Forum Discussion
SSL Handshake failed | client certificate authentication
The server is rejecting the connection right after the client sends its certificate, which implies that the server is rejecting the client's certificate. The most likely cause here, given that browsers work, is that your Staging_NPS_Root does not contain the full PKI trust chain. Browsers will usually work if they have all of the CAs in the chain because they'll send these CAs (except for the self-signed root) in the handshake. Your web services may not be doing this. You can tell for sure by doing an ssldump capture on the client side traffic:
ssldump -AdNn -i [client side VLAN] port 443
In browser traffic you'll see the client send the client cert and at least one subordinate CA cert. To fix this, you can either add the missing subordinates to the Trusted Certificate Authorities bundle file on the F5, or to the web services clients (if they support sending the subCAs).
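The failure mode described in the answer above, reproduced with openssl as an added example (this script is not part of the original post and does not use anything from the asker's environment). It builds a constructed three-tier PKI in a temporary directory, then runs the same chain-building check the F5 performs against the Trusted Certificate Authorities bundle: first with a root-only bundle standing in for Staging_NPS_Root and a client that sends only its leaf (the web-service case), then with the same bundle but the subordinate CA supplied alongside the leaf (the browser case), and finally with the subordinate added to the bundle (the fix on the F5). It assumes `openssl` is on PATH; all certificate names are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the "client cert rejected
# because the subordinate CA is missing" condition with openssl and show both fixes.
# Assumes openssl is on PATH; every certificate below is constructed in a temp dir.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension files: a CA profile for the subordinate, an end-entity profile for the client
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > client.ext

# 1. Self-signed root, standing in for the question's Staging_NPS_Root (constructed)
openssl req -x509 -nodes -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
  -keyout root.key -out root.pem -subj "/CN=Constructed Staging Root" -days 2 >/dev/null 2>&1

# 2. Subordinate CA signed by the root
openssl req -new -nodes -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
  -keyout sub.key -out sub.csr -subj "/CN=Constructed Staging Sub CA" >/dev/null 2>&1
openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out sub.pem -days 2 -extfile ca.ext >/dev/null 2>&1

# 3. Client certificate issued by the subordinate
openssl req -new -nodes -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
  -keyout client.key -out client.csr -subj "/CN=constructed-web-service-client" >/dev/null 2>&1
openssl x509 -req -in client.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
  -out client.pem -days 2 -extfile client.ext >/dev/null 2>&1

# Two candidate "Trusted Certificate Authorities" bundles for the client-ssl profile
cp root.pem bundle_root_only.pem          # root only: what a bare Staging_NPS_Root looks like
cat root.pem sub.pem > bundle_full.pem    # root plus the subordinate that was missing

# Returns 0 when client.pem chains to the trusted bundle in $1. An optional $2 names
# extra untrusted certs offered with the leaf, i.e. what a browser sends in the handshake.
verify_client() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" client.pem >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" client.pem >/dev/null 2>&1
  fi
}

# Print one line per scenario so the three outcomes can be compared side by side
report() {
  if verify_client "$2" "$3"; then echo "$1: chain OK"; else echo "$1: REJECTED"; fi
}

report "root-only bundle, client sends leaf only   (web service)" bundle_root_only.pem
report "root-only bundle, client also sends sub CA (browser)    " bundle_root_only.pem sub.pem
report "full bundle,      client sends leaf only   (fix on F5)  " bundle_full.pem
```

The first line is the rejected web-service handshake, the second is why browsers succeed against the same bundle, and the third is the bundle change the answer recommends. Running `openssl verify` without the `>/dev/null` redirect prints the underlying reason for the first case, an "unable to get local issuer certificate" error at depth 0, which is the same chain-building failure the F5 reports as a handshake failure.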