Forum Discussion

Cirrus

Jun 29, 2017

Need help with SSL handshake failure and client certificates

Hi, we are using a clientSSL-profile with client certificate set to require and also configured the trusted/allowed CA. When connecting to this VS with a valid client certificate we are ending up w...

Stefan_Klotz_85
Jun 30, 2017
Hi Ashwin,

thanks for your help, but we could solve the issue. It starts working after we configured the whole chain for the "Trusted Certificate Authorities"-option in the "Client Authentication"-section of the clientSSL-profile, where we initialy only configured the single issuer certificate from the client-certificate.

But what is still strange for us, as I already mentioned, in the other region it's still working with just the single issuer certificate (which I also thought that this is sufficient). Might this be related to some settings on the clientside? Not sure if it's important or relevant, but the client in our case is a CA API Gateway.

Thank you for some final hints!

Ciao Stefan :)

Ashwin_Venkat

Employee

Jun 30, 2017

Hello Stefan,

Is it possible to let us know what signature algorithm was used to sign the certificate that is assigned to the SSL profile? If its something other than RSA, DSA or ECDSA algorithm, then its unsupported and that could be one of the potential reason why we immediately send the fatal alert after presenting the certificate and the certificate request messages. If its something that's been signed with a signature algorithm like RSASSA-PSS (default one for certain/newer Microsoft PKIs from my experience), then its unsupported and that could result in behavior that you're observing.

If/when you confirm that you're using a certificate with one of those 3 signature algorithms, I'd recommend either turning on SSL debug logging (make sure to turn it off soon after gathering the troubleshooting info) or else looking at the fatal alert packet in the packet to see exactly what the fatal alert code it is that you are receiving will go a long way in helping us in understanding why the fatal alert is being sent by the F5.

I look forward to your response!

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

Need help with SSL handshake failure and client certificates

Recent Discussions

Problem with lets encrypt and redirect after update

Is a Dedicated Interface, VLAN, and Self IP Required for a VIP in an F5 Configuration?

Should config via cli rather than gui?

iRule for client certificate verification and inserting CN

ASM Sync Between 2 Data Centers

Related Content

Automating ACMEv2 Certificate Management on BIG-IP

SSL Forward Proxy – Certificate Error Graceful Failure

BIG-IP Proxy SSL 12.1 Handshake Failure

Re: Management Certificate

SSL Profiles Part 1: Handshakes

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS