James_123402
Nimbostratus
NimbostratusTwo way SSL problems with APM on BIGIP
Receiving ssl_shim_vfycert:2461 when attempting two way ssl authentication. Does anyone know the underlying cause of this message or where I can find an error reference?
Forum Discussion
- Kevin_Stewart
Employee
Is there more to that error message? I'm guessing "application verification error"?
Take a look at the trust chain on the client side (from the client certificate to its root), and compare that to the bundle of CA certificates in the client SSL profile. Does the bundle contain these certificates?
boneyardMVP
just ssl_shim_vfycert:2461 or also some extra message?
James_123402at this point I am only seeing an ssl handshake failure error. The client has a cert from one of the advertised authorities and in IE a dialogue opens to ask which cert to present. Tailing the LTM log shows an ssl handshake failure before a cert is selected in the browser.- boneyardare you sure the message about the handshake is from that session? how do you request the cert?
- James_123402I am certain that the handshake is from the session in question because it is my test system and I am able to tightly control network traffic. The on-demand cert in access policy is set to require and client ssl cert is set to ignore in the ssl_client profile. At this point I have gone as far as issuing a new test cert to the client and re-importing the certificate authority's public cert into the BigIP and I am still seeing the same issue.
- boneyardand if you use request in the ssl profile (with correct advertised / trusted CA) does the same happen then? at this stage i would contact support, might be an issue with the certs or such.
- Kevin_Stewart
The message you're describing generally relates to errors in the client certificate verification process. The next step, in my opinion, should be to manually verify that the client certificate(s) do actually validate against the given CA cert(s). Upload one of the client certificates to the F5 and use the OpenSSL verify command:
[http://www.openssl.org/docs/apps/verify.html](http://www.openssl.org/docs/apps/verify.html)Example:
openssl verify -CAfile [CA certificate] [user certificate] - James_123402When I set the ssl client profile to request, the browser asks which cert to use. If I click cancel and don't present a cert I can get to the resource if on-demand cert is not part of the access policy. If I present a cert I get a browser error and the webtop does not show in the browser. I have a ticket open already. It is taking a little while for support to get back to me because this is not my production system.
- Kevin_Stewart
If I click cancel and don't present a cert I can get to the resource if on-demand cert is not part of the access policy
This part is confusing. Earlier you stated "The on-demand cert in access policy is set to require and client ssl cert is set to ignore in the ssl_client profile".
So just to be clear, the certificate authentication option in the client SSL profile needs to be set to ignore to use the APM Cert Auth agent. The Trusted Certificate Authority option in the client SSL profile should be selected with the appropriate CA certificate(s) to validate client certificates. You shouldn't (normally) need anything else in the client SSL profile.
- Kevin_Stewart
So it does indeed appear that certificate validation is failing. Have you tried the OpenSSL verify step?
