Forum Discussion
Same problem here. On-Demand Certificate Authentication no longer works with the latest Chrome or Firefox. With Chrome, the problem started after updating to version 33.0.1750.117. I think the security fix for CVE-2013-6659 is the root cause of this problem:
"The SSLClientSocketNSS::Core::OwnAuthCertHandler function in net/socket/ssl_client_socket_nss.cc in Google Chrome before 33.0.1750.117 does not prevent changes to server X.509 certificates during renegotiations, which allows remote SSL servers to trigger use of a new certificate chain, inconsistent with the user's expectations, by initiating a TLS renegotiation."
That's exactly what's happening here with the Virtual Server that has a certificate from a public CA and a Trusted Root chain from a private CA for Client Certificate Authentication.
At least it definitely has something to do with TLS 1.2, because disabling it in the ClientSSL profile "fixes" the problem. Any help?