Globalprotect with 2 factor auth, client certificate problem (SSL handshake)


Hello,

Having problems with GP client certificate authenticating on Android and iOS (Windows is working OK). We are using company PKI certificates, Root and Issuing CA certs have been imported to Android/iOS, as well as a device-specific client certificate from the said Issuing CA. GP Portal connection is working OK, but when the client is trying to connect to a gateway (certificate profile enabled), the connection is refused. I checked the debug logs on Android, and found the following SSL-related exception (a-test-2 is the name of the imported client cert):

(28792)05/29 23:27:34:607901 - Requesting a client certificate chain for alias [a-test-2]

(28792)05/29 23:27:34:639024 - error from connect, useOurVerifier=true

(28792)05/29 23:27:34:639172 - 1738, found exception:javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x791396f8: Failure in SSL library, usually a protocol error

error:14099004:SSL routines:SSL3_SEND_CLIENT_VERIFY:RSA lib (external/openssl/ssl/s3_clnt.c:3106 0x73a18cf8:0x00000000)

(28792)05/29 23:27:34:639223 - a client cert might not right, clear cache now

(28792)05/29 23:27:34:651072 - (l5)JNI,28806,498,not handled, ret=error, javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x791396f8: Failure in SSL library, usually a protocol error

error:14099004:SSL routines:SSL3_SEND_CLIENT_VERIFY:RSA lib (external/openssl/ssl/s3_clnt.c:3106 0x73a18cf8:0x00000000), return NULL now

(28792)05/29 23:27:34:651231 - (l6)JNI,28806,2196,Failed to pre-login to the gateway

The exact same auth sequence is working with Windows GP clients (client certs from the same issuing CA).

Anybody have any clue about this or have built similar setups and resolved the issue somehow? Any insight into this is welcome, thank you!

BR,

Arttu

0 REPLIES 0
  • 1934 Views
  • 0 replies
  • 0 Likes
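
A triage script for the Android debug log quoted in the post, added here as an example and not part of the original post or of GlobalProtect: it extracts the certificate alias and decodes the packed OpenSSL error code. It assumes the OpenSSL 1.0.x `ERR_PACK` layout (suggested by the `s3_clnt.c` path in the log); `triage` and `unpack` are names chosen for this example.

```python
import re

# Excerpt of the log lines quoted in the post (alias line plus both error lines).
SAMPLE_LOG = """\
(28792)05/29 23:27:34:607901 - Requesting a client certificate chain for alias [a-test-2]
error:14099004:SSL routines:SSL3_SEND_CLIENT_VERIFY:RSA lib (external/openssl/ssl/s3_clnt.c:3106 0x73a18cf8:0x00000000)
error:14099004:SSL routines:SSL3_SEND_CLIENT_VERIFY:RSA lib (external/openssl/ssl/s3_clnt.c:3106 0x73a18cf8:0x00000000), return NULL now
"""

ALIAS_RE = re.compile(r"client certificate chain for alias \[([^\]]+)\]")
ERROR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>[^(]*?)\s*\((?P<file>[^:()\s]+):(?P<line>\d+)"
)

def unpack(code_hex):
    """Split a packed error code, assuming the OpenSSL 1.0.x ERR_PACK layout:
    bits 31-24 library, bits 23-12 function, bits 11-0 reason."""
    code = int(code_hex, 16)
    return {"lib": (code >> 24) & 0xFF,
            "func": (code >> 12) & 0xFFF,
            "reason": code & 0xFFF}

def triage(log_text):
    """Return one finding per distinct OpenSSL error, tagged with the last
    client-certificate alias the log mentioned before it."""
    alias, seen, findings = None, set(), []
    for line in log_text.splitlines():
        m = ALIAS_RE.search(line)
        if m:
            alias = m.group(1)
            continue
        m = ERROR_RE.search(line)
        if not m:
            continue
        key = (m["code"], m["file"], m["line"])
        if key in seen:  # the client logs the same failure more than once
            continue
        seen.add(key)
        finding = unpack(m["code"])
        finding.update(alias=alias, func_name=m["func"], reason_text=m["reason"],
                       source=f'{m["file"]}:{m["line"]}')
        findings.append(finding)
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

For the logged code 14099004 this yields library 20 (`ERR_LIB_SSL`), function 153 and reason 4, which is `ERR_R_RSA_LIB`. The failure was raised by the RSA operation performed while sending CertificateVerify, the step where the client signs with the private key behind the alias.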