Xavier_Gillmann
Sep 15, 2005 (Nimbostratus)
Certs chains and authenticate depth...
Hi everybody,
I'm currently encountering problems with (client) certificate validation: when the client registers the whole certificate chain in its browser, the browser (at least IE) submits the whole chain when negotiating with BigIP... which seems to provoke a validation failure on BigIP
... well, at least this is how I understand the following logs
Code:
when CLIENTSSL_CLIENTCERT {
    # Log how many certificates the client presented and the overall verify result
    log LOCAL0.debug "nbr certs: [SSL::cert count] verifyResult: [SSL::verify_result] // [X509::verify_cert_error_string [SSL::verify_result]]"
    # Log the subject of every certificate in the presented chain
    set i 0
    while {$i < [SSL::cert count]} {
        log LOCAL0.debug "[X509::subject [SSL::cert $i]]"
        incr i
    }
}
Log:
Sep 15 11:30:40 tmm tmm[716]: 01260014:4: Peer cert verify error: unsupported certificate purpose (depth 0; cert /O=...(the Root CA)...)
Sep 15 11:30:40 tmm tmm[716]: Rule sslSymDEV : nbr certs: 3 verifyResult: 26 // unsupported certificate purpose
Sep 15 11:30:40 tmm tmm[716]: Rule sslSymDEV : /C=...(my cert)...
Sep 15 11:30:40 tmm tmm[716]: Rule sslSymDEV : /C=...(the signing CA)
Sep 15 11:30:40 tmm tmm[716]: Rule sslSymDEV : /O=...(the Root)
Of course, when my client does not register the whole chain, the only submitted certificate is its own... and the verification goes right (as that one can be used for authentication)...
Log:
Sep 15 11:46:14 tmm tmm[716]: Rule sslSymDEV : nbr certs: 1 verifyResult: 0 // ok
Sep 15 11:46:14 tmm tmm[716]: Rule sslSymDEV : /C=... (my cert) ...
I tried to set the authenticate depth... but it does not seem to have any effect.
Does anybody have an idea of what I could do wrong?
Thanks in advance,
Xavier
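The log above reports error 26 ("unsupported certificate purpose") at depth 0 for the Root CA, i.e. the verifier applied the end-entity purpose check to the root. The following is an added example, not part of the original post or of BIG-IP: a small Python model of the per-depth "SSL client" purpose check that an OpenSSL-based verifier performs (depth 0 must be usable for client authentication, every deeper certificate must be a CA). Certificates are plain dicts with constructed subject names and extension values, not real X.509 objects; the rule set is a simplification of OpenSSL's sslclient purpose check and the numeric code 26 is OpenSSL's X509_V_ERR_INVALID_PURPOSE.

```python
"""Model of the per-depth certificate purpose check for client authentication.

Certificates are constructed sample dicts:
  subject, issuer : distinguished-name strings
  ca              : basicConstraints CA flag
  ku              : keyUsage bits present (empty list = extension absent)
  eku             : extendedKeyUsage OIDs present (empty list = extension absent)
"""
from typing import Dict, List, Optional, Tuple

X509_V_OK = 0
X509_V_ERR_INVALID_PURPOSE = 26  # "unsupported certificate purpose"

Cert = Dict[str, object]

# Constructed sample chain, leaf first (the order the page's iRule logged it in).
SAMPLE_CHAIN: List[Cert] = [
    {"subject": "/C=XX/CN=client", "issuer": "/C=XX/CN=signing-ca",
     "ca": False, "ku": ["digitalSignature"], "eku": ["clientAuth"]},
    {"subject": "/C=XX/CN=signing-ca", "issuer": "/O=root-ca",
     "ca": True, "ku": ["keyCertSign", "cRLSign"], "eku": []},
    {"subject": "/O=root-ca", "issuer": "/O=root-ca",
     "ca": True, "ku": ["keyCertSign", "cRLSign"], "eku": []},
]


def usable_as_client_leaf(cert: Cert) -> bool:
    """Depth-0 rule: if keyUsage is present it must allow signing or key
    agreement; if extendedKeyUsage is present it must include clientAuth."""
    ku, eku = cert["ku"], cert["eku"]
    ku_ok = not ku or ("digitalSignature" in ku or "keyAgreement" in ku)
    eku_ok = not eku or "clientAuth" in eku
    return ku_ok and eku_ok


def usable_as_ca(cert: Cert) -> bool:
    """Depth>0 rule: basicConstraints CA:TRUE and, if keyUsage is present, keyCertSign."""
    return bool(cert["ca"]) and (not cert["ku"] or "keyCertSign" in cert["ku"])


def check_client_purpose(chain: List[Cert]) -> Tuple[int, Optional[int], Optional[str]]:
    """Walk the chain as given (index == depth) and return
    (error_code, failing_depth, failing_subject); (0, None, None) on success."""
    for depth, cert in enumerate(chain):
        ok = usable_as_client_leaf(cert) if depth == 0 else usable_as_ca(cert)
        if not ok:
            return X509_V_ERR_INVALID_PURPOSE, depth, str(cert["subject"])
    return X509_V_OK, None, None


def order_leaf_to_root(certs: List[Cert]) -> List[Cert]:
    """Reorder a presented chain so the end-entity is at depth 0: the leaf is
    the certificate whose subject no other certificate names as its issuer."""
    by_subject = {c["subject"]: c for c in certs}
    named_as_issuer = {c["issuer"] for c in certs if c["issuer"] != c["subject"]}
    leaves = [c for c in certs if c["subject"] not in named_as_issuer]
    if len(leaves) != 1:
        raise ValueError("presented chain does not contain exactly one leaf")
    ordered = [leaves[0]]
    while ordered[-1]["issuer"] != ordered[-1]["subject"]:
        parent = by_subject.get(ordered[-1]["issuer"])
        if parent is None:
            break  # issuer not presented; a trust store would have to supply it
        ordered.append(parent)
    return ordered


if __name__ == "__main__":
    # Root-first presentation reproduces the page's symptom: error 26 at depth 0 for the root.
    print(check_client_purpose(list(reversed(SAMPLE_CHAIN))))
    # Re-ordering leaf-first makes the same certificates pass the purpose check.
    print(check_client_purpose(order_leaf_to_root(list(reversed(SAMPLE_CHAIN)))))
```

Running the block shows that the same three certificates fail with code 26 at depth 0 naming the root when the root is treated as the end-entity, and pass once the leaf is at depth 0. When reading a "depth 0" purpose error whose subject is a CA, the first thing to check is therefore which certificate the verifier took as the end-entity, before adjusting the authenticate depth.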