The error message "400 Bad Request - No required SSL certificate was sent" means the server was configured to require a client certificate for the request and the client did not present one during the SSL/TLS handshake. This exact wording is the one nginx returns: the handshake itself normally completes, and the server then answers the HTTP request with 400 because no client certificate arrived (its error log records "client sent no required SSL certificate"). The scenario is typical of environments where mutual TLS (mTLS) authentication is configured.
Mutual TLS is TLS with client authentication enabled. In an ordinary TLS handshake only the server presents a certificate to prove its identity; with mTLS the server also sends a CertificateRequest, and the client must answer with a certificate issued by a CA the server trusts and prove possession of the matching private key. Both parties therefore verify each other's identity, which is why mTLS is common in sensitive environments such as financial services, healthcare, or the internal networks of large organizations.
Understanding the Error:
Server Configuration: The server is configured to require client certificates for certain requests. This is typically done for APIs, web services, or specific paths within a web application that need higher security.
Client Certificate Missing: The client, which could be a browser, a script (e.g., using curl), or another service, attempts to establish a connection without providing the required SSL certificate. This could be due to misconfiguration, the absence of a certificate, or incorrect client setup.
400 Bad Request Response: Having received no client certificate, the server rejects the request with "400 Bad Request", stating that no required SSL certificate was sent. With this wording (nginx's) the TLS handshake completes and the rejection is an HTTP response, so the client sees a connection that succeeded at the TLS level but returned 400; servers configured to abort the handshake instead fail with a TLS alert before any HTTP response is sent. The root cause is the same in both cases.
Resolution:
Check Client Configuration: Ensure the client is configured to present a certificate when it connects to the server. For curl this means passing the certificate and private key (for example `--cert client.pem --key client.key`); for a browser the certificate, usually as a PKCS#12 bundle containing its key, must be imported into the browser's or operating system's certificate store so it can be offered when the server asks; for a service it means loading the certificate and key into the TLS client configuration or keystore. Confirm that the certificate is actually sent for the specific host and path that requires it.
Server Requirements: Verify what the server expects of the client certificate: the CA (Certificate Authority) that must have issued it, any required subject fields (CN, SANs), and, if the certificate carries an Extended Key Usage extension, that it includes clientAuth (OpenSSL-based servers reject client certificates whose EKU excludes it). Make sure your client certificate meets these criteria and has not expired.
Certificate Trust: Make sure the server trusts the CA that issued the client's certificate, and that the client sends the full chain up to that CA (intermediate certificates included) so the server can build a valid path.
Debugging Tools: Use curl with verbose logging (`curl -v` prints a `TLS handshake, Request CERT (13)` line when the server asks for a certificate and `TLS handshake, Certificate (11)` when curl sends one), `openssl s_client -connect host:443` (which lists the server's "Acceptable client certificate CA names" when a certificate was requested), browser developer tools, or a network analyzer such as Wireshark to examine the handshake and establish whether the server requested a certificate and whether the client answered with one.
Server Configuration: Review the server's SSL/TLS configuration. If not every client will provide a certificate, the server can request rather than require one (nginx's `ssl_verify_client optional`, for example), but then the application behind it must check for the certificate itself on the paths that need it; otherwise the requirement has simply been removed. Adjust the configuration to the application's security requirements rather than loosening it to make the error disappear.
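The failure described above can be reproduced offline, which is the quickest way to see what a missing client certificate looks like on the wire and what the debugging tools report. The script below is an added example written for this page; it is not part of the original article and not an Edge SWG or Broadcom artifact. It assumes only the openssl command-line tool and a free loopback port; `WORK`, `PORT`, the CN values and the file names are choices made for the demo. Unlike nginx, which completes the handshake and answers 400, openssl's `s_server -Verify` aborts the handshake when no certificate arrives, but the signal the client sees, the CA names from the server's CertificateRequest, is the same in both cases.

```shell
#!/bin/sh
# Added example, not from the original KB: reproduce the "client sent no
# certificate" failure against a local openssl test server, then show the same
# request succeeding once the client presents a certificate issued by the CA
# the server trusts.
# Assumptions: the openssl CLI is on PATH and TCP port 44330 on 127.0.0.1 is
# free. WORK, PORT and all CN/file names below are demo choices.

WORK="${WORK:-$(mktemp -d)}"
PORT="${PORT:-44330}"
SERVER_PID=""

# Throwaway PKI: a client CA, a self-signed server certificate and a client
# certificate issued by that CA. Everything is written under $WORK.
make_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Client CA" \
      -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1 || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
      -keyout "$WORK/server.key" -out "$WORK/server.pem" >/dev/null 2>&1 || return 1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
      -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 1 -out "$WORK/client.pem" >/dev/null 2>&1
}

# Server that requires a client certificate chaining to ca.pem (-Verify), the
# openssl equivalent of an nginx vhost with ssl_verify_client on. -www answers
# any GET with a status page so we can tell a completed request from a failure.
start_server() {
  openssl s_server -accept "127.0.0.1:$PORT" -cert "$WORK/server.pem" \
      -key "$WORK/server.key" -CAfile "$WORK/ca.pem" -Verify 2 -www \
      >"$WORK/server.log" 2>&1 &
  SERVER_PID=$!
  sleep 1
}

stop_server() {
  [ -n "$SERVER_PID" ] && kill "$SERVER_PID" 2>/dev/null
  SERVER_PID=""
}

# The failing client from the article: no certificate or key configured. TLS 1.2
# is forced so the server's rejection happens inside the handshake and s_client
# exits non-zero; the transcript lands in nocert.log.
connect_without_cert() {
  printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "127.0.0.1:$PORT" \
      -tls1_2 -CAfile "$WORK/server.pem" >"$WORK/nocert.log" 2>&1
}

# Same client, now presenting the certificate and key issued by the trusted CA.
# -ign_eof keeps s_client reading until the server has answered and closed.
# Succeeds only if the server's HTTP status page came back.
connect_with_cert() {
  printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "127.0.0.1:$PORT" \
      -tls1_2 -CAfile "$WORK/server.pem" -cert "$WORK/client.pem" \
      -key "$WORK/client.key" -ign_eof >"$WORK/cert.log" 2>&1
  grep -q "HTTP/1.0 200 ok" "$WORK/cert.log"
}

# The check from the "Debugging Tools" step: s_client prints the CA names carried
# in the server's CertificateRequest, which proves the server demands a client
# certificate even though the client never sent one.
server_requested_client_cert() {
  grep -q "Acceptable client certificate CA names" "$WORK/nocert.log"
}

# End-to-end run: returns 0 only when the certificate-less request is rejected,
# the rejection shows the server asked for a certificate, and the request with
# the issued certificate succeeds.
run_demo() {
  make_certs || return 1
  start_server
  if connect_without_cert; then stop_server; return 1; fi   # must be rejected
  server_requested_client_cert || { stop_server; return 1; }
  connect_with_cert; rc=$?
  stop_server
  return $rc
}

case "${1:-}" in
  run) run_demo && echo "missing cert rejected, issued cert accepted (logs in $WORK)" \
         || echo "demo failed; inspect $WORK/*.log" ;;
esac
```

Run it as `sh mtls_demo.sh run`. Afterwards `nocert.log` contains the server's acceptable CA names followed by the handshake-failure alert, and `cert.log` contains the status page. Against a production server the same signal applies: if `openssl s_client` lists acceptable CA names (or `curl -v` shows `Request CERT (13)`) and your client has no certificate and key configured, the 400 is the expected outcome and nothing in the path between client and server needs to change.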
What's the Edge SWG's role in this: The Edge SWG simply tunnels this request; it does not detect the protocol and does not authenticate the client, so it never terminates the TLS session and can neither supply nor remove the client certificate. To execute this within the Proxy, please implement the CPL script below. If this access uses any other URLs, add them to the `condition_Allow` condition definition.
We recommend doing this in CPL rather than in the VPM. If you must use the VPM, make sure authentication is also disabled for all the related URLs.
Following the investigation, we can confirm that the reported error is not caused by the Proxy but by the client, which did not send the certificate the server requires to authenticate its access. In the evidence we received, the server certificate details are visible but no client certificate is presented. Please see the sample snippet below for reference.
To summarise: with mTLS the server is configured to require client certificates for certain requests, typically APIs, web services or specific paths that need stronger authentication. A client (a browser, a curl script or another service) that connects without presenting the required certificate, whether through misconfiguration, a missing certificate or an incorrect client setup, will receive this error regardless of the proxy in the path. Ensure the client makes the request presenting the required certificate.