
Hello everybody :) I'm facing an issue with SSL dual authentication on haproxy, my root and intermediate CA are concatenated in one file, my client certificate is OK and openssl verify returns OK (verification of the client certificate against the CA):

openssl verify -CAfile ca_cert.pem clientcert.crt
OK

My config on haproxy:

frontend myfront_77
    bind myip:myport ssl crt /etc/haproxy/ssl/servercert.pem ca-file /etc/haproxy/ssl/ca_cert.pem force-tlsv12 ciphers AES256+EECDH:AES256+EDH:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256:AES256-SHA verify required

But when sending a request I have this SSL error:

SSL_connect:error in SSLv3 read finished A
SSL3 alert read:fatal:unknown CA
SSL_connect:failed in SSLv3 read finished A
140080046843792:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:s3_pkt.c:1493:SSL alert number 48

Can anyone help please? I've been breaking my head over this problem for days.

Thank you

Yass

1 Answer


Let me start by saying that I have never used haproxy, but this question was asked about 4 years ago and now has 4K views with no answers, so this was my experience with the exact same error using Dovecot & Thunderbird.

As it goes, Thunderbird and Firefox do not use the system trust store. I assume that is common to a greater number of platforms.

After verifying the cert with openssl verify, or openssl s_client, you should check the root CA certificate in the client program. In Mozilla programs this can be done in about:preferences#privacy > View Certificates...

In my case I had a stale certificate so make sure to look at the details, or better, verify that the root CA in your client program matches the root CA that openssl is verifying against. A simple diff will work in this case.

Sometimes, it may be helpful to verify a cert against a private key, which can be done by comparing the pubkey:

openssl pkey -in key.pem -pubout | diff - <(openssl x509 -in cert.pem -pubkey -noout)

Mozilla sidebar: I don't recommend this, as it will duplicate a bunch of certs. It is also possible to have Thunderbird/Firefox look at the system trust store by going to about:preferences#privacy > Security Devices... > Load, and navigating to your p11-kit-trust.so, e.g. /lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so
https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox

The Dovecot project has a good writeup for testing to check whether there is a server or client problem.
https://wiki2.dovecot.org/TestInstallation &
https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/#testing

However, that is not the full story since the introduction of the keyUsage constraint. A client may enforce this leading to a similar error: "sslv3 alert bad certificate: SSL alert number 42"
https://bugzilla.mozilla.org/show_bug.cgi?id=1036338

I found the following to be a good writeup including the creation of root/intermediate/client certs chainfiles & constraints. https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html

fuzzy7k
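As an added example (not code from the question or the answer, and not haproxy's own tooling), the following POSIX shell script builds a throwaway root, intermediate and client certificate with openssl and runs the checks the two posts touch on: whether the client certificate chains to the concatenated ca-file the way a TLS server validates a client certificate, whether the root the client trusts is the same root that sits in the server's ca-file (the answer's "simple diff", done by fingerprint), whether key and certificate belong together (the answer's pubkey comparison), and whether the client certificate carries the clientAuth usage the answer's keyUsage note refers to. Every name and file name (Example Root CA, client1, ca_cert.pem, and so on) is constructed for the example; the only assumption is an openssl binary of version 1.1.1 or later on the PATH.

```shell
#!/bin/sh
# Added example: build root -> intermediate -> client with openssl and run the
# checks discussed on the page. All names and paths below are constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# One config: a subject placeholder (overridden by -subj) plus one extension
# section per certificate type. bad_ext deliberately lacks clientAuth.
cat > certs.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[root_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[int_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[client_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
[bad_ext]
basicConstraints = CA:FALSE
keyUsage = critical, keyEncipherment
extendedKeyUsage = serverAuth
EOF

KEYGEN="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# Root CA (self-signed), valid for two days so the files are plainly throwaway.
openssl req -x509 -config certs.cnf -extensions root_ext $KEYGEN -days 2 \
  -subj "/CN=Example Root CA" -keyout root.key -out root.crt 2>/dev/null

# Intermediate CA signed by the root.
openssl req -new -config certs.cnf $KEYGEN -subj "/CN=Example Intermediate CA" \
  -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -days 2 \
  -extfile certs.cnf -extensions int_ext -out int.crt 2>/dev/null

# End-entity certificates signed by the intermediate: $1 = CN, $2 = extension
# section, $3 = output basename.
issue_client() {
  openssl req -new -config certs.cnf $KEYGEN -subj "/CN=$1" \
    -keyout "$3.key" -out "$3.csr" 2>/dev/null
  openssl x509 -req -in "$3.csr" -CA int.crt -CAkey int.key -CAcreateserial -days 2 \
    -extfile certs.cnf -extensions "$2" -out "$3.crt" 2>/dev/null
}
issue_client client1 client_ext client      # correct usage (clientAuth)
issue_client client2 bad_ext    badclient   # wrong usage (serverAuth only)

# The ca-file the question hands to haproxy: root and intermediate concatenated.
cat root.crt int.crt > ca_cert.pem

# Check 1: does the cert chain to the ca-file under the purpose a TLS server
# applies when it demands a client certificate?  $1 = ca-file, $2 = cert.
verify_client() { openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1; }

# Check 2: compare the root the client trusts with the first certificate in the
# server's ca-file by SHA-256 fingerprint (openssl x509 reads only the first
# PEM block of a bundle, so passing ca_cert.pem yields the root's print).
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }
same_root() { [ "$(fingerprint "$1")" = "$(fingerprint "$2")" ]; }

# Check 3: does the private key belong to the certificate?  Both commands emit
# the SubjectPublicKeyInfo in PEM, so a string comparison is enough.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -pubkey -noout)" ]
}

# Check 4: is clientAuth among the extended key usages?
has_client_auth() {
  openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'
}

main() {
  verify_client ca_cert.pem client.crt    && echo "client.crt against root+intermediate: OK"
  verify_client root.crt client.crt       || echo "client.crt against root only: FAIL (intermediate not in ca-file)"
  verify_client ca_cert.pem badclient.crt || echo "badclient.crt: FAIL (serverAuth/keyEncipherment only)"
  same_root root.crt ca_cert.pem          && echo "client trust store root matches server ca-file root"
  key_matches_cert client.key client.crt  && echo "client.key matches client.crt"
  has_client_auth client.crt              && echo "client.crt carries TLS Web Client Authentication"
}
main
```

The second line of main is the case behind the question's setup: a client normally presents only its own certificate, so the server-side ca-file has to contain the intermediate as well as the root, or the handshake ends in "unknown CA". The third line is the keyUsage case from the answer: the chain is fine, but the certificate's usages do not permit client authentication, so a strict peer rejects it with a different alert.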