Forum Discussion

Janez
Jan 23, 2020

SSL Handshake failed - client certificate authentication and also without certificate

Hello,

I have a question. We plan to migrate a web app which has 2 different types of authentication. One is without certificate and the second authentication is with certificate. I made a custom client SSL profile and it works only for the first solution (without certificate); with certificate it doesn't work. For server certification I use the default server profile (serverssl). I also tried to use the CCCD solution but I get the error: SSL Handshake failed for TCP X.X.X.X:4589 -> VIP:443 and the customer also has a problem with clients which didn't use a client certificate for authentication. I use one VIP and one pool member.

Any idea?

Thanks,

Janez

  • Hi,

    Could you share the configuration part of the client ssl profile in bigip.conf?

  • nathe

    Janez, the clientssl profile would be very useful, as would some clarifications on what you are trying to achieve. For example, are you looking for "client certificate authentication"? If so, have you configured the "client authentication" section of the clientssl profile? Does the application require the F5 to present a certificate to the application server? If so, you'd need to add the certificate in the "configuration" section. If the application needs to authenticate the client directly, then this setup might break that, and you would need to implement Proxy SSL. See ClientSSL Profile and ServerSSL Profile.

  • Janez

    Hello,

    Proxy SSL is a problem because the customer uses ECDHE or any ciphers with Perfect Forward Secrecy.

    Here is the client profile:

    ltm profile client-ssl /Common/client-SSL {
      app-service none
      ca-file /Common/Cert.crt
      cert /Common/Cert.crt
      cert-key-chain {
        Cert_chain {
          cert /Common/Cert.crt
          chain /Common/Cert_CA.crt
          key /Cert-Key.key
        }
      }
      chain /Common/Common/Cert_CA.crt
      cipher-group none
      ciphers DEFAULT
      defaults-from /Common/clientssl
      inherit-certkeychain false
      key /Common/Cert-Key.key
      passphrase none
      peer-cert-mode request
      ssl-c3d enabled
    }

    And the server profile:

    ltm profile server-ssl /Common/Server-SSL {
      app-service none
      c3d-ca-cert /Common/Cert.crt
      c3d-ca-key /Common/Cert-Key.key
      cert /Common/Cert.crt
      defaults-from /Common/serverssl
      key /Common/Cert-Key.key
      ssl-c3d enabled
    }

    Thanks and regards,

    Janez
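A client-side check for the situation in this thread, added here as an example (it is not from the thread or from F5): with the clientssl profile in peer-cert-mode request, the VIP should send a CertificateRequest listing the CA names from ca-file, and a handshake without a client certificate should still complete. The script runs `openssl s_client -state` twice against the VIP and reduces each capture to those facts; the HOST:PORT, CERT and KEY arguments of probe_vip are placeholders you supply, and write_sample is a constructed capture used only to show the parsing.

```shell
#!/bin/sh
# Added example, not from the thread: probe a BIG-IP VIP with `openssl s_client -state`
# (without, then with a client certificate) and reduce the output to: did the VIP send a
# CertificateRequest (peer-cert-mode request/require), which CA names it advertised (they
# should come from the profile's ca-file), any fatal alert, and the verify return code.
# HOST:PORT, CERT and KEY arguments are placeholders you supply.

# summarize_sclient FILE: one-line summary of captured "s_client -state" output
summarize_sclient() {
    certreq=no
    grep -q 'read server certificate request' "$1" && certreq=yes
    alert=$(sed -n 's/^SSL3 alert read:fatal:\(.*\)$/\1/p' "$1" | head -n 1)
    verify=$(sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1)
    cas=$(client_ca_names "$1" | wc -l | tr -d ' ')
    printf 'certreq=%s alert=%s verify=%s ca_names=%s\n' \
        "$certreq" "${alert:-none}" "${verify:-none}" "$cas"
}

# client_ca_names FILE: the CA DNs the server listed in its CertificateRequest
client_ca_names() {
    awk '/^Acceptable client certificate CA names/ {f=1; next}
         /^---/ || /^Client Certificate Types/ {f=0}
         f' "$1"
}

# probe_vip HOST:PORT CERT KEY: run both probes (needs network access to the VIP)
probe_vip() {
    tmp=$(mktemp)
    for args in "" "-cert $2 -key $3"; do
        label="no cert:"; [ -n "$args" ] && label="with cert:"
        # $args is left unquoted on purpose so it splits into separate options
        openssl s_client -connect "$1" -servername "${1%%:*}" -state $args </dev/null >"$tmp" 2>&1 || true
        printf '%-11s ' "$label"; summarize_sclient "$tmp"
    done
    rm -f "$tmp"
}
# write_sample FILE: constructed excerpt of -state output when the VIP requests a client
# certificate (peer-cert-mode request) and the client has none to present
write_sample() {
    cat >"$1" <<'EOF'
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:SSLv3/TLS read server certificate request
SSL_connect:SSLv3/TLS read server done
---
Acceptable client certificate CA names
C = SI, O = Example Org, CN = Example Client CA
---
    Verify return code: 21 (unable to verify the first certificate)
EOF
}
```

Run `probe_vip vip.example.com:443 client.crt client.key`; certreq=no on both probes means the profile is not asking for a certificate at all, while a fatal alert only on the "with cert" probe points at the CA names not matching the certificate presented. The parsed strings are those printed by OpenSSL 1.1.x and 3.x with -state; older releases label some lines differently.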