Forum Discussion

Netztester
Dec 09, 2016

SSL Client Auth fails after first wrong Issuer - doesn't test following Issuers

Hi,

I have a problem with client certificate authentication. I think I found the problem, but still miss the answer. The situation is, there is a semi-public Trustcenter and I need to allow only clients with a valid client certificate. So I bundled all the Root and Intermediate Certificates into a chain file. But tests showed only SSL handshake failures:

Dec  9 10:25:23 f5-111 info tmm1[15991]: 01260013:6: SSL Handshake failed for TCP 10.40.1.83:40652 -> 10.30.1.213:443
Dec  9 10:25:24 f5-111 debug tmm1[15991]: 01260006:7: Peer cert verify error: ok (depth 1; cert /C=DE/O=ITSG TrustCenter fuer Arbeitgeber)
Dec  9 10:25:24 f5-111 debug tmm1[15991]: 01260006:7: Peer cert verify error: ok (depth 1; cert /C=DE/O=ITSG TrustCenter fuer Arbeitgeber)
Dec  9 10:25:24 f5-111 debug tmm1[15991]: 01260006:7: Peer cert verify error: certificate signature failure (depth 0; cert /C=DE/O=ITSG TrustCenter fuer Arbeitgeber/OU=Deutsche Rentenversicherung Bund/OU=BN66667777/CN=Tino Pfeil)
Dec  9 10:25:24 f5-111 debug tmm1[15991]: 01260009:7: Connection error: ssl_shim_vfycerterr:4249: certificate signature failure (42)
Dec  9 10:25:24 f5-111 info tmm1[15991]: 01260013:6: SSL Handshake failed for TCP 10.40.1.83:34058 -> 10.30.1.213:443

I tried it with openssl verify and got this error:

error 7 at 0 depth lookup:certificate signature failure
46953852812416:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:102:
46953852812416:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:944:
46953852812416:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:233:

The problem is, I think, that there are 3 root certificates and multiple intermediate certs with the same name and hash but different serials. If I change the order, so that the real issuer of the client is the first certificate, openssl verify gives "ok". When I put another intermediate with the same hash before the real issuer in the file, I get this error. So it seems the verify process fails because openssl checks the digital signature of the first matching issuer (by issuer_hash), and if it fails the process stops without checking if there might be another issuer with a valid digital signature. So how can I let the F5 check if any of the included intermediate certs is a valid one, and not let the process fail after the first wrong one?

I found a KB which could be the right one for my problem, but I need a downtime to update; currently installed is 11.6.0 HF8.
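An added diagnostic for the situation described above (not part of the original post, and not F5 code): instead of relying on the verifier to pick the right issuer out of several CA certificates that share one subject name, split the bundle and test each same-named candidate on its own as the trust anchor. The first candidate whose key actually verifies the client certificate's signature is the real issuer; the file names and the `find_signing_issuer` function are assumptions of this example, and it needs only the OpenSSL command-line tool (`-partial_chain` requires OpenSSL 1.0.2 or later).

```shell
#!/bin/sh
# find_signing_issuer CLIENT_PEM BUNDLE_PEM
# Splits BUNDLE_PEM into single certificates (in bundle order), keeps the
# ones whose subject DN equals the client certificate's issuer DN (the
# candidates that share a name and therefore a subject hash), and tries each
# one alone as the trust anchor. Prints the 1-based position in the bundle of
# the first candidate whose public key verifies the client cert's signature;
# prints nothing and returns 1 if no candidate signs it.
find_signing_issuer() {
    client="$1"; bundle="$2"
    tmp=$(mktemp -d) || return 2
    # one file per certificate: cand_1.pem, cand_2.pem, ... in bundle order
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++} {print > (d "/cand_" n ".pem")}' "$bundle"
    # issuer DN of the client cert, in a stable RFC 2253 form for comparison
    want=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$client" | sed 's/^issuer=//')
    i=1; found=""
    while [ -f "$tmp/cand_$i.pem" ]; do
        subj=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$tmp/cand_$i.pem" | sed 's/^subject=//')
        # only same-named candidates are worth a signature check; -partial_chain
        # lets an intermediate act as the trust anchor for this single test
        if [ "$subj" = "$want" ] &&
           openssl verify -partial_chain -CAfile "$tmp/cand_$i.pem" "$client" >/dev/null 2>&1; then
            found=$i
            break
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    [ -n "$found" ] && echo "$found"
}
```

Running it against the client certificate from the failing handshake and the full chain file tells you which of the same-named intermediates really signed it, so you can check that one's signature and serial rather than guessing at the bundle order.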
