App Connect

  • 1.  Different behaviour of mTLS in IIBv10 and ACEv12

    Posted Fri March 25, 2022 08:49 PM
    Hello,

    I have noticed that there is different processing of mTLS (client authentication) in IIBv10 and ACEv12. I have two integration nodes; each one uses the same keystore and truststore. The first one is running on IIBv10, the second one is running on ACEv12 (actually it is a migrated version of the first one). There is a SOAP server flow which I am trying to connect to. When I want to connect from a SOAP client (SOAP UI) using a Server certificate, it works on IIBv10 but it does not work on ACEv12. When I use a Client certificate, then it works in both instances.
    I know that we should be using Client certificates for mTLS on the client side, but it would be nice to have an option to ignore the SSL error regarding unsupported certificate type. Is there a way to solve this?

    Exception on ACEv12 (from TLS trace):
    TLS 1.2 Alert packet
    Alert Level: Fatal (2)
    Alert Description: Unsupported certificate (43)
    Details: A certificate was of an unsupported type.

    ------------------------------
    Martin Citron
    Prague
    ------------------------------


  • 2.  RE: Different behaviour of mTLS in IIBv10 and ACEv12

    Posted Wed April 06, 2022 12:17 PM
    Hi Martin,

    Sorry, that is not an error we have encountered before.  I am unaware of a way to ignore this particular error.
    ACE uses OpenSSL on input whereas IIB used JSSE.  Some differences are present as you have noted.  We do have an option to not fail if the client certificate is not provided, but that is the closest we currently have.  If you can find an OpenSSL option to get this working, we should be able to use the same in ACE.

    ------------------------------
    MATTHEW SEGALL
    ------------------------------



  • 3.  RE: Different behaviour of mTLS in IIBv10 and ACEv12

    Posted Thu April 28, 2022 10:30 AM
    Hello,

    Just to close this question: we have issued a new certificate which contains clientAuth in the extendedKeyUsage attribute. The previous certificate contained just serverAuth, and that was wrong.

    Martin

    ------------------------------
    Martin Citron
    Prague
    ------------------------------
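
The resolution above comes down to the extendedKeyUsage purpose check. As an added example (not from the thread or from IBM), this script builds a throwaway CA and two constructed certificates that differ only in EKU, then runs OpenSSL's `sslclient` purpose check on each. All file names and subjects are made up, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Constructed demo: a throwaway CA and two leaf certificates that differ only in EKU.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the result does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > "$WORK/req.cnf"

openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# issue_cert NAME EKU: sign a leaf whose extendedKeyUsage is exactly EKU.
issue_cert() {
    printf 'extendedKeyUsage = %s\n' "$2" > "$WORK/$1.ext"
    openssl req -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# eku_of NAME: print the certificate's Extended Key Usage line.
eku_of() {
    openssl x509 -in "$WORK/$1.pem" -noout -text |
        grep -A1 'Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

# usable_as_client NAME: chain validation plus the "sslclient" purpose check.
usable_as_client() {
    openssl verify -purpose sslclient -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

issue_cert old-cert serverAuth   # like the certificate that was rejected
issue_cert new-cert clientAuth   # like the reissued certificate

for c in old-cert new-cert; do
    if usable_as_client "$c"; then verdict=accepted; else verdict=rejected; fi
    echo "$c: $(eku_of "$c") -> $verdict as a TLS client certificate"
done
```

A certificate that has to serve both roles can be issued with `serverAuth,clientAuth` as the EKU value.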