Mohanad_313515
Sep 23, 2018

SSL Handshake failed | client certificate authentication

Hi all

I'm trying to implement client certificate authentication for a web service, but I'm getting some errors. However, it's working from browsers using the correct client certificate.

Sep 23 15:02:56 warning tmm[17705]: 01260009:4: Connection error: ssl_shim_vfycerterr:4786: application verification failure (46)

Sep 23 15:02:56 info tmm[17705]: 01260013:6: SSL Handshake failed for TCP 192.168.100.229:53735 -> 10.232.16.35:443

2 Replies

  • The server is rejecting the connection right after the client sends its certificate, which implies that the server is rejecting the client's certificate. The most likely cause here, given that browsers work, is that your Staging_NPS_Root does not contain the full PKI trust chain. Browsers will usually work if they have all of the CAs in the chain because they'll send these CAs (except for the self-signed root) in the handshake. Your web services may not be doing this. You can tell for sure by doing an ssldump capture on the client side traffic:

    ssldump -AdNn -i [client side VLAN] port 443
    

    In browser traffic you'll see the client send the client cert and at least one subordinate CA cert. To fix then, you can either add the missing subordinates to the Trusted Certificate Authorities bundle file on the F5, or to the web services clients (if they support sending the subCAs).

  • Right, so do you see where the server rejects the connection right after the client sends its certificate? That almost always implies that the server is rejecting the client cert for validation reasons. You'll also get a much better look at this in wireshark. Use tcpdump to capture separate browser and web services sessions and compare them:

    tcpdump -lnni [client side vlan] -vvvXs0 -w [file.pcap]
    

    In the wireshark capture, look at this same client Certificate message. What you're likely to see is the client sending its cert and at least one subordinate CA cert. You shouldn't see this in the web services capture. In any case, if your client side PKI is based on multiple levels of CA issuance, example:

    root CA -> sub CA -> sub-sub CA -> client cert
    

    Then you'll need ALL of these CA certs in the bundle that you create for the Trusted Certificate Authorities option. A bundle is a simple text file with the PEM-formatted certs one after the other.

    -----BEGIN CERTIFICATE-----
    stuff...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    stuff...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    stuff...
    -----END CERTIFICATE-----
    

    The server (BIG-IP) must be able to validate trust in the client's certificate, so needs the entire client side PKI CA chain.
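The "browsers work, the web service does not" pattern described in both replies can be reproduced offline with openssl. This is an added example, not code from the thread or from F5; it assumes openssl is installed, and every name in it (demo-root, demo-sub, demo-client, the bundle file names) is a constructed throwaway.

```shell
#!/bin/sh
# Build a constructed three-level PKI: root CA -> sub CA -> client cert,
# then verify the client cert the way BIG-IP would, with and without the
# sub CA available. Keys and names are throwaway test material.
set -u
WORK=$(mktemp -d)

make_pki() (
  cd "$WORK" || exit 1
  # Self-signed root CA (the only cert many people put in the Trusted CA bundle)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
    -subj "/CN=demo-root" -days 1 >/dev/null 2>&1 || exit 1
  # Subordinate CA signed by the root; must carry CA:TRUE to issue certs
  openssl req -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr \
    -subj "/CN=demo-sub" >/dev/null 2>&1 || exit 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > sub.ext
  openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -out sub.pem -days 1 -extfile sub.ext >/dev/null 2>&1 || exit 1
  # Client cert issued by the sub CA
  openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
    -subj "/CN=demo-client" >/dev/null 2>&1 || exit 1
  openssl x509 -req -in client.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
    -out client.pem -days 1 >/dev/null 2>&1 || exit 1
  # Two candidate Trusted CA bundles: root only, and root + every subordinate
  cat root.pem > bundle_root_only.pem
  cat root.pem sub.pem > bundle_full.pem
)

# verify_client BUNDLE [INTERMEDIATES]
# BUNDLE plays the Trusted Certificate Authorities file on the server.
# INTERMEDIATES, if given, plays the sub CA certs a browser sends in its
# Certificate message; a web service client that sends only the leaf has none.
verify_client() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$WORK/$1" -untrusted "$WORK/$2" \
      "$WORK/client.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/$1" "$WORK/client.pem" >/dev/null 2>&1
  fi
}

# Root-only bundle: fails for a leaf-only client, succeeds when the client
# supplies the sub CA itself. Full bundle: succeeds either way.
if [ "${1:-}" = "run" ]; then
  make_pki || exit 1
  verify_client bundle_root_only.pem && echo "leaf only, root-only bundle: OK" \
    || echo "leaf only, root-only bundle: FAILED (the web service case)"
  verify_client bundle_root_only.pem sub.pem && echo "browser style: OK"
  verify_client bundle_full.pem && echo "leaf only, full bundle: OK"
fi
```

Run it with `sh script.sh run`; the first verification fails exactly like the web service client in the thread, while the full bundle makes the leaf-only client pass.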