Forum Discussion
Need help with SSL handshake failure and client certificates
- Jun 30, 2017
Hi Ashwin,
thanks for your help, but we could solve the issue. It started working after we configured the whole chain for the "Trusted Certificate Authorities" option in the "Client Authentication" section of the clientSSL profile, where we initially only configured the single issuer certificate from the client certificate.
But what is still strange for us, as I already mentioned, in the other region it's still working with just the single issuer certificate (which I also thought was sufficient). Might this be related to some settings on the client side? Not sure if it's important or relevant, but the client in our case is a CA API Gateway.
Thank you for some final hints!
Ciao Stefan :)
Hello Stefan,
Is it possible to let us know what signature algorithm was used to sign the certificate that is assigned to the SSL profile? If it's something other than the RSA, DSA or ECDSA algorithms, then it's unsupported and that could be one of the potential reasons why we immediately send the fatal alert after presenting the certificate and the certificate request messages. If it's something that's been signed with a signature algorithm like RSASSA-PSS (the default one for certain/newer Microsoft PKIs from my experience), then it's unsupported and that could result in the behavior that you're observing.
If/when you confirm that you're using a certificate with one of those 3 signature algorithms, I'd recommend either turning on SSL debug logging (make sure to turn it off soon after gathering the troubleshooting info) or else looking at the fatal alert packet to see exactly what fatal alert code you are receiving. That will go a long way in helping us understand why the fatal alert is being sent by the F5.
I look forward to your response!
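One way to answer the signature-algorithm question in the reply above without extra tooling, as an added example that is not part of the original thread and not F5 code: a standard-library Python parser that reads the outer `signatureAlgorithm` OID from a PEM or DER certificate and reports whether it falls in RSA, DSA, ECDSA or RSASSA-PSS. The function names, the short OID table and the `sample_cert` skeleton (constructed test data, not a valid certificate) are assumptions made for illustration.

```python
import base64, re

# Standard signature-algorithm OIDs mapped to the family names used in the reply.
SIG_OIDS = {
    "1.2.840.113549.1.1.5": "RSA",        # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "RSA",       # sha256WithRSAEncryption
    "1.2.840.113549.1.1.10": "RSASSA-PSS",
    "1.2.840.10045.4.3.2": "ECDSA",       # ecdsa-with-SHA256
    "1.2.840.10040.4.3": "DSA",           # dsa-with-sha1
    "2.16.840.1.101.3.4.3.2": "DSA",      # dsa-with-sha256
}

def read_tlv(buf, pos):  # returns (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def decode_oid(raw):  # DER OID content bytes -> dotted notation
    vals, val = [], 0
    for b in raw:
        val = (val << 7) | (b & 0x7F)      # base-128, high bit marks continuation
        if not b & 0x80:
            vals.append(val)
            val = 0
    first = min(vals[0] // 40, 2)          # first value packs the first two arcs
    return ".".join(map(str, [first, vals[0] - 40 * first] + vals[1:]))

def signature_family(cert):  # PEM or DER bytes -> (oid, family)
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", cert, re.S)
    der = base64.b64decode(m.group(1)) if m else cert
    _, body, _ = read_tlv(der, 0)          # Certificate ::= SEQUENCE {
    _, _, tbs_end = read_tlv(der, body)    #   tbsCertificate (skipped)
    _, alg, _ = read_tlv(der, tbs_end)     #   signatureAlgorithm AlgorithmIdentifier
    tag, start, end = read_tlv(der, alg)   #     algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("expected OID")
    oid = decode_oid(der[start:end])
    return oid, SIG_OIDS.get(oid, "other")

def sample_cert(oid_hex):  # constructed DER skeleton, NOT a valid certificate
    def tlv(tag, v):       # lengths used here are either < 128 or >= 256
        n = len(v)
        return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + v
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")
    return tlv(0x30, tlv(0x30, b"\x02\x01\x00" * 300 // 3 * 1 if False else b"\x02\x01\x00" * 100) + alg + tlv(0x03, b"\x00" * 9))
```

Call `signature_family(open(path, "rb").read())` on the exported profile certificate; a result of `RSASSA-PSS` or `other` matches the unsupported case the reply describes.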