Forum Discussion

irig4u_152672
Sep 15, 2014

SSL Handshake failure / Verify irule

I'm trying to troubleshoot the below issue.

The application sends a certificate to the LTM (it is set up on an https URL to send a certificate to the LTM to authenticate itself as valid); the below iRule is used to authenticate the client and forward the HTTP request to the server.

The LTM uses clientside SSL to encrypt the client-side transaction, and the connection between the LTM and the server is encrypted with a certificate hosted on the server.

rule abc-ssl-rule {
    # Fires after the initial handshake and again after every renegotiation.
    # Only release the held request once a client cert is actually present.
    when CLIENTSSL_HANDSHAKE {
        if { [SSL::cert count] > 0 } {
            log "Client cert is OK; releasing HTTP request."
            HTTP::release
        }
    }

    when HTTP_REQUEST {
        # In Tcl the opening brace of the body must be on the same line as
        # the "if" test; a brace on the next line is a syntax error.
        if { [class match [HTTP::uri] starts_with abc_p_6401-ssl-class] } {
            log "Certificate required for: [HTTP::uri]"
            if { [SSL::cert count] < 1 } {
                log "No cert found. Holding HTTP request until a client cert is presented..."
                # Hold the request, then renegotiate with a client cert required.
                HTTP::collect
                SSL::session invalidate
                SSL::renegotiate enable
                SSL::authenticate once
                SSL::authenticate depth 9
                SSL::cert mode require
                SSL::renegotiate
                # This logs when the renegotiation is requested, not when it completes.
                log "SSL renegotiated"
            }
        }
    }

    when HTTP_REQUEST_SEND {
        # This event runs in serverside context; switch to clientside to read the cert.
        clientside {
            if { [SSL::cert count] > 0 } {
                HTTP::header insert LTM_CLIENT_CERT [X509::whole [SSL::cert 0]]
                log "Client cert forwarded to server"
            }
        }
    }
}

There are 2 different scenarios observed.

  1. SSL handshake fails after the client sends the client cipher spec, and the LTM logs: SSL handshake failure FatalError(20).

  2. On the other setup, a reset is sent after the server sends the Change Cipher Spec message, thereby closing the TCP connection.

Any ideas as to what would result in this behaviour? Let me know if more data is required.
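
Both scenarios above are best pinned down from a packet capture of the failing session rather than from the log line alone: which side sent the last TLS record, and was it a ChangeCipherSpec, an Alert, or nothing before the TCP reset. The decoder below is an added example, not code from the original post or from F5; it walks one direction of a captured TCP stream and names each TLS record, reporting the alert level and description while they are still in the clear. Everything a peer sends after its own ChangeCipherSpec is encrypted under the new keys, so from that point only the record type is shown. If the "20" in the LTM log is the TLS alert description, that value is bad_record_mac in RFC 5246; whether the log number really is the alert code is an assumption, which is why reading the alert off the wire is the check. The sample bytes are constructed to mirror scenario 1 and are not from a real capture.

```python
"""Decode TLS record headers from one direction of a captured TCP stream.

Added example for the thread above, not part of the original post or of F5.
Sample streams below are constructed, not captured.
"""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {0: "hello_request", 1: "client_hello", 2: "server_hello", 11: "certificate",
                   12: "server_key_exchange", 13: "certificate_request", 14: "server_hello_done",
                   15: "certificate_verify", 16: "client_key_exchange", 20: "finished"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
                      40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
                      48: "unknown_ca", 100: "no_renegotiation"}
VERSIONS = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2"}


def parse_records(stream):
    """Split one direction of a TCP stream into TLS records (type, version, body).

    Stops at a truncated trailing record instead of mis-parsing it."""
    records, off = [], 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:
            break
        records.append((ctype, version, body))
        off += 5 + length
    return records


def describe(stream):
    """Return one human-readable line per record.

    After the sender's own ChangeCipherSpec its records are encrypted, so only
    the record type and length are reported from that point on."""
    lines, encrypted = [], False
    for ctype, version, body in parse_records(stream):
        name = CONTENT_TYPES.get(ctype, f"unknown({ctype})")
        ver = VERSIONS.get(version, hex(version))
        if encrypted:
            lines.append(f"{ver} {name} ({len(body)} bytes, encrypted)")
        elif ctype == 21 and len(body) == 2:
            level = ALERT_LEVELS.get(body[0], str(body[0]))
            desc = ALERT_DESCRIPTIONS.get(body[1], str(body[1]))
            lines.append(f"{ver} alert {level} {desc}({body[1]})")
        elif ctype == 22 and len(body) >= 4:
            lines.append(f"{ver} handshake {HANDSHAKE_TYPES.get(body[0], str(body[0]))}")
        else:
            lines.append(f"{ver} {name}")
        if ctype == 20:
            encrypted = True
    return lines


def last_event(stream):
    """The final record a peer sent: the first thing to look at when a handshake dies.
    'no TLS records' means the side was cut off (for example by a TCP reset) without
    sending any alert."""
    lines = describe(stream)
    return lines[-1] if lines else "no TLS records"


# --- builders for the constructed sample ---------------------------------
def record(ctype, body, version=0x0303):
    return struct.pack("!BHH", ctype, version, len(body)) + body


def handshake(htype, body=b""):
    return record(22, bytes([htype]) + len(body).to_bytes(3, "big") + body)


# Scenario 1 as described in the post: the client sends ChangeCipherSpec and an
# (encrypted) Finished, and the LTM answers with a fatal alert. Bodies are dummies.
CLIENT_TO_LTM = (handshake(16, b"\x00" * 8)        # client_key_exchange
                 + record(20, b"\x01")              # change_cipher_spec
                 + record(22, b"\xaa" * 40))        # Finished, encrypted under new keys
LTM_TO_CLIENT = record(21, bytes([2, 20]))          # alert: fatal(2), bad_record_mac(20)
# A server-initiated renegotiation (what SSL::renegotiate triggers) starts with this:
HELLO_REQUEST = handshake(0)

if __name__ == "__main__":
    for label, stream in (("client -> LTM", CLIENT_TO_LTM), ("LTM -> client", LTM_TO_CLIENT)):
        print(label)
        for line in describe(stream):
            print("   ", line)
```

Feed it the raw bytes of each direction (for example, the payload exported from a tcpdump taken on the LTM); run it twice, once per direction, since the encrypted/plaintext boundary is tracked per sender. In scenario 2 you would expect the server direction to end on change_cipher_spec and the client direction to end with no alert at all.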

2 Replies

  • Hmmm, I'm not sure about your logic here. What do you want to do? I'm guessing here:
    • CLIENTSSL_HANDSHAKE: If the client presents a cert, log the fact and proceed. If no cert, proceed.
    • HTTP_REQUEST: If a specific URI is requested, check a cert was presented. If not, force renegotiation. If so, proceed.
    • HTTP_REQUEST_SEND: Use clientside context, insert SSL certificate used as a header.

    Not sure why you are using HTTP::collect/release.
    Why force renegotiation? If the client didn't present a certificate first time, why would this help?
  • I believe your iRule is essentially correct. Two things:
    1. If you remove the iRule, does it work?
    2. Do you see any errors in the LTM log with the iRule in place?