Encrypted SyncIQ policies fail with "sslv3 alert unsupported certificate"
Summary: Encrypted SyncIQ policies immediately fail with SSL error "sslv3 alert unsupported certificate"
Symptoms
Policies start to fail with the error "sslv3 alert unsupported certificate"
Cause
SyncIQ encryption uses both client and server authentication, so the certificate on each side must be usable for both roles.
The end-of-chain (leaf) certificate, that is, the certificate imported into the SyncIQ server or peer store, is configured for only one type of authentication (typically server authentication only).
To confirm:
a) from isi_migrate.logs:
On cluster:
--------------
# isi_for_array -sQ ' grep "An SSL handshake failure occurred while establishing" /var/log/isi_migrate.log | grep coord ' | sort | tail -5
On Logs:
------------
$ grep -h "An SSL handshake failure occurred while establishing" */varlog.tar/log/isi_migrate.log | grep coord | sort | tail -5
Expected error:
---------------------
TTTTTTTTTTTTTTT <3.3> xxxxxxxxxx-4(id8) isi_migrate[57638]: coord[xxxxxxxxxx:TTTTTTTTTTTT]: siq_create_alert_internal: type: 22 (policy name: xxxxxxxxxx target: xxxxxxxxxx) SyncIQ policy failed to establish an encrypted connection with target. An SSL handshake failure occurred while establishing an encrypted connection to the target cluster. Please view the logs on the source and target for further details. SSL error string: error:14094413:SSL routines:ssl3_read_bytes:sslv3 alert unsupported certificate [ISI_TLS_ERROR_HANDSHAKE], Target: xxxxxxxxxx
b) from server/peer certificate store
On cluster:
--------------
# openssl x509 -text -noout -in /ifs/.ifsvar/modules/isi_certs/synciq/peer/zone_1/certs/<ID>.crt | grep -A1 "X509v3 Extended Key Usage"
# openssl x509 -text -noout -in /ifs/.ifsvar/modules/isi_certs/synciq/server/zone_1/certs/<ID>.crt | grep -A1 "X509v3 Extended Key Usage"
On Logs:
------------
$ openssl x509 -text -noout -in local/ifsvar_modules.tar/modules/isi_certs/synciq/peer/zone_1/certs/<ID>.crt | grep -A1 "X509v3 Extended Key Usage"
$ openssl x509 -text -noout -in local/ifsvar_modules.tar/modules/isi_certs/synciq/server/zone_1/certs/<ID>.crt | grep -A1 "X509v3 Extended Key Usage"
If the output of the above commands shows only "TLS Web Server Authentication" or only "TLS Web Client Authentication", the certificate is the cause of the failure.
The correct output lists both "TLS Web Server Authentication" and "TLS Web Client Authentication".
Resolution
To resolve this, the customer must follow their internal process for generating the Certificate Signing Request (CSR), making sure that the OpenSSL configuration file used to generate the CSR contains the following:
extendedKeyUsage = serverAuth,clientAuth
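As an added example (not part of the KB article), the following POSIX shell script automates the check from step b) and writes an OpenSSL request config with the required extendedKeyUsage; the certificate paths, the CN and the self-signed helper are placeholders standing in for the cluster certificate store and the customer's CA.

```shell
#!/bin/sh
# Added example (not from the KB article): check a SyncIQ peer/server certificate
# for the two EKUs that encrypted SyncIQ requires, and write an OpenSSL request
# config that asks for both when generating the CSR. Paths and CN are placeholders.

# eku_line CERT: print the Extended Key Usage value line of a PEM certificate
eku_line() {
    openssl x509 -text -noout -in "$1" | grep -A1 "X509v3 Extended Key Usage" | tail -n 1
}

# has_both_eku CERT: exit 0 only if both server and client authentication are present
has_both_eku() {
    line=$(eku_line "$1")
    case "$line" in
        *"TLS Web Server Authentication"*) ;;
        *) return 1 ;;
    esac
    case "$line" in
        *"TLS Web Client Authentication"*) return 0 ;;
        *) return 1 ;;
    esac
}

# write_req_conf OUT CN EKU: write a minimal OpenSSL req config; EKU is the
# extendedKeyUsage value, "serverAuth,clientAuth" (the fix) or "serverAuth" (the bug)
write_req_conf() {
    cat > "$1" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
CN = $2
[ v3_req ]
extendedKeyUsage = $3
EOF
}

# selfsigned_cert CONF KEY CERT: issue a self-signed test certificate that carries
# the v3_req extensions from CONF (stands in for the customer's CA in this example)
selfsigned_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1" \
        -extensions v3_req -keyout "$2" -out "$3" 2>/dev/null
}

# check_cert CERT: one-line verdict for a certificate path (e.g. from the peer store)
check_cert() {
    if has_both_eku "$1"; then
        echo "OK: $1 has serverAuth and clientAuth"
    else
        echo "FAIL: $1 lacks an EKU: $(eku_line "$1")"
        return 1
    fi
}
```

A CA may replace the extensions requested in the CSR with its own profile (for example, `openssl ca` only carries them over when `copy_extensions = copy` is set), so run the check on the issued certificate before importing it into the SyncIQ store.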