Forum Discussion

djohnson0753_19 (Nimbostratus)
Mar 20, 2015

Problems implementing 2Way SSL

Hello everyone! I've been tasked to implement 2Way SSL on our F5 and am running into a snag. I will try to explain the best that I can (I'm not an F5 expert...you know the drill).

I'm dealing with two certs (Client supplied and Site cert), and for testing this exercise I created an internal company cert to act as the cert supplied by the third party (Client cert).

I have an SSL Client profile created with the following: Site Cert (our site) + Chain (VeriSign); Client Authentication enabled with Client Certificate = Required, Frequency = Once, Advertised Certificate Authorities = Certificate bundle with Client Cert, CA, and private key.

The SSL Server profile = ServerSSL

To test I loaded the client cert in my User personal store, and the CA in the Intermediate and Trusted stores.

When I test in both Chrome and IE I connect to the site and am then prompted for a client certificate. Since I have Advertised configured I'm only prompted for the Client cert in the bundle, which is expected. I select the Client certificate and then receive SSL Connection Error - ERR_SSL_PROTOCOL_ERROR in Chrome, and in IE I receive an IE message that I need to enable TLS1.0, TLS1.1, TLS1.2. Odd.....

I ran several traces in Wireshark and I can see the Client/Server handshakes on the Site cert, and then the Client cert, but then receive HandshakeFailure (40). I also notice that the negotiation starts with TLS1.2 and then downgrades to TLS1.0, but I still see the same HandshakeFailure for each protocol.

If I use Request on Client Authentication I'm prompted for the cert and then allowed to continue to the site, but this is not the required behavior from the vendor. I have to use Required on Client Certificate. I tried an iRule that I found but received Page Cannot be displayed.

Any help is appreciated. You know how 2Way SSL is....you read 5 or 6 articles and everyone seems to have their own spin on implementing, ha.


1 Reply

  • The issue I found to be in Trusted Certificate Authorities. We used a self-signed test certificate and I had to create a bundle with the site CA and the client cert CA and add it to that field.
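The reply above comes down to one check: the client certificate must chain to a CA that is present in the bundle the BIG-IP actually validates against (Trusted Certificate Authorities), not merely in the list it advertises in the CertificateRequest. The script below is an added example, not code from this thread or from F5, that reproduces that check offline with openssl: it builds a throwaway site CA, a separate client CA and a client certificate signed by it (all names, paths and the `$WORK` directory are constructed), assembles a site-CA-only bundle and a combined bundle, and verifies the client certificate against each. Running the same `openssl verify` against the PEM bundle you intend to upload is a cheap way to confirm the fix before touching the profile.

```shell
#!/bin/sh
# Added example (not from the original thread or from F5). Demonstrates that a
# client certificate only verifies when its issuing CA is in the trusted bundle.
# Every CA/cert name and the $WORK path are constructed for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_ca NAME : self-signed test CA (stands in for the real site or client CA)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# make_leaf NAME CA : leaf certificate for NAME, signed by the test CA named CA
make_leaf() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$1.csr" \
        -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
        -out "$WORK/$1.crt" 2>/dev/null
}

# build_bundle OUT CA... : concatenate CA certificates into one PEM bundle,
# the same shape as the file uploaded for Trusted Certificate Authorities
build_bundle() {
    out="$1"; shift
    : > "$out"
    for ca in "$@"; do
        cat "$WORK/$ca.crt" >> "$out"
    done
}

# verify_client BUNDLE LEAF : exit 0 if LEAF chains to a CA in BUNDLE, else 1
verify_client() {
    openssl verify -CAfile "$1" "$WORK/$2.crt" >/dev/null 2>&1
}

# setup : create the test PKI and both candidate bundles
setup() {
    make_ca site-ca
    make_ca client-ca
    make_leaf client-cert client-ca
    build_bundle "$WORK/site-only.pem" site-ca            # what caused the failure
    build_bundle "$WORK/trusted.pem"   site-ca client-ca  # the fix from the reply
}

setup
if verify_client "$WORK/trusted.pem" client-cert; then
    echo "site CA + client CA bundle: client certificate verifies"
fi
if ! verify_client "$WORK/site-only.pem" client-cert; then
    echo "site CA only bundle: client certificate rejected (handshake failure in the thread)"
fi
```

The BIG-IP behaves the same way as the second case: with Client Certificate set to Required, a client certificate that does not chain to anything in the trusted bundle is rejected during the handshake, which the browser surfaces as a generic protocol error rather than a useful message. The advertised list only controls which certificates the browser offers; it is not consulted for validation.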