ssl_shim_vfycerterr:4539: application verification failure
I assume that your client cert is not suitable for client authentication, i.e. that cert usage is missing from the cert. You might have a non-repudiation-only client cert.
- am_gli, Aug 13, 2018, Altostratus
Thanks for the reply, the issue was resolved a few months ago but I forgot to update it here.
After some in-depth troubleshooting together with the support, we figured out that the issue was the "Signature Hash Algorithm".
In 11.5.3 the proposed algorithms were SHA1 (0x201-0x203), SHA2-256 (0x401-0x403) and SHA2-384 (0x501-0x503), in that order. The browser accepted the first proposed one (SHA1), proceeded properly to talk to the middleware and presented the client certificate.
With 12.1.2, the default list of the algorithms changed: now SHA256/384/512 were all placed first and SHA1 came last. The browser negotiated SHA256 as the algorithm to use and talked to the middleware, but the middleware said that this is not supported with the SHA-1 cards and didn't provide the certificate for the authentication.
Unfortunately neither the browser nor the middleware came up with a proper error message...
After figuring that out, we manually forced SHA1 as the only algorithm to use, now it works with both smartcard types.
- Andras_Kis-Szab, Aug 13, 2018, Nimbostratus
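As an added illustration (not code from the thread or from F5), here is a small Python model of the negotiation the post describes: it decodes the SignatureAndHashAlgorithm codes quoted above, parses the list as it is carried in a TLS 1.2 CertificateRequest, and shows which hash a client ends up with under each server ordering. The byte strings are constructed from the post's description rather than captured from the devices, and the exact 12.1.2 ordering beyond "SHA256/384/512 first, SHA1 last" is an assumption.

```python
from __future__ import annotations

# Hash and signature identifiers of TLS 1.2 SignatureAndHashAlgorithm
# (RFC 5246, section 7.4.1.4.1): high byte = hash, low byte = signature.
HASH = {1: "MD5", 2: "SHA1", 3: "SHA224", 4: "SHA256", 5: "SHA384", 6: "SHA512"}
SIG = {1: "RSA", 2: "DSA", 3: "ECDSA"}

def decode(code: int) -> tuple[str, str]:
    """0x0201 -> ('SHA1', 'RSA'), 0x0503 -> ('SHA384', 'ECDSA')."""
    return HASH[code >> 8], SIG[code & 0xFF]

def parse_sig_algs(raw: bytes) -> list[int]:
    """Parse the supported_signature_algorithms field of a CertificateRequest:
    a 2-byte big-endian length followed by 2-byte entries."""
    length = int.from_bytes(raw[:2], "big")
    body = raw[2:2 + length]
    if len(body) != length or length % 2:
        raise ValueError("truncated or odd-length signature_algorithms list")
    return [int.from_bytes(body[i:i + 2], "big") for i in range(0, length, 2)]

def negotiate(server_list: list[int], card_hashes: set[str]) -> tuple[str | None, bool]:
    """Model of the behaviour described in the thread: the browser takes the
    first RSA entry the server lists, then asks the smartcard middleware to
    sign with that hash. Returns (chosen hash, whether the card can sign)."""
    for code in server_list:
        hash_name, sig_name = decode(code)
        if sig_name == "RSA":
            return hash_name, hash_name in card_hashes
    return None, False

# Constructed CertificateRequest fragments (not captures from the F5 devices):
# the 11.5.3 ordering quoted in the thread, an assumed 12.1.2 ordering
# (SHA256/384/512 first, SHA1 last), and the forced SHA1-only list.
LIST_11_5_3 = bytes.fromhex("0012" "020102020203" "040104020403" "050105020503")
LIST_12_1_2 = bytes.fromhex("0018" "040104020403" "050105020503"
                            "060106020603" "020102020203")
LIST_SHA1_ONLY = bytes.fromhex("0006" "020102020203")

SHA1_CARD = {"SHA1"}            # legacy smartcard that signs SHA-1 digests only
SHA2_CARD = {"SHA1", "SHA256"}  # newer card that also handles SHA-256

if __name__ == "__main__":
    for name, raw in [("11.5.3", LIST_11_5_3), ("12.1.2", LIST_12_1_2), ("forced SHA1", LIST_SHA1_ONLY)]:
        algs = parse_sig_algs(raw)
        print(name, [decode(c) for c in algs])
        for card, hashes in [("SHA-1 card", SHA1_CARD), ("SHA-2 card", SHA2_CARD)]:
            chosen, ok = negotiate(algs, hashes)
            print(f"  {card}: browser picks {chosen}, card {'signs' if ok else 'refuses'}")
```

Running it shows the 12.1.2 ordering steering the browser to SHA256, which the SHA-1-only card cannot sign, while the 11.5.3 and forced SHA1 lists succeed with both cards.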
Oh, this issue has had a KB article since then. I'll try to downgrade as well. The default is still any at 13.1.