Forum Discussion

Jim_24689
Sep 10, 2013

Issue when setting up two way SSL authentication

Hello -

Having an issue setting up an LTM to use two-way SSL authentication. The LTM is configured to require a client certificate; the certificate chain of intermediate CAs has been configured as well as the trusted CA. The connection is failing for the client and the backend pool members. A Wireshark trace shows the following toward the end:

    Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Finished
    TLSv1 132 Change Cipher Spec, Finished

The subsequent "Client Hello" fails. The F5 returns the following:

    Content Type: 21) Version: TLS 1.0 (0x0301) Length (24) . . . Description: Handshake Failure (40)

I created an iRule to look at the authentication process. The output of which is:

    Rule /Common/ssg_debug_rule : Client Accepted Client IP- xxx.xxx.xxx.xxx ;
    Rule /Common/ssg_debug_rule : Client Hello Started ;
    Rule /Common/ssg_debug_rule : Client IP - xxx.xxx.xxx.xxx ;
    Rule /Common/ssg_debug_rule : Cert Error - ok ;
    Rule /Common/ssg_debug_rule : Cert Subject- CN="Correct Name" ;
    Rule /Common/ssg_debug_rule : Client SSL Handshake Client IP - xxx.xxx.xxx.xxx ;

What is going on? I'm not sure how to debug this. I'm not certain as to what is failing. Any help is appreciated.

Thanks -jim

 

2 Replies

  • Also try checking the cert purpose using this command

        openssl x509 -text -noout -purpose -in /config/ssl/ssl.crt/

    You'll need to see the client and server purpose as "yes" to perform two-way mutual auth.

        Certificate purposes:
        SSL client : Yes
        SSL client CA : No
        SSL server : Yes
        SSL server CA : No
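The purpose check from the reply above, worked through end to end as an added example (not from the thread and not F5 code). It assumes only the openssl CLI and a POSIX shell: a constructed CA and two constructed leaf certificates are generated in a temporary directory, the same "Certificate purposes" lines are read back with `openssl x509 -purpose`, and each leaf is verified against the CA with `openssl verify`, which is the check the LTM performs against its trusted CA when it validates a client certificate. The `client-only` leaf is built without the serverAuth EKU on purpose, so it shows what a cert that cannot serve both roles looks like next to one that can. All file names and section names are choices made for this example.

```shell
#!/bin/sh
# Added example: constructed CA + leaf certs, purpose check, chain check.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension sections for the constructed certificates (example config only).
# v3_both         -> leaf usable as SSL client and SSL server
# v3_client_only  -> leaf with clientAuth only; server purpose will be "No"
cat > "$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = constructed-test
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_both ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
[ v3_client_only ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF

# make_ca: self-signed constructed CA, standing in for the trusted CA on the LTM
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -config "$WORK/ext.cnf" -extensions v3_ca \
    -subj "/CN=constructed-test-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# issue_leaf NAME EXT_SECTION: CSR + CA-signed leaf carrying the given extensions
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -config "$WORK/ext.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$1.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/ext.cnf" -extensions "$2" \
    -out "$WORK/$1.pem" 2>/dev/null
}

# cert_purpose CERT LABEL: prints Yes/No for one line of `openssl x509 -purpose`,
# e.g. LABEL "SSL client" or "SSL server" (the "... CA" lines are not matched)
cert_purpose() {
  openssl x509 -in "$1" -noout -purpose 2>/dev/null |
    awk -F' : ' -v p="$2" '$1 == p { print $2 }'
}

# mtls_ready CERT: succeeds only if both client and server purposes read Yes,
# which is what the reply above says a cert used for two-way auth must show
mtls_ready() {
  case "$(cert_purpose "$1" 'SSL client')" in Yes*) ;; *) return 1 ;; esac
  case "$(cert_purpose "$1" 'SSL server')" in Yes*) ;; *) return 1 ;; esac
  return 0
}

# verify_chain LEAF CAFILE: chain validation against the trusted CA bundle
verify_chain() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

setup_certs() {
  make_ca
  issue_leaf both v3_both
  issue_leaf client-only v3_client_only
}

# report: one summary line per constructed leaf
report() {
  for name in both client-only; do
    printf '%s: client=%s server=%s chain=%s mtls-ready=%s\n' "$name" \
      "$(cert_purpose "$WORK/$name.pem" 'SSL client')" \
      "$(cert_purpose "$WORK/$name.pem" 'SSL server')" \
      "$(verify_chain "$WORK/$name.pem" "$WORK/ca.pem" && echo ok || echo FAIL)" \
      "$(mtls_ready "$WORK/$name.pem" && echo yes || echo no)"
  done
}

setup_certs
report
```

On a real LTM, point `cert_purpose` and `verify_chain` at the files under /config/ssl/ssl.crt/ instead of the constructed ones; a leaf that reports `server=No` or `chain=FAIL` here is the kind of certificate that produces exactly the Handshake Failure alert described in the question, and is worth ruling out before digging into the iRule output.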