Forum Discussion

nvv_109301
Oct 16, 2012

Client Cert Authentication Failure

Hello,

LTM with version 10.2.2 build 930.0. I am using a Client SSL profile with client authentication set to "require". The client has a cert that was signed by a CA I created and is installed in the ssl.crt folder on the LTM. I'm using the iRule below to check the CN and O of the presented client cert.

when RULE_INIT {
   # Organisation string the client cert subject must contain (placeholder value)
   set ::org "O= my company here"
}

when CLIENTSSL_CLIENTCERT {
   # Check if client provided a cert
   if { [SSL::cert 0] eq "" } {
      # Reset the connection
      reject
   } else {
      # Example Subject DN: /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith
      set subject_dn [X509::subject [SSL::cert 0]]
      log "Client Certificate Received: $subject_dn"
      # Check if the client certificate contains the correct O and a CN from the list.
      # $::CFA_devtst_auth_cn_list is a data group (class) of allowed CNs that must
      # already exist on the LTM; it is not defined in this iRule.
      if { ([matchclass $subject_dn contains $::CFA_devtst_auth_cn_list]) and ($subject_dn contains $::org) } {
         # Accept the client cert
         log "Client Certificate Accepted: $subject_dn"
      } else {
         log "No Matching Client Certificate Was Found Using: $subject_dn"
         reject
      }
   }
}

This iRule seems to work perfectly. However, from the logs below, please note the immediate handshake failure at 11:10:10 (perhaps because the LTM is waiting for a client cert to be offered?) and then the "unable to get local issuer certificate" error, followed by a connection error of "ssl_shim_...". Right after that, the iRule confirms the O and CN values match. Any thoughts on why the LTM doesn't see the signing CA to validate the client cert?

Tue Oct 16 11:10:10 EDT 2012 info local/tmm tmm[4861] 01260013 SSL Handshake failed for TCP from 10.19.55.171:443 to 208.200.11.110:47018
Tue Oct 16 11:10:14 EDT 2012 debug local/tmm tmm[4861] 01260006 Peer cert verify error: unable to get local issuer certificate (depth 0; cert /C=US/ST=Virginia/L=Charlottesville/O=CFA Institute/OU=IT Operations/CN=cfa-devtst-auth.cfainstitute.org)
Tue Oct 16 11:10:14 EDT 2012 debug local/tmm tmm[4861] 01260009 Connection error: ssl_shim_vfycert:2368: unable to get local issuer certificate (42)
Tue Oct 16 11:10:14 EDT 2012 info local/tmm tmm[4861] 01220002 Rule Stage_Pearson : Client Certificate Received: CN=cfa-devtst-auth.cfainstitute.org,OU=IT Operations,O=CFA Institute,L=Charlottesville,ST=Virginia,C=US
Tue Oct 16 11:10:14 EDT 2012 info local/tmm tmm[4861] 01220002 Rule Stage_Pearson : Client Certificate Accepted: CN=cfa-devtst-auth.cfainstitute.org,OU=IT Operations,O=CFA Institute,L=Charlottesville,ST=Virginia,C=US
Tue Oct 16 11:10:14 EDT 2012 info local/tmm tmm[4861] 01260013 SSL Handshake failed for TCP from 10.19.55.171:443 to 208.200.11.110:47185
Tue Oct 16 11:10:14 EDT 2012 debug local/tmm tmm[4861] 01260009 Connection error: ssl_shim_vfycert:2368: application verification failure (42)
Tue Oct 16 11:10:14 EDT 2012 info local/tmm tmm[4861] 01260013 SSL Handshake failed for TCP from 10.19.55.171:443 to 208.200.11.110:47188

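An added example, not from the thread or from F5, written in Python rather than iRule Tcl: it contrasts the iRule's `contains` (substring) checks on the raw subject string with exact comparison of the parsed DN attributes, using the subject exactly as X509::subject logged it above. The organisation value, the CN allow list and the second sample DN are constructed stand-ins for the thread's placeholders; neither check replaces chain validation, which the profile's Trusted Certificate Authorities setting controls.

```python
import re

# Subject DN exactly as the iRule's X509::subject logged it in the thread.
LOGGED_SUBJECT = ("CN=cfa-devtst-auth.cfainstitute.org,OU=IT Operations,"
                  "O=CFA Institute,L=Charlottesville,ST=Virginia,C=US")
# Constructed sample: same CN, but a different organisation whose name merely
# starts with the policy value. Used to show where the two checks disagree.
LOOKALIKE_ORG = ("CN=cfa-devtst-auth.cfainstitute.org,OU=Lab,"
                 "O=CFA Institute Foundation,C=US")

# Policy values (assumed; the thread redacts its own as "O= my company here").
ALLOWED_ORG = "CFA Institute"
ALLOWED_CNS = {"cfa-devtst-auth.cfainstitute.org"}


def parse_dn(dn):
    """Split an RFC 4514-style DN ('CN=a,OU=b,...') into (type, value) pairs.

    A comma inside a value is escaped as '\\,', so split only on unescaped
    commas and unescape afterwards. Repeated attributes (two OUs, two Os)
    are kept as separate pairs so the caller can see them.
    """
    pairs = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.partition("=")
        pairs.append((attr.strip().upper(), value.replace("\\,", ",").strip()))
    return pairs


def attr_values(dn, attr):
    """All values of one attribute type, in the order they appear."""
    return [v for a, v in parse_dn(dn) if a == attr.upper()]


def substring_check(dn, org=ALLOWED_ORG, cns=ALLOWED_CNS):
    """Mirrors the iRule: 'contains' on the raw DN string for O and CN."""
    return ("O=" + org) in dn and any(cn in dn for cn in cns)


def exact_check(dn, org=ALLOWED_ORG, cns=ALLOWED_CNS):
    """Hardened form: compare parsed attribute values, not substrings.

    Requires exactly one O equal to the policy value and exactly one CN that is
    in the allow list, so a DN carrying an extra O or CN is rejected as well.
    """
    orgs = attr_values(dn, "O")
    names = attr_values(dn, "CN")
    return orgs == [org] and len(names) == 1 and names[0] in cns
```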

5 Replies

  • Have you actually installed the CA certificate using the GUI: Local Traffic > SSL Certificates > Import

    And then specified that certificate in the SSL Client Profile Trusted Certificate Authorities drop down?
  • CA was not installed by GUI - crt and key files were laid down from command line ssh. They show up in the GUI but are they somehow not 'registered' with the LTM?
  • You might want to check the permissions on the files match those of the other files in those folders, just in case.

    Have you specified that certificate in the SSL Client Profile Trusted Certificate Authorities drop down?
  • You got it with the SSL Client Profile Trusted Cert Auth dropdown! Once I chose the CA in that box, it all worked. Since that entry isn't with the rest of the Client Authentication fields in the profile, it's sort of confusing as to why it would apply. Oh, well. Thank you for your insight.
  • Glad it's working and you're welcome. For future reference, any SSL profile that relies on a CA that isn't public and well known will need the CA specifying. I used to get bitten by that all the time.