Client and Server Authentication enablement required for Tunnel SSL Certificate

Overview

The Tunnel SSL certificate must have both Client Authentication and Server Authentication enabled in its Enhanced Key Usage details. If both are enabled, the UEM Console requirements for the Tunnel SSL certificate are met. If they are not, the certificate provider must reissue a certificate that has both Client and Server Authentication enabled.


Device Impact if Client and Server Authentication are not enabled

If Client and Server Authentication are not enabled in the Enhanced Key Usage details of the certificate, the per-app tunnel will not connect on the device, and whitelisted applications will not trigger per-app VPN.

The Tunnel logs will display the following if these settings are not enabled:

WARN: SSL certificate preverify FAILED err=26 (unsupported certificate purpose)
INFO: TCPSocket 7 bytes sent
DEBUG: *10416 SSL_do_handshake returns -1
ERROR: ProcessTCPRead PerformHandshake returns VPN_ERROR
INFO: Session 10416 Tunnel Handshake Failed

A Wireshark capture of the Tunnel traffic will likewise show an unsupported certificate.


How to verify Authentication is enabled in the certificate

To verify that both authentication purposes are enabled in the certificate, run the following openssl command on the server against the configured Tunnel port (replace port with that port number) and confirm that both SSL client and SSL server are listed as Yes under Certificate purposes in the response:

openssl s_client -connect localhost:port </dev/null | openssl x509 -noout -purpose

[Screenshot: output of the openssl purpose check, listing the Certificate purposes]

Alternatively, open the Enhanced Key Usage details of the certificate and check that both Client Authentication and Server Authentication are listed.

[Screenshot: Enhanced Key Usage details of the certificate]
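The check above can be scripted so that it is repeatable, for example after a certificate renewal. The following Python script is an added example and is not part of the original article or of the Tunnel product; it runs the same two openssl commands the article shows and parses the Certificate purposes table that openssl prints. It assumes the openssl binary is on PATH and that the host and port passed on the command line are reachable; both values are placeholders you supply.

```python
"""Check that a TLS endpoint's certificate carries the purposes Tunnel needs.

Added example (not from the original article). Wraps
  openssl s_client -connect host:port | openssl x509 -noout -purpose
and reads the "Certificate purposes:" table. Assumes openssl is on PATH;
host and port are placeholders supplied on the command line.
"""
import subprocess
import sys

# Rows of the -purpose table that correspond to the Enhanced Key Usage values
# the Tunnel SSL certificate must carry:
#   "SSL client" -> clientAuth (OID 1.3.6.1.5.5.7.3.2)
#   "SSL server" -> serverAuth (OID 1.3.6.1.5.5.7.3.1)
REQUIRED_PURPOSES = ("SSL client", "SSL server")


def fetch_purpose_output(host: str, port: int) -> str:
    """Run the two openssl commands and return the -purpose text.

    stdin is closed (input=b"") so s_client exits after the handshake instead
    of waiting for interactive input; -servername sends SNI so a server that
    hosts several certificates returns the one for `host`.
    """
    s_client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"", capture_output=True, check=False,
    )
    x509 = subprocess.run(
        ["openssl", "x509", "-noout", "-purpose"],
        input=s_client.stdout, capture_output=True, check=True,
    )
    return x509.stdout.decode()


def parse_purposes(text: str) -> dict:
    """Turn the 'Certificate purposes:' table into {name: bool}.

    Rows look like 'SSL client : Yes' or 'SSL client CA : No'. Splitting on
    ' : ' keeps 'SSL client' and 'SSL client CA' distinct, which a naive
    prefix match would not. openssl may print 'Yes (WARNING code=...)', so
    only the leading 'Yes' is tested.
    """
    purposes = {}
    for line in text.splitlines():
        name, sep, value = line.partition(" : ")
        if sep:
            purposes[name.strip()] = value.strip().startswith("Yes")
    return purposes


def missing_purposes(purposes: dict) -> list:
    """Return the required purposes that are absent or reported as No."""
    return [p for p in REQUIRED_PURPOSES if not purposes.get(p, False)]


def main(host: str, port: int) -> int:
    missing = missing_purposes(parse_purposes(fetch_purpose_output(host, port)))
    if missing:
        print(f"FAIL: certificate on {host}:{port} lacks: {', '.join(missing)}")
        print("Reissue the Tunnel SSL certificate with both Client and Server "
              "Authentication in its Enhanced Key Usage.")
        return 1
    print(f"OK: certificate on {host}:{port} has Client and Server Authentication")
    return 0


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print(f"usage: {sys.argv[0]} <tunnel-host> <tunnel-port>")
        sys.exit(2)
    sys.exit(main(sys.argv[1], int(sys.argv[2])))
```

Run it as `python check_tunnel_cert.py localhost port` with the configured Tunnel port; a non-zero exit code means at least one of the two purposes is missing, which matches the condition that produces the err=26 (unsupported certificate purpose) warning in the Tunnel logs.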
