unable to get local issuer certificate
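The three openssl checks that come up in this thread, reproduced end to end as an added example (this is editor-supplied code, not something posted by Emad or Kees, and not F5 code): reading the Extended Key Usage extension the way Kees describes, running `openssl verify -purpose sslclient` / `-purpose sslserver` as Emad did, and running `openssl verify` with no `-CAfile`, which produces the "error 20 ... unable to get local issuer certificate" seen in the last post. It builds a throwaway root CA and issues three certificates for the subject from the BIG-IP log line: one with no EKU at all, one with serverAuth only, one with clientAuth only. It assumes `openssl` 1.1.1 or newer is in PATH; the file names (ca.crt, client_noeku.crt, client_serverauth.crt, client_clientauth.crt) and the CA are constructed here and exist only in a scratch directory.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the openssl checks discussed above against
# a throwaway CA. Assumes `openssl` (1.1.1 or newer) is in PATH. All file names below are
# local to a scratch directory created here; nothing touches the system trust store.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the run does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Test Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Throwaway root CA, then one CSR using the subject from the BIG-IP "Peer cert verify error" line.
openssl req -x509 -new -newkey rsa:2048 -nodes -config req.cnf \
    -keyout ca.key -out ca.crt -days 1 >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
    -subj "/C=US/ST=AA/L=California/O=Test ORG/OU=software IT/CN=test.local" \
    -keyout client.key -out client.csr >/dev/null 2>&1

# issue NAME [EXTENSION_LINE]: sign the CSR, optionally adding the given X509v3 extension.
issue() {
    if [ $# -gt 1 ]; then
        printf '%s\n' "$2" > "$1.ext"
        openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days 1 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
    else
        openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days 1 -out "$1.crt" 2>/dev/null
    fi
}
issue client_noeku                                   # no EKU extension, like the cert in the thread
issue client_serverauth "extendedKeyUsage=serverAuth"
issue client_clientauth "extendedKeyUsage=clientAuth"

# eku_of CERT: the Extended Key Usage values as `openssl x509 -text` prints them, or "(none)".
eku_of() {
    v=$(openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Extended Key Usage/ { getline; sub(/^ +/, ""); print; exit }')
    printf '%s\n' "${v:-(none)}"
}

# purpose_check CERT PURPOSE: "ok", or the lookup error text from `openssl verify -purpose`.
purpose_check() {
    out=$(openssl verify -purpose "$2" -CAfile ca.crt "$1" 2>&1) || true
    case "$out" in
        *": OK"*) printf 'ok\n' ;;
        *) printf '%s\n' "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1 ;;
    esac
}

# no_cafile_check CERT: what `openssl verify CERT` reports when the issuer is in no trust store.
no_cafile_check() {
    out=$(openssl verify "$1" 2>&1) || true
    printf '%s\n' "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
}

for c in client_noeku.crt client_serverauth.crt client_clientauth.crt; do
    printf '%-22s EKU: %-30s sslclient: %-32s sslserver: %s\n' "$c" \
        "$(eku_of "$c")" "$(purpose_check "$c" sslclient)" "$(purpose_check "$c" sslserver)"
done
printf 'no -CAfile:            %s\n' "$(no_cafile_check client_clientauth.crt)"
```

The certificate with no EKU passes both `-purpose sslclient` and `-purpose sslserver`, which is exactly what Emad's two commands printed: OpenSSL's purpose check only rejects a certificate whose EKU is present and excludes the purpose, so an absent EKU is treated as unrestricted. That makes `openssl verify -purpose` a weak test for a mutual-TLS problem; the server doing the verification may apply its own policy, and the BIG-IP log above rejected the same certificate with "unsupported certificate purpose". The serverAuth-only certificate is rejected for sslclient, and the clientAuth certificate is accepted, which is the "at least TLS Web client authentication" recommendation in practice. The last line shows that `openssl verify` without `-CAfile` cannot build a chain at all and reports error 20, so that command says nothing about the certificate's purpose.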