Globalprotect with 2 factor auth, client certificate problem (SSL handshake)


Hello,

Having problems with GP client certificate authentication on Android and iOS (Windows is working OK). We are using company PKI certificates; Root and Issuing CA certs have been imported to Android/iOS, as well as a device-specific client certificate from the said Issuing CA. GP Portal connection is working OK, but when the client is trying to connect to a gateway (certificate profile enabled), the connection is refused. I checked the debug logs on Android, and found the following SSL-related exception (a-test-2 is the name of the imported client cert):

(28792)05/29 23:27:34:607901 - Requesting a client certificate chain for alias [a-test-2]

(28792)05/29 23:27:34:639024 - error from connect, useOurVerifier=true

(28792)05/29 23:27:34:639172 - 1738, found exception:javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x791396f8: Failure in SSL library, usually a protocol error

error:14099004:SSL routines:SSL3_SEND_CLIENT_VERIFY:RSA lib (external/openssl/ssl/s3_clnt.c:3106 0x73a18cf8:0x00000000)

(28792)05/29 23:27:34:639223 - a client cert might not right, clear cache now

(28792)05/29 23:27:34:651072 - (l5)JNI,28806,498,not handled, ret=error, javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x791396f8: Failure in SSL library, usually a protocol error

error:14099004:SSL routines:SSL3_SEND_CLIENT_VERIFY:RSA lib (external/openssl/ssl/s3_clnt.c:3106 0x73a18cf8:0x00000000), return NULL now

(28792)05/29 23:27:34:651231 - (l6)JNI,28806,2196,Failed to pre-login to the gateway

The exact same auth sequence is working with Windows GP clients (client certs from the same issuing CA).

Anybody have any clue about this or have built similar setups and resolved the issue somehow? Any insight into this is welcome, thank you!

BR,

Arttu
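
Added example, not part of the original post and not Palo Alto Networks code: a small Python triage script that pulls the certificate alias and the OpenSSL error out of a GlobalProtect Android debug log like the one quoted above and decodes the packed error code. The names `triage` and `unpack` are hypothetical, and the 8/12/12-bit code layout assumes a pre-3.0 OpenSSL build.

```python
import re

# Sample copied from the log excerpt in the post above (three of its lines).
SAMPLE = """\
(28792)05/29 23:27:34:607901 - Requesting a client certificate chain for alias [a-test-2]
(28792)05/29 23:27:34:639172 - 1738, found exception:javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x791396f8: Failure in SSL library, usually a protocol error
error:14099004:SSL routines:SSL3_SEND_CLIENT_VERIFY:RSA lib (external/openssl/ssl/s3_clnt.c:3106 0x73a18cf8:0x00000000)
"""

# "(pid)MM/DD hh:mm:ss:usec - message" prefix used by the GlobalProtect log lines
GP_LINE = re.compile(r"^\((\d+)\)(\d\d/\d\d \d\d:\d\d:\d\d:\d+) - (.*)$")
ALIAS = re.compile(r"client certificate chain for alias \[([^\]]+)\]")
# "error:<hex code>:<library>:<function>:<reason> (<source file>:<line> ..."
OSSL_ERR = re.compile(
    r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):([^(]+?)\s*\(([^:\s]+):(\d+)")


def unpack(code_hex):
    """Split a legacy (OpenSSL 1.0.x/1.1.x) packed error code into
    (library, function, reason): 8 bits, 12 bits, 12 bits.
    Assumption: the client links a pre-3.0 OpenSSL, as the s3_clnt.c path suggests."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def triage(log_text):
    """Return one finding per OpenSSL error line, tagged with the most recent
    certificate alias and GlobalProtect timestamp seen before it."""
    findings, alias, ts = [], None, None
    for line in (l.strip() for l in log_text.splitlines()):
        gp = GP_LINE.match(line)
        if gp:
            ts = gp.group(2)
            hit = ALIAS.search(gp.group(3))
            if hit:
                alias = hit.group(1)
        err = OSSL_ERR.search(line)  # error text may sit on its own line
        if err:
            lib, func, reason = unpack(err.group(1))
            findings.append({
                "timestamp": ts, "alias": alias,
                "lib": lib, "func": func, "reason_code": reason,
                "library": err.group(2), "function": err.group(3),
                "reason": err.group(4),
                "source": err.group(5), "line": int(err.group(6)),
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

For the quoted log, the decoded fields place the failure in the client's own `SSL3_SEND_CLIENT_VERIFY` routine with a reason pointing at the RSA library, which is the detail to quote when escalating the case.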
