Forum Discussion

am_gli_287451's avatar
am_gli_287451
Icon for Nimbostratus rankNimbostratus
Dec 07, 2017

ssl_shim_vfycerterr:4539: application verification failure

Hi, after the Announcement regarding RSA vulnerability two weeks ago, we updated one of our BigIP from 11.5.3 to 12.1.2 HF2. We still have another F5 with 11.5.3 and the same application in place. ...
application delivery
client certificate
iRules
LTM
sha1
Andras_Kis-Szab's avatar
Andras_Kis-Szab
Icon for Nimbostratus rankNimbostratus

I assume that your client cert is not suitable for client authentication, that cert usage is missing from the cert. You might have a non-reputation only client cert.

 

am_gli's avatar
am_gli
Icon for Altostratus rankAltostratus
Aug 13, 2018

Thanks for the reply, the issue was resolved a few months ago but I forgot to update it here.

 

After some in-depth troubleshooting together with the support, we figured out that the issue was the "Signature Hash Algorithm".

 

In 11.5.3 the proposed algorithms were SHA1 (0x201-0x203) SHA2-256 (0x401-0x403) and SHA2-384 (0x501-503) - in that order. Browser accepted the first proposed one (SHA1) and proceeded properly to talk to the middleware and presented the client certificate.

 

With 12.1.2, the default list of the Algorithms changed - now SHA256/384/512 were all placed first and SHA1 came last. The browser negotiated SHA256 as the algorithm to use, talked to the middleware, but middleware said that this is not supported with the SHA-1 cards and didn't provide the certificate for the authentication.

 

Unfortunately neither the browser, nor the middleware came up with a proper error message...

 

After figuring that out, we manually forced SHA1 as the only algorithm to use, now it works with both smartcard types.