Forum Discussion
masajjad
Jul 23, 2020
I came across this: https://mta.openssl.org/pipermail/openssl-users/2017-April/005683.html
> Secure Sockets Layer
> TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Certificate Unknown)
> Content Type: Alert (21)
> Version: TLS 1.2 (0x0303)
> Length: 2
> Alert Message
> Level: Fatal (2)
> Description: Certificate Unknown (46)
Client objects to the server chain. Either does not trust the MiTM root CA, or
is unhappy about its encoding (assuming tshark is not generating an FP warning).
And here is the tcpdump analysis that highlights our situation.
- Back-end sends Locally signed Cert to F5 Self IP. F5 likes it and we see Client Key Exchange.
- VS sends new 4096-bit key size client cert (signed by Entrust that signs current one as well) to back-end
- Back-end flags Alert Cert Unknown.
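As an added example (not part of this post or the linked mailing-list thread), here is a small Python parser for the TLS record layer that decodes the exact alert bytes tshark printed above: content type 21, version 0x0303, length 2, then level 2 (Fatal) and description 46 (certificate_unknown). The sample byte stream is constructed, and the function names are my own.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1)
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
ALERT_LEVELS = {1: "Warning", 2: "Fatal"}
# Subset of AlertDescription values (RFC 5246, section 7.2); 46 is the one in the capture
ALERT_DESCRIPTIONS = {
    0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error",
}


def parse_records(data):
    """Split a captured TLS byte stream into records and decode any alerts.

    Each complete record becomes a dict with its kind, version and length;
    a 2-byte Alert record also gets level and description names. A trailing
    partial record (as happens when a pcap is cut mid-record) is reported as
    kind 'truncated' instead of raising.
    """
    out = []
    off = 0
    while off < len(data):
        if len(data) - off < 5:                       # not even a full 5-byte record header
            out.append({"kind": "truncated", "offset": off})
            break
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:                        # header says more bytes than we have
            out.append({"kind": "truncated", "offset": off})
            break
        rec = {"kind": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
               "version": "0x%04x" % version, "length": length}
        if ctype == 21 and length == 2:               # Alert: AlertLevel || AlertDescription
            rec["level"] = ALERT_LEVELS.get(body[0], "unknown(%d)" % body[0])
            rec["description"] = ALERT_DESCRIPTIONS.get(body[1], "unknown(%d)" % body[1])
        out.append(rec)
        off += 5 + length
    return out


def fatal_alerts(records):
    """Return only the records that are Fatal alerts, i.e. handshake killers worth triaging."""
    return [r for r in records if r["kind"] == "Alert" and r.get("level") == "Fatal"]


# Constructed sample: a ServerHelloDone handshake record, then the alert from the
# capture above (15 03 03 00 02 | 02 2e), then 3 stray bytes of a cut-off record.
SAMPLE = bytes.fromhex("1603030004" "0e000000" "1503030002" "022e" "170303")

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec)
```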