Forum Discussion

Bryan_90908
Jan 21, 2011

Client Side SSL Authentication

Greetings all, I'm trying to add client side authentication to a specific VIP on our BIG-IP running 9.4.8 code. I have a server side wildcard certificate signed by DigiCert and the client side host certificate signed by VeriSign. When I disable "require client side cert" and set it to request, the transactions succeed. However, when I enable "require client side cert" I get SSL negotiation issues. OpenSSL shows the following:

openssl s_client -connect host.myurl.com:443 -CAfile digicert-ca.crt -cert mycert.crt -key mycert.key -state -msg

SSL_connect:SSLv3 write client key exchange A
>>> TLS 1.0 Handshake [length 0106], CertificateVerify
0f 00 01 02 01 00 60 96 58 ad fb e2 5a b9 d1 6d
cf 96 98 3b c2 9b 66 59 ad 64 91 1e e2 ec f5 9f
ef 66 1b b5 7f 35 d3 0c 8f be f0 bd 4f 7f 20 08
fc 9e d5 2b 46 b3 f2 02 ef dc 7f b5 ae ee 97 bf
2d d5 72 4d 59 df 88 c9 1f 92 b2 49 db a1 21 37
7a 50 0a e4 b7 7a e6 76 f4 b2 e6 33 1e e7 74 8e
e8 24 f0 ab 5a 5b dc 2b d3 8a 8e 3b 2d 53 64 94
14 7f 52 2c 5c 33 5d a5 ff 21 58 f1 4c a2 6c 0c
47 b8 21 8f 89 fa ca 50 f3 cc b9 ea c1 a5 df ce
f7 67 fe 1c e0 01 15 8f 5f cc 46 41 e1 86 65 46
79 36 fd 4f eb bb d0 6b 34 36 2d f9 6a 42 6c 1a
27 57 59 b1 dd 02 91 8b 08 2b 65 dd b0 2d c4 88
bb 45 34 41 93 15 db 97 41 41 82 73 80 a6 4a 95
20 f4 5f dd a2 cf 4a 6e 47 79 46 e1 31 18 64 a3
7b 35 63 11 c6 0a 0e c5 46 92 12 9a cf 44 de 9b
8d ca 4b b5 b8 41 4c c9 34 91 01 21 c8 00 55 5c
7d d5 11 da b9 42
SSL_connect:SSLv3 write certificate verify A
>>> TLS 1.0 ChangeCipherSpec [length 0001]
01
SSL_connect:SSLv3 write change cipher spec A
>>> TLS 1.0 Handshake [length 0010], Finished
14 00 00 0c 3e d1 4a 70 5d 5e d8 1f 9c df 1b 4c
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:failed in SSLv3 read finished A
11373:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:


Here is the config I have:

virtual SSL_host.myurl.com {
   pool partnerservices-stg
   destination 192.168.96.87:https
   ip protocol tcp
   rules SSL_Subject_Header_Insert
   profiles
      Header_Insert
      myurl.com
      tcp
}

profile clientssl myurl.com {
   defaults from clientssl
   key "wildcard-myurl.com-Jan-2014.key"
   cert "wildcard-myurl.com-Jan-2014.crt"
   chain "digicert-ca2.crt"
   ca file "new-verisign-ca.crt"
   crl file none
   client cert ca "digicert-ca2.crt"
   options none
   peer cert mode require
}


Any help is greatly appreciated.
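The `-state -msg` trace quoted above can be read mechanically rather than by eye. The following Python is an added example, not code from the post, from F5 or from OpenSSL: it parses the `>>>`/`<<<` record headers and the hex dump lines that `openssl s_client -msg` prints (the TRACE constant is the excerpt from the post), checks each dump against the declared record length, and decodes the 4-byte handshake header. On this trace it shows that the client sent a CertificateVerify whose body is a 256-byte signature (a 2048-bit RSA key), then ChangeCipherSpec and Finished, and that the connection failed at "read finished", i.e. while the client was waiting for the server's Finished. The handshake type codes are from RFC 5246; the header regex assumes the `-msg` line format shown in the post.

```python
"""Decode the handshake records in an `openssl s_client -state -msg` trace.

Added example (not from the post or from F5). Record and handshake layouts
follow RFC 5246; TRACE is the client-side excerpt quoted in the post.
"""
import re
from dataclasses import dataclass

# TLS handshake message type codes (RFC 5246, section 7.4).
HANDSHAKE_TYPES = {
    1: "ClientHello", 2: "ServerHello", 11: "Certificate",
    12: "ServerKeyExchange", 13: "CertificateRequest", 14: "ServerHelloDone",
    15: "CertificateVerify", 16: "ClientKeyExchange", 20: "Finished",
}

# Excerpt of the s_client output from the post; '>>>' = written by the client.
TRACE = """
SSL_connect:SSLv3 write client key exchange A
>>> TLS 1.0 Handshake [length 0106], CertificateVerify
0f 00 01 02 01 00 60 96 58 ad fb e2 5a b9 d1 6d
cf 96 98 3b c2 9b 66 59 ad 64 91 1e e2 ec f5 9f
ef 66 1b b5 7f 35 d3 0c 8f be f0 bd 4f 7f 20 08
fc 9e d5 2b 46 b3 f2 02 ef dc 7f b5 ae ee 97 bf
2d d5 72 4d 59 df 88 c9 1f 92 b2 49 db a1 21 37
7a 50 0a e4 b7 7a e6 76 f4 b2 e6 33 1e e7 74 8e
e8 24 f0 ab 5a 5b dc 2b d3 8a 8e 3b 2d 53 64 94
14 7f 52 2c 5c 33 5d a5 ff 21 58 f1 4c a2 6c 0c
47 b8 21 8f 89 fa ca 50 f3 cc b9 ea c1 a5 df ce
f7 67 fe 1c e0 01 15 8f 5f cc 46 41 e1 86 65 46
79 36 fd 4f eb bb d0 6b 34 36 2d f9 6a 42 6c 1a
27 57 59 b1 dd 02 91 8b 08 2b 65 dd b0 2d c4 88
bb 45 34 41 93 15 db 97 41 41 82 73 80 a6 4a 95
20 f4 5f dd a2 cf 4a 6e 47 79 46 e1 31 18 64 a3
7b 35 63 11 c6 0a 0e c5 46 92 12 9a cf 44 de 9b
8d ca 4b b5 b8 41 4c c9 34 91 01 21 c8 00 55 5c
7d d5 11 da b9 42
SSL_connect:SSLv3 write certificate verify A
>>> TLS 1.0 ChangeCipherSpec [length 0001]
01
SSL_connect:SSLv3 write change cipher spec A
>>> TLS 1.0 Handshake [length 0010], Finished
14 00 00 0c 3e d1 4a 70 5d 5e d8 1f 9c df 1b 4c
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:failed in SSLv3 read finished A
"""

# e.g. '>>> TLS 1.0 Handshake [length 0106], CertificateVerify'
HEADER_RE = re.compile(
    r"^(>>>|<<<) TLS (\S+) (\w+) \[length ([0-9a-f]{4})\](?:, (\w+))?$")
HEX_RE = re.compile(r"^(?:[0-9a-f]{2}(?: |$))+$")
FAIL_RE = re.compile(r"^SSL_connect:failed in (.+)$")


@dataclass
class Record:
    direction: str      # ">>>" written by the client, "<<<" read from the server
    content_type: str   # Handshake, ChangeCipherSpec, Alert, ...
    declared_len: int   # value of the '[length xxxx]' field
    label: str          # handshake message name, or the content type
    payload: bytes = b""

    def length_ok(self) -> bool:
        return len(self.payload) == self.declared_len


def parse_trace(text: str) -> list:
    """Group the hex dump lines under their '>>>'/'<<<' record headers."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            direction, _ver, ctype, length_hex, label = m.groups()
            current = Record(direction, ctype, int(length_hex, 16), label or ctype)
            records.append(current)
        elif current is not None and HEX_RE.match(line):
            current.payload += bytes.fromhex(line.replace(" ", ""))
        else:
            current = None   # a status line ends the previous record's dump
    return records


def decode_handshake(rec: Record) -> dict:
    """Read the 4-byte handshake header; for CertificateVerify also the signature length."""
    body = rec.payload
    msg_type, msg_len = body[0], int.from_bytes(body[1:4], "big")
    info = {"type": HANDSHAKE_TYPES.get(msg_type, str(msg_type)), "body_len": msg_len}
    if msg_type == 15:
        # TLS 1.0 CertificateVerify: 2-byte signature length, then the signature.
        sig_len = int.from_bytes(body[4:6], "big")
        info["signature_len"] = sig_len
        info["rsa_key_bits"] = sig_len * 8   # an RSA signature is modulus-sized
    return info


def summarize(text: str) -> dict:
    """What each side sent, whether dumps match their headers, and where it failed."""
    records = parse_trace(text)
    fails = [FAIL_RE.match(l.strip()) for l in text.splitlines()]
    failed_at = next((m.group(1) for m in fails if m), None)
    return {
        "sent": [r.label for r in records if r.direction == ">>>"],
        "received": [r.label for r in records if r.direction == "<<<"],
        "lengths_ok": all(r.length_ok() for r in records),
        "failed_at": failed_at,
    }


if __name__ == "__main__":
    for rec in parse_trace(TRACE):
        if rec.content_type == "Handshake":
            print(rec.direction, decode_handshake(rec))
    print(summarize(TRACE))
```

Because the excerpt contains no `<<<` record after the client's Finished, the trace alone does not show whether the LTM sent an alert before closing; a capture on the LTM side (the ssldump approach suggested in the reply) is what would show that.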

 

 

 

1 Reply

  • It looks like you have the client SSL profile set correctly to use the wildcard-myurl.com cert to establish the SSL handshake and advertise the digicert CA cert for the client cert request.

    Can you run ssldump on LTM and check the output for more debug information?

    sol10209: Overview of packet tracing with the ssldump utility
    http://support.f5.com/kb/en-us/solutions/public/10000/200/sol10209.html

    Aaron