
Forum Discussion

Janez
Jan 23, 2020

SSL Handshake failed - client certificate authentication and also without certificate

Hello,

I have a question. We plan to migrate a web app that has two different types of authentication: one without a certificate, and a second with a certificate. I made a custom client SSL profile; it works only for the first case (without a certificate), and with a certificate it doesn't work. For the server side I use the default server profile (serverssl). I also tried the CCCD solution, but I get the error: SSL Handshake failed for TCP X.X.X.X:4589 -> VIP:443, and the customer also has a problem with clients that don't use a client certificate for authentication. I use one VIP and one pool member.

Any idea?

Thanks,

Janez

3 Replies

  • Hi,

    Could you share the client SSL profile section of bigip.conf?

  • Janez, the clientssl profile would be very useful, as would some clarification of what you are trying to achieve. For example, are you looking for "client certificate authentication"? If so, have you configured the "client authentication" section of the clientssl profile? Does the application require the F5 to present a certificate to the application server? If so, you'd need to add the certificate in the "configuration" section. If the application needs to authenticate the client directly, then this setup might break that, and you would need to implement Proxy SSL. See ClientSSL Profile and ServerSSL Profile.

  • Hello,

    Proxy SSL is a problem because the customer uses ECDHE or other ciphers with Perfect Forward Secrecy.

    Here is the client profile:

    ltm profile client-ssl /Common/client-SSL {
        app-service none
        ca-file /Common/Cert.crt
        cert /Common/Cert.crt
        cert-key-chain {
            Cert_chain {
                cert /Common/Cert.crt
                chain /Common/Cert_CA.crt
                key /Cert-Key.key
            }
        }
        chain /Common/Common/Cert_CA.crt
        cipher-group none
        ciphers DEFAULT
        defaults-from /Common/clientssl
        inherit-certkeychain false
        key /Common/Cert-Key.key
        passphrase none
        peer-cert-mode request
        ssl-c3d enabled
    }

    And the server profile:

    ltm profile server-ssl /Common/Server-SSL {
        app-service none
        c3d-ca-cert /Common/Cert.crt
        c3d-ca-key /Common/Cert-Key.key
        cert /Common/Cert.crt
        defaults-from /Common/serverssl
        key /Common/Cert-Key.key
        ssl-c3d enabled
    }

    Thanks and regards,

    Janez
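The two stanzas in the last reply are short enough to check mechanically. The following is an added example written for this page, not code from the thread or from F5: it parses the posted bigip.conf text into nested dicts and reports the handshake-relevant points a reviewer looks at first, namely object references that are not /Partition/object paths (possibly transcription errors in the post), what the configured peer-cert-mode means for clients with and without a certificate, whether ca-file is the profile's own server certificate rather than the CA that issues the client certificates, and which CA the C3D server-ssl profile signs forwarded client certificates with. The rules encode TLS and BIG-IP profile semantics, not a diagnosis of this deployment; the stanzas are copied from the post as constructed input, and settings not shown are assumed to inherit from the defaults-from parent.

```python
"""Added example: lint the client-ssl / server-ssl stanzas posted in this thread (copied below
as constructed input). Rules encode TLS / BIG-IP profile semantics, not a diagnosis of one site."""
import re

OBJECT_PATH = re.compile(r"^/[^/\s]+/[^/\s]+$")  # exactly /Partition/object
CLIENT_SSL = """ltm profile client-ssl /Common/client-SSL {
    app-service none
    ca-file /Common/Cert.crt
    cert /Common/Cert.crt
    cert-key-chain {
        Cert_chain {
            cert /Common/Cert.crt
            chain /Common/Cert_CA.crt
            key /Cert-Key.key
        }
    }
    chain /Common/Common/Cert_CA.crt
    cipher-group none
    ciphers DEFAULT
    defaults-from /Common/clientssl
    inherit-certkeychain false
    key /Common/Cert-Key.key
    passphrase none
    peer-cert-mode request
    ssl-c3d enabled
}"""

SERVER_SSL = """ltm profile server-ssl /Common/Server-SSL {
    app-service none
    c3d-ca-cert /Common/Cert.crt
    c3d-ca-key /Common/Cert-Key.key
    cert /Common/Cert.crt
    defaults-from /Common/serverssl
    key /Common/Cert-Key.key
    ssl-c3d enabled
}"""

def parse_tmsh(text):
    """Brace-delimited tmsh text -> nested dicts ('key {' opens, '}' closes, else 'key value')."""
    root = {}
    stack = [root]
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            block = stack[-1][line[:-1].strip()] = {}
            stack.append(block)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip()
    if len(stack) != 1:
        raise ValueError(f"unbalanced braces: {len(stack) - 1} block(s) left open")
    return root

def object_refs(body, prefix=""):
    # (setting, path) for every value that names another object, nested blocks included
    for key, value in body.items():
        if isinstance(value, dict):
            yield from object_refs(value, f"{prefix}{key}.")
        elif value.startswith("/"):
            yield f"{prefix}{key}", value

def bad_paths(body):
    return [f"{s}: '{p}' is not a /Partition/object path" for s, p in object_refs(body)
            if not OBJECT_PATH.match(p)]

MODES = {  # what each peer-cert-mode means for the two client populations in the question
    "ignore": "peer-cert-mode ignore: no client certificate is requested or checked",
    "request": "peer-cert-mode request: a client sending no certificate still completes the "
               "handshake; a presented certificate is validated against ca-file",
    "require": "peer-cert-mode require: clients that present no certificate are rejected",
}

def lint_client_ssl(c):
    out = bad_paths(c)
    mode = c.get("peer-cert-mode", "ignore")  # the parent profile's default when not overridden
    out.append(MODES[mode])
    if mode != "ignore" and c.get("ca-file") == c.get("cert"):
        out.append(f"ca-file is the profile's own server certificate ({c['ca-file']}): only client "
                   "certificates issued under it verify, any other issuer fails verification")
    return out

def lint_server_ssl(s, c):
    out = bad_paths(s)
    if s.get("ssl-c3d") == "enabled":
        for req in ("c3d-ca-cert", "c3d-ca-key"):
            if s.get(req, "none") == "none":
                out.append(f"ssl-c3d enabled without {req}: cannot mint the delegated client certificate")
        if s.get("c3d-ca-cert") == c.get("cert"):
            out.append(f"c3d-ca-cert is the VIP's server certificate ({s['c3d-ca-cert']}): the pool "
                       "member receives client certificates signed by it and must trust it as a CA")
    return out

def lint(client_text=CLIENT_SSL, server_text=SERVER_SSL):
    [(_, c)], [(_, s)] = parse_tmsh(client_text).items(), parse_tmsh(server_text).items()
    return {"client-ssl": lint_client_ssl(c), "server-ssl": lint_server_ssl(s, c)}

if __name__ == "__main__":
    for profile, findings in lint().items():
        print(profile, *(f"  - {f}" for f in findings), sep="\n")
```

Run it as a script, or call lint() with your own tmsh stanzas. The ca-file finding disappears once ca-file points at the bundle that actually issued the client certificates rather than at the VIP certificate, which is the first thing to compare against the issuer shown in the failing client's certificate; the path findings are worth a look because tmsh resolves every reference by its full /Partition/object path.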