
I am trying to configure TLS client authentication (mutual auth) between an F5 BIG-IP and an Ubuntu server running Apache2. Unfortunately no matter what I try it keeps failing with the following message under /log/apache2/error.log:

[client 10.128.2.110:64689] AH01964: Connection to child 19 established (server testapplication.com:443)
[client 10.128.2.110:64689] AH02043: SSL virtual host for servername testapplication.com found
[client 10.128.2.110:64689] AH02275: Certificate Verification, depth 1, CRL checking mode: none [subject: CN=LAB-CA,DC=lab,DC=com / issuer: CN=LAB-CA,DC=lab,DC=com 
[client 10.128.2.110:64689] AH02275: Certificate Verification, depth 0, CRL checking mode: none [subject: CN=F5-CERT,C=GB / issuer: CN=LAB-CA,DC=lab,DC=com 
[client 10.128.2.110:64689] AH02008: SSL library error 1 in handshake (server testapplication.com:443)
SSL Library Error: error:140880AE:SSL routines:SSL3_GET_CERT_VERIFY:missing verify message
[client 10.128.2.110:64689] AH01998: Connection closed to child 19 with abortive shutdown (server testapplication.com:443)

Some basic stats:

Apache2 Version: Apache/2.4.7

OpenSSL version: Installed: 1.0.1f-1ubuntu2.22

BIG-IP version: 11.6.1

I have verified the certificate the F5 presents is using the correct certificate template (Client Authentication). Both certs at the F5 and Apache end are signed by the same CA. I have the following settings under my virtual hosts file:

# Trust anchor(s) used to validate the chain the client presents
SSLCACertificateFile /etc/apache2/certs/LAB-CA.crt

# Send a CertificateRequest and abort the handshake unless the client presents a valid certificate
SSLVerifyClient require
# Maximum chain length accepted when verifying the client certificate
SSLVerifyDepth  10

I'm a bit stumped at this point. This proof-of-concept is for a very important project for our customer so quite keen to have this nailed.

Thanks for your help.

  • This looks quite serious, a TLS protocol error. The client's `Certificate` message is supposed to be followed by a `CertificateVerify` message, and the error message says it wasn't. It isn't clear to me whether Apache is acting as the client or server here. Can you clarify, and also clarify whether the certificate named in the log is the server or client certificate? – user207421 Aug 14 '17 at 08:22
  • Hello EJP, thanks for your swift reply. Apache is acting as the server, the F5 as the client. In the logs as shown above, the name 'F5-CERT' is the CN found in the F5's cert. As mentioned, both the F5 and Apache certs are signed by the same CA. If I bypass the F5 and connect my Win 7 VM to Apache it does work. Let me go back and see what is different on the client cert on the Win 7. In the meanwhile, if anything else pops up or if there's anything else I could check, that'd also be appreciated. – Devlin Thornicroft Aug 14 '17 at 09:59
  • So it looks like the F5 is at fault, whatever it is. Evidently it sent a Certificate message in response to the server's CertificateRequest but didn't send the required following CertificateVerify message, which contains a digital signature by its private key, which proves that it owns the certificate it sent. This is pretty basic in TLS terms. I would follow up with the F5 manufacturer or supplier or whatever they are. – user207421 Aug 14 '17 at 10:06
