Clientauthentication failes with Handshake error

[grindsa]

I am trying to setup ejbca to enrol certificates via rest-api. I am using the primekey/ejbca-ce for lab-testing. The docker image gets started via docker run -it --rm -p 80:8080 -p 443:8443 -h ejbca-system -e TLS_SETUP_ENABLED="simple" primekey/ejbca-ce command.

I can access the Web-UI and activated "REST Certificate Management" service. Access to the status endpoint works without issues.

grindsa@ub2204:~$ curl https://ejbca-system/ejbca/ejbca-rest-api/v1/certificate/status --cacert ca_bundle.pem
{"status":"OK","version":"1.0","revision":"EJBCA 7.11.0 Community (8d14e27cda0b32eba35a1fd1423f8e6a31d1ed8e)"}j

To configure Clientauthentication I did follow the steps described in the Quick Start Guide - Issue Client Authentication Certificate using EJBCA and finally got client cert and key in p12 format.

But I cannot connect to the REST-API by using client cert as the handshake fails with the below error message

grindsa@ub2204:~$ curl -v  https://ejbca-system/ejbca/ejbca-rest-api/v1/certificate/status --cert-type P12 --cert cl_cert.p12:PASSWORD --cacert ca_bundle.pem
*   Trying 192.168.14.131:443...
* Connected to ejbca-system (192.168.14.131) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: ca_bundle.pem
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.2 (OUT), TLS alert, decode error (562):
* error:0A000126:SSL routines::unexpected eof while reading
* Closing connection 0
curl: (35) error:0A000126:SSL routines::unexpected eof while reading
grindsa@ub2204:~$

Testing a connection via openssl leads to the same issue:

grindsa@ub2204:~$  openssl s_client -connect 192.168.14.131:443 -cert a2c_crt.pem -key a2c_key.pem -CAfile ca_bundle.pem --quiet
Can't use SSL_get_servername
depth=1 UID = c-0zt9nqe927k24xwh5, CN = ManagementCA, O = EJBCA Container Quickstart
verify return:1
depth=0 UID = c-0zt9nqe927k24xwh5, CN = ejbca-system, O = EJBCA Container Quickstart
verify return:1
80DBBCCC907F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:308:

Run in openssl with the -ignore_unexpected_eof seem to solve the issue.

grindsa@ub2204:~$  openssl s_client -connect 192.168.14.131:443 -cert a2c_crt.pem -key a2c_key.pem -CAfile ca_bundle.pem --quiet   -ignore_unexpected_eof
Can't use SSL_get_servername
depth=1 UID = c-0zt9nqe927k24xwh5, CN = ManagementCA, O = EJBCA Container Quickstart
verify return:1
depth=0 UID = c-0zt9nqe927k24xwh5, CN = ejbca-system, O = EJBCA Container Quickstart

Any idea how to troubleshoot the problem further? Is there an issue on the server side when using OpenSSL 3.0 on the client?

Thank you for your help

/G.

[primetomas]

The REST API need client certificate authentication. If you start the container with the classic workflow, i.e. not TLS_SETUP="simple", you will get a superadmin.p12 keystore to use in the browser, and with the REST API.

[grindsa]

Thanks. Works as expected...