Forum Discussion

Janez's avatar
Janez
Icon for Nimbostratus rankNimbostratus
Jan 23, 2020

SSL Handshake failed - client certificate authentication and also without certificate

Hello,

 

I have question. We have plan to migrate web app which have 2 different type authentication. One is with without cerificate and secont autentication is with certificate. I did custom client SSL profile and work only for first solution (without certificate) and with certificate it doesn't works. For server certification I use default server profile (server ssl). I also try to use CCCD solution but I get error: SSL Handshake failed for TCP X.X.X.X:4589 -> VIP:443 and customer has also problem with client which didn't use client certificate for authentication. I use one VIP and one pool member.

 

Any idea?

 

Thanks,

 

Janez

3 Replies

  • Hi,

     

    Could you share configuration part of client ssl profile in bigip.conf ?

  • nathe's avatar
    nathe
    Icon for Cirrocumulus rankCirrocumulus

    Janez, the clientssl profile would be very useful, as would be some clarifications on what you are trying to achieve. For example, are you looking for "client certificate authentication" if so have you configured the "client authentication" section of the clientssl profile? Does the application require the f5 to present a certificate to the application server, if so you'd need to add the Certificate in the "configuration" section. If the application needs to authenticate the client directly, then this setup might break that, and you would need to implement Proxy SSL. See ClientSSL Profile and ServerSSL Profile

  • Janez's avatar
    Janez
    Icon for Nimbostratus rankNimbostratus

    Hello,

     

    Proxy SSL is problem because customer use ECDHE or any ciphers with Perfect Forward Secrecy.

     

    Here is client profile:

     

    ltm profile client-ssl /Common/client-SSL {

      app-service none

      ca-file /Common/Cert.crt

      cert /Common/Cert.crt

      cert-key-chain {

        Cert_chain {

          cert /Common/Cert.crt

          chain /Common/Cert_CA.crt

          key /Cert-Key.key

        }

      }

      chain /Common/Common/Cert_CA.crt

      cipher-group none

      ciphers DEFAULT

      defaults-from /Common/clientssl

      inherit-certkeychain false

      key /Common/Cert-Key.key

      passphrase none

      peer-cert-mode request

      ssl-c3d enabled

    }

     

    And Server profile:

     

    ltm profile server-ssl /Common/Server-SSL {

      app-service none

      c3d-ca-cert /Common/Cert.crt

      c3d-ca-key /Common/Cert-Key.key

      cert /Common/Cert.crt

      defaults-from /Common/serverssl

      key /Common/Cert-Key.key

      ssl-c3d enabled

     

    Thanks and regards,

    Janez