Client Certificate Authentication Failure on Backend After Upgrading from NetScaler 10.1 to 10.5

Article ID: CTX212684

Description

Client certificate authentication on the backend stopped working after upgrading from NetScaler 10.1 to 10.5.

Resolution

We do not see the server requesting a client certificate and we do not see the NetScaler sending the certificate:

The details are in the Encrypted Handshake Message and Encrypted Alert. We decrypted the traffic using the key from the back-end server and this is what we see:

The NetScaler sends a fatal alert handshake failure immediately after the server 'hello request', and then resets the connection.

This is because the server is trying to renegotiate the SSL connection in order to request the client certificate.

The NetScaler by default is set to Deny all SSL renegotiation globally.

We set this to 'NO' in SSL - Change Advanced SSL settings:

You can also create an SSL Profile and set Deny SSL Renegotiation to NO on this. Then bind the SSL profile to a specific LB vserver:

Client certificate authentication now works. We see the NetScaler send a Client Hello after the Hello Request, which would lead to the certificate request:
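As an added example (not part of the Citrix article), a small Python audit that parses a constructed ns.conf excerpt and reports, for each SSL vserver and service, whether its renegotiation policy comes from the global `set ssl parameter` line or from a bound SSL profile, and which entities end up with `-denySSLReneg NO` (renegotiation fully allowed) rather than `NONSECURE` (only RFC 5746 secure renegotiation). The entity names, profile names and config lines are constructed; an entity with a bound SSL profile takes the profile's value, not the global one.

```python
import re
from collections import OrderedDict

# Constructed excerpt of a NetScaler running config (not taken from a real device).
SAMPLE_CONFIG = """\
set ssl parameter -denySSLReneg NO -quantumSize 8192
add ssl profile be_reneg -sslProfileType BackEnd -denySSLReneg NONSECURE
add ssl profile fe_default -sslProfileType FrontEnd
set ssl service svc_app_https -sslProfile be_reneg
set ssl service svc_legacy_https -clientAuth ENABLED
set ssl vserver lb_app_https -sslProfile fe_default
set ssl vserver lb_portal_https -ssl3 DISABLED
"""

GLOBAL_DEFAULT = "ALL"  # the global default the article describes: deny all renegotiation

def parse_config(text):
    """Return (global_setting, profiles, entities) from ns.conf style lines."""
    global_setting = GLOBAL_DEFAULT
    profiles = {}             # profile name -> explicit denySSLReneg value, or None
    entities = OrderedDict()  # "vserver <name>" / "service <name>" -> bound profile or None
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4:
            continue
        m = re.search(r"-denySSLReneg\s+(\S+)", line)
        if tokens[:3] == ["set", "ssl", "parameter"] and m:
            global_setting = m.group(1)
        elif tokens[:3] == ["add", "ssl", "profile"]:
            profiles[tokens[3]] = m.group(1) if m else None
        elif tokens[:2] == ["set", "ssl"] and tokens[2] in ("vserver", "service"):
            key = f"{tokens[2]} {tokens[3]}"
            entities.setdefault(key, None)
            p = re.search(r"-sslProfile\s+(\S+)", line)
            if p:
                entities[key] = p.group(1)
    return global_setting, profiles, entities

def effective_reneg(text):
    """Map each SSL entity to (source, effective denySSLReneg value)."""
    g, profiles, entities = parse_config(text)
    result = OrderedDict()
    for name, prof in entities.items():
        if prof is None:
            result[name] = ("global", g)
        elif profiles.get(prof) is None:
            # Profile bound but value not set on it: the profile default applies, not the global one.
            result[name] = (f"profile {prof}", "profile default (not set explicitly)")
        else:
            result[name] = (f"profile {prof}", profiles[prof])
    return result

def unrestricted(text):
    """Entities whose effective setting is NO, i.e. any renegotiation is accepted."""
    return [n for n, (_, v) in effective_reneg(text).items() if v == "NO"]

if __name__ == "__main__":
    for name, (src, val) in effective_reneg(SAMPLE_CONFIG).items():
        print(f"{name:28} {val:40} ({src})")
```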


Problem Cause

SSL Renegotiation was disabled.
