Client / TS certificates 7.x vs 8.x

Tue, 05 Jan 2021 14:49:31 -0800 

Hello,
We are using client -> TS SSL termination and using client certificates and a 
CA. While upgrading to 8.x this has stopped working and I'm having trouble 
figuring out why. I was wondering if there may have been some change in 8.x or 
error with my config  which would be obvious to someone.

The error is "SSL alert number 80" internal error.

SSL_connect:SSLv3/TLS read server certificate request
SSL_connect:SSLv3/TLS read server done
SSL_connect:SSLv3/TLS write client certificate
SSL_connect:SSLv3/TLS write client key exchange
SSL_connect:SSLv3/TLS write certificate verify
SSL_connect:SSLv3/TLS write change cipher spec


SSL_connect:SSLv3/TLS write finished
read from 0x564393d04170 [0x564393d0e6a3] (5 bytes => 5 (0x5))
0000 - 15 03 03 00 02                                    .....
read from 0x564393d04170 [0x564393d0e6a8] (2 bytes => 2 (0x2))
0000 - 02 50                                             .P

SSL3 alert read:fatal:internal error
SSL_connect:error in error
139713745085760:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert 
internal error:../ssl/record/rec_layer_s3.c:1543:SSL alert number 80



I've inspected the traffic with Wireshark to confirm the exchange is identical 
between the versions up until the "Internal Error" response. Tried up to 
7.1.12-rc0 which works and 8.0.0 -> 8.1.x which does not. I've also tried on 
Ubuntu and Centos8 with the same results.

Relevant config:


records.config:
CONFIG proxy.config.ssl.CA.cert.path STRING /ssl/
CONFIG proxy.config.ssl.CA.cert.filename STRING ca.pem

CONFIG proxy.config.ssl.client.verify.server INT 1
CONFIG proxy.config.ssl.client.certification_level INT 2
CONFIG proxy.config.ssl.client.CA.cert.path STRING /etc/pki/tls/certs/
CONFIG proxy.config.ssl.client.CA.cert.filename STRING ca-bundle.crt

CONFIG proxy.config.ssl.client.cipher_suite STRING 
TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DES-CBC3-SHA

CONFIG proxy.config.ssl.server.private_key.path STRING /ssl/
CONFIG proxy.config.ssl.server.cert.path STRING /ssl/

CONFIG proxy.config.ssl.server.cipher_suite STRING 
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

ssl_multicert.config:
ssl_cert_name=server.pem


Any help on this greatly appreciated, thank you,

Zack

Reply via email to