SSL handshake failed with mutual TLS

Hello everyone.

I’m setting up an internal web server that will accept requests from
another systems (mostly enterprise-ish something) authenticated with
client certificates.

We’ve successfully configured interaction with two of these systems
(all with mutual TLS), and when pointed another one to this server
we’ve got next message in the error.log (log level for error log is
set to debug):

2016/06/16 18:07:55 [info] 21742#0: *179610 SSL_do_handshake() failed
(SSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
certificate:SSL alert number 42) while SSL handshaking, client:
10.117.252.168, server: 0.0.0.0:8443

What can cause this message? How to debug it?

Our setup is: Red Hat Enterprise Linux 7.1, Nginx 1.8.0 compiled from
sources and run from unprivileged user, internet not available, root
or sudo access not available too.

Requests from other systems handled well.

SSL configuration in nginx.conf as follows:

ssl_certificate         /home/strela/ssl/strela.crt;
ssl_certificate_key     /home/strela/ssl/strela.key;
ssl_client_certificate  /home/strela/ssl/client-ca.crt; // Both

root and intermediate certs which signed client certs are included in
this file
ssl_verify_client on;
ssl_verify_depth 2;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

Thank you in advance, please ask for any additional info if required.

With best regards, Andrey Novikov.

On Sat, Jun 18, 2016 at 11:29:49AM +0300, Andrey Novikov wrote:

Hi there,

What can cause this message? How to debug it?
I think that this message (can|does) mean that the far side did not like
something about your certificate.

If that is the case - are there any logs on the thing connecting to
nginx about what it thinks happened in the TLS negotiation?

Cheers,

f

Francis D. [email protected]

On 06/21/2016 03:59 AM, CJ Ess wrote:

Check that you have both the certificate and any intermediate
certificates in your pem file - you can skip the top-most CA
certificates as those are generally included in your browser’s CA
store - but the intermediates are not.

I believe Nginx wants certs ordered from bottom-most (your cert) to
top-most (ca’s cert) - it used to be picky about that I haven’t
retried the ordering in a long while.

It used to be your site cert at the top of the file. Don’t know whether
this is still true, but I always do it!

I recommend using the Qualys site ( SSL Server Test (Powered by Qualys SSL Labs) )
to check and fine tune your SSL setup. They keep very current on all the
vulns too, which is just sooo helpful.

Steve


Steve H. BSc(Hons) MIITP

Linkedin: http://www.linkedin.com/in/steveholdoway
Skype: sholdowa

Check that you have both the certificate and any intermediate
certificates
in your pem file - you can skip the top-most CA certificates as those
are
generally included in your browser’s CA store - but the intermediates
are
not.

I believe Nginx wants certs ordered from bottom-most (your cert) to
top-most (ca’s cert) - it used to be picky about that I haven’t retried
the
ordering in a long while.

Thank everyone for advices.

I have server certificate (first) and Intermediate CA certificate
(second) in bundle file specified in ssl_certificate directive.
I have Intermediate CA certificate (first) and Root CA certificate
(second) in bundle file specified in ssl_client_certificate.

Both server and client certificate are issued by this intermediate CA
certificate, command

openssl verify -verbose -CAfile ca.bundle.crt client.crt

returns

client.crt: OK

I can successfully connect to my server with curl (using server’s
certificate itself as client cert) and browser. One system can access
it with own client certificate (issued by the same intermediate), and
problematic one can’t.

I will ask for problematic client’s logs, not sure that it can help.

Unfortunately my Nginx is located in private network and neither
accessible from Internet nor have access to Internet. So I can’t use
Qualys SSL Test. Any tests I can do with preinstalled in RHEL 7 curl
and openssl?