Forum Discussion

mohit29388_1794's avatar
mohit29388_1794
Icon for Nimbostratus rankNimbostratus
Jul 12, 2016

Not able to connect 2 way SSL from application server to f5

From my application server , for client side connections towards my f5 i am trying to establish a 2 way ssl , but am not able to connect

 

[client server ~] openssl s_client -connect f5.c1.com.gn:9010 CONNECTED(00000003) depth=0 C = GN, O = MTN, CN = f5.Cust1.com.gn

 

verify error:num=20:unable to get local issuer certificate

 

verify return:1 depth=0 C = GN, O = CUST1, CN = f5.Cust1.com.gn verify error:num=27:certificate not trusted

 

verify return:1 depth=0 C = GN, O = CUST1, CN = f5.Cust1.com.gn verify error:num=21:unable to verify the first certificate

 

verify return:1

Certificate chain 0 s:/C=GN/O=CUST1/CN=f5.Cust1.com.gn

 

i:/CN=m3-internal-ca-guina

Server certificate -----BEGIN CERTIFICATE-----

 

-----END CERTIFICATE----- subject=/C=GN/O=CUST1/CN=f5.Cust1.com.gn

 

issuer=/CN=m3-internal-ca-guina No client certificate CA names sent SSL handshake has read 1263 bytes and written 621 bytes

New, TLSv1/SSLv3, Cipher is AES256-SHA256 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher : AES256-SHA256 Session-ID: E712FFC846A4669E74AC3793C2A0E3E41714CE2DB06FEF08CD90D81A210F0593 Session-ID-ctx: Master-Key: 12F2D283B35FD56F25EA30CED9239BAA5155C692024DCA9C1E3400539D123637 8921C39456C9DBD399B3D99444497465 Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None Start Time: 1468237189 Timeout : 300 (sec)

 

Verify return code: 21 (unable to verify the first certificate)

read:errno=0

 

along with this iam getting following error on server :

 

https://f5.cust1.com.gn:9010/********: peer not authenticated

 

  • my F5

     

    Sys::Version Main Package Product BIG-IP Version 11.5.4 Build 0.56.256 Edition Engineering Hotfix Date Fri Mar 25 14:46:24 PDT 2016

     

    one doubt which I have :

     

    on F5 chippers is selected as default

     

    while at my application server end

     

    TLSv1/SSLv3, Cipher is AES256-SHA256

     

  • Part of the error message is that you're not defining a CA cert (or trust bundle) in your OpenSSL command so the client side is unable to validate/trust the server certificate. But when you say 2-way SSL, are you talking about using a client certificate as well?

     

  • Hello,

     

    I am trying to establish 2 way ssl on my client server with f5 I created a cert for F5 > associated it with profile and VS

     

    and similar way I created client cert. for server as well in configured it to present for ssl handshake

     

    but im getting errors:

     

    peer not authenticated ssl handshake failure

     

    above is O/P from my client server which I try ssl connection towards F5

     

    ~] openssl s_client -connect f5.c1.com.gn:9010

     

  • I am trying to establish 2 way ssl on my client server with f5

     

    I created a cert for F5 > associated it with profile and VS

     

    Please confirm that you mean that you're trying to do SSL mutual authentication with server AND client certificates.

     

    peer not authenticated

     

    ssl handshake failure

     

    As I mentioned before, part of the error is that you're not providing a way in your openssl command to validate the server's certificate. You need to define a CA certificate, or certificate bundle. If you are doing mutual SSL authentication, then you're also not providing the client cert as part of that openssl command.

     

  • Please confirm that you mean that you're trying to do SSL mutual authentication with server AND client certificates.

     

    yes you are correct .

     

    can you help me with correct command syntax