Not able to connect 2 way SSL from application server to f5
From my application server, for client-side connections towards my F5, I am trying to establish 2-way SSL, but am not able to connect.
[client server ~] openssl s_client -connect f5.c1.com.gn:9010
CONNECTED(00000003)
depth=0 C = GN, O = MTN, CN = f5.Cust1.com.gn
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = GN, O = CUST1, CN = f5.Cust1.com.gn
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = GN, O = CUST1, CN = f5.Cust1.com.gn
verify error:num=21:unable to verify the first certificate
verify return:1
Certificate chain
 0 s:/C=GN/O=CUST1/CN=f5.Cust1.com.gn
   i:/CN=m3-internal-ca-guina
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/C=GN/O=CUST1/CN=f5.Cust1.com.gn
issuer=/CN=m3-internal-ca-guina
No client certificate CA names sent
SSL handshake has read 1263 bytes and written 621 bytes
New, TLSv1/SSLv3, Cipher is AES256-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA256
    Session-ID: E712FFC846A4669E74AC3793C2A0E3E41714CE2DB06FEF08CD90D81A210F0593
    Session-ID-ctx:
    Master-Key: 12F2D283B35FD56F25EA30CED9239BAA5155C692024DCA9C1E3400539D1236378921C39456C9DBD399B3D99444497465
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1468237189
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
read:errno=0
Along with this I am getting the following error on the server:
https://f5.cust1.com.gn:9010/********: peer not authenticated
- mohit29388_1794 (Nimbostratus)
My F5:
Sys::Version Main Package Product BIG-IP Version 11.5.4 Build 0.56.256 Edition Engineering Hotfix Date Fri Mar 25 14:46:24 PDT 2016
One doubt which I have: on the F5, ciphers is set to the default, while at my application server end:
TLSv1/SSLv3, Cipher is AES256-SHA256
- Kevin_Stewart (Employee)
Part of the error message is that you're not defining a CA cert (or trust bundle) in your OpenSSL command so the client side is unable to validate/trust the server certificate. But when you say 2-way SSL, are you talking about using a client certificate as well?
- mohit29388_1794 (Nimbostratus)
Hello,
I am trying to establish 2-way SSL on my client server with the F5. I created a cert for the F5 > associated it with the profile and VS,
and in a similar way I created a client cert for the server as well and configured it to be presented for the SSL handshake,
but I'm getting errors:
peer not authenticated
ssl handshake failure
Above is the output from my client server, from which I try the SSL connection towards the F5:
~] openssl s_client -connect f5.c1.com.gn:9010
- Kevin_Stewart (Employee)
I am trying to establish 2 way ssl on my client server with f5
I created a cert for F5 > associated it with profile and VS
Please confirm that you mean that you're trying to do SSL mutual authentication with server AND client certificates.
peer not authenticated
ssl handshake failure
As I mentioned before, part of the error is that you're not providing a way in your openssl command to validate the server's certificate. You need to define a CA certificate, or certificate bundle. If you are doing mutual SSL authentication, then you're also not providing the client cert as part of that openssl command.
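An added example, not from the thread and not F5's own code: a POSIX shell script that composes the s_client command Kevin describes (a trust anchor via -CAfile plus the client certificate and key via -cert/-key; the file names ca.pem, client.pem and client.key are assumed placeholders) and, using a throwaway CA generated locally, shows why certificate verification fails with "unable to get local issuer certificate" until the issuing CA is supplied. The host and port are the ones from the thread; the demo CA merely stands in for the m3-internal-ca-guina issuer shown in the output.

```shell
#!/bin/sh
# Added example (not from the thread). Two pieces:
#  1) mutual_tls_cmd   - builds the openssl s_client invocation for mutual TLS
#  2) chain_verify_demo - generates a throwaway CA + leaf certificate and shows
#     that verification fails without -CAfile and succeeds with it.

# Compose the s_client command. All file paths are placeholders; the CA file
# must contain the certificate of the issuer shown by s_client (here the
# internal CA), and -cert/-key are the client certificate and its private key.
mutual_tls_cmd() {
    host="$1"; port="$2"; ca="$3"; cert="$4"; key="$5"
    printf 'openssl s_client -connect %s:%s -CAfile %s -cert %s -key %s\n' \
        "$host" "$port" "$ca" "$cert" "$key"
}

# Build a constructed CA and a leaf certificate in a temp dir, then run
# "openssl verify" twice. Echoes "nocafile=<rc> withca=<rc>".
# Returns 0 when the first verify fails and the second succeeds,
# 2 when openssl is not installed, 1 on any other problem.
chain_verify_demo() {
    command -v openssl >/dev/null 2>&1 || return 2
    d=$(mktemp -d) || return 1
    # Constructed internal CA (stand-in for the issuer seen in the thread)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.crt" \
        -subj "/CN=demo-internal-ca" -days 1 >/dev/null 2>&1 || return 1
    # Leaf certificate with the virtual server's subject, signed by that CA
    openssl req -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" \
        -subj "/C=GN/O=CUST1/CN=f5.Cust1.com.gn" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/leaf.crt" -days 1 >/dev/null 2>&1 || return 1
    # 1) No trust anchor supplied: the CA is not in the default store, so this
    #    fails with "unable to get local issuer certificate" (error 20), the
    #    same class of failure as in the thread.
    if openssl verify "$d/leaf.crt" >/dev/null 2>&1; then rc1=0; else rc1=$?; fi
    # 2) Trust anchor supplied with -CAfile: the chain builds and verify succeeds.
    if openssl verify -CAfile "$d/ca.crt" "$d/leaf.crt" >/dev/null 2>&1; then rc2=0; else rc2=$?; fi
    rm -rf "$d"
    echo "nocafile=$rc1 withca=$rc2"
    [ "$rc1" -ne 0 ] && [ "$rc2" -eq 0 ]
}

# Stand-alone usage: print the command, then run the offline demo.
mutual_tls_cmd f5.c1.com.gn 9010 ca.pem client.pem client.key
chain_verify_demo || echo "demo skipped or failed (rc=$?)"
```

The same -CAfile argument is what s_client needs to clear verify errors 20, 21 and 27 against the live virtual server: without it OpenSSL has no way to build the chain from the server certificate to its issuer, regardless of whether a client certificate is also presented.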
- mohit29388_1794 (Nimbostratus)
Please confirm that you mean that you're trying to do SSL mutual authentication with server AND client certificates.
Yes, you are correct.
Can you help me with the correct command syntax?