Forum Discussion

Panstorm
Jun 04, 2025

Problem with C3D - Client Certificate Constrained Delegation

Hi all,

We have been using C3D in a public-facing web app for several years now with no issues.

Clients use their certificates from many different CAs to log in to the app, and when somebody has a certificate from a different CA we add that CA to a list of trusted and allowed CAs whose certificates users can use to log in with.

The internal CA that we use to forge client certificates and pass them to the node uses sha256RSA as the signature algorithm and sha256 as the signature hash algorithm.

We had to add a new allowed CA that clients will use certificates from to connect, but it uses sha512ECDSA as the signature algorithm and sha512 as the signature hash algorithm, and when someone uses a client certificate from this CA to try to connect to our application, the TLS connection breaks with "Alert (Level: Fatal, Description: Handshake Failure)".

Has anyone encountered a similar issue?

 

Thank you.

1 Reply

  • I have a sneaking suspicion that it is related to the ECC nature of the CA. Historically BIG-IPs handle RSA much better than ECC.

    I don't have any data to support this, so I would create a support ticket and get confirmation if this is supported or not.
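The reply's suspicion is that the failing CA differs from the working ones in its key and signature family (ECDSA/sha512 versus RSA/sha256). A quick way to confirm which certificates in a trusted-CA bundle or a captured client chain are ECDSA-signed is to inventory them by signature algorithm and key type. The script below is an added example, not code from the thread or from F5: it is a minimal, standard-library-only DER walk that reads the two `AlgorithmIdentifier` fields a triage needs (the TBSCertificate signature OID and the SubjectPublicKeyInfo key OID) and groups certificates by family. It is not a full X.509 parser, and the certificates it runs on at the bottom are constructed, unsigned skeletons built only to exercise the code; point `classify_bundle` at a real PEM bundle to use it.

```python
"""Inventory X.509 certificates by signature algorithm and key type (stdlib only)."""
import base64
import re
from collections import defaultdict

# Standard OIDs for the algorithms mentioned in the thread (plus neighbours).
OID_NAMES = {
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.2.1": "id-ecPublicKey",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split a constructed element's content into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(raw):
    """Decode OID content bytes to dotted form (first arc < 2, enough for 1.2.x)."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def family(sig_name):
    if sig_name.startswith("ecdsa"):
        return "ECDSA"
    if sig_name.endswith("RSAEncryption"):
        return "RSA"
    return "unknown"


def classify(der):
    """Return signature algorithm, key algorithm and family for one DER certificate."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs, sig_alg, _sig = children(cert)[:3]
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:               # optional explicit [0] version
        fields = fields[1:]
    # serial(0) signature(1) issuer(2) validity(3) subject(4) subjectPublicKeyInfo(5)
    sig_oid = decode_oid(children(sig_alg[1])[0][1])
    spki_alg = children(fields[5][1])[0][1]
    key_oid = decode_oid(children(spki_alg)[0][1])
    sig_name = OID_NAMES.get(sig_oid, sig_oid)
    return {"signature": sig_name, "key": OID_NAMES.get(key_oid, key_oid),
            "family": family(sig_name)}


def pem_to_der(pem):
    return base64.b64decode("".join(re.sub(r"-----[^-]+-----", "", pem).split()))


def classify_bundle(text):
    """Classify every CERTIFICATE block in a PEM bundle, grouped by family."""
    groups = defaultdict(list)
    for block in re.findall(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", text, re.S):
        info = classify(pem_to_der(block))
        groups[info["family"]].append(info)
    return dict(groups)


# --- constructed test data: unsigned certificate skeletons, not real certs ---
def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def synthetic_cert(sig_oid, key_oid, key_len):
    alg = lambda oid: tlv(0x30, tlv(0x06, encode_oid(oid)))
    name = tlv(0x30, b"")                                      # empty Name
    validity = tlv(0x30, tlv(0x17, b"250101000000Z") * 2)
    spki = tlv(0x30, alg(key_oid) + tlv(0x03, b"\x00" + b"\x00" * key_len))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
              + alg(sig_oid) + name + validity + name + spki)
    return tlv(0x30, tbs + alg(sig_oid) + tlv(0x03, b"\x00\x00"))


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    bundle = to_pem(synthetic_cert("1.2.840.113549.1.1.11", "1.2.840.113549.1.1.1", 270)) \
        + to_pem(synthetic_cert("1.2.840.10045.4.3.4", "1.2.840.10045.2.1", 64))
    for fam, certs in classify_bundle(bundle).items():
        print(fam, [c["signature"] for c in certs])
```

Run against the bundle of allowed CAs (and, if available, a client certificate exported from the failing session's capture); a CA or leaf that lands in the `ECDSA` group while every working one is `RSA` is the data point the reply says is missing before opening the support ticket.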