Forum Discussion
ssl_shim_vfycerterr:4539: application verification failure
I assume that your client cert is not suitable for client authentication, that cert usage is missing from the cert. You might have a non-reputation only client cert.
- am_gliAug 13, 2018Altostratus
Thanks for the reply, the issue was resolved a few months ago but I forgot to update it here.
After some in-depth troubleshooting together with the support, we figured out that the issue was the "Signature Hash Algorithm".
In 11.5.3 the proposed algorithms were SHA1 (0x201-0x203) SHA2-256 (0x401-0x403) and SHA2-384 (0x501-503) - in that order. Browser accepted the first proposed one (SHA1) and proceeded properly to talk to the middleware and presented the client certificate.
With 12.1.2, the default list of the Algorithms changed - now SHA256/384/512 were all placed first and SHA1 came last. The browser negotiated SHA256 as the algorithm to use, talked to the middleware, but middleware said that this is not supported with the SHA-1 cards and didn't provide the certificate for the authentication.
Unfortunately neither the browser, nor the middleware came up with a proper error message...
After figuring that out, we manually forced SHA1 as the only algorithm to use, now it works with both smartcard types.
- Andras_Kis-Sza1Aug 13, 2018Nimbostratus
Oh, this issue has a kb article since that. I'll try to downgrade as well. The default is still any at 13.1.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com