CMP error: sslv3 alert illegal parameter:SSL alert number 47

[Shalu555]

Hi Team,

In EJBCA 9, the CMP client fails when sending an IR (Initialization Request) to the EJBCA server. The following error is observed:

CMP info: sending IR
CMP DEBUG: connecting to CMP server 192.168.0.10:9443 using TLS
CMP DEBUG: disconnected from CMP server
CMP error: sslv3 alert illegal parameter: SSL alert number 47
CMP error: error sending: server=https://192.168.0.10:9443
CMP error: transfer error: request sent: IR, expected response: IP

During the TLS handshake, I observed that the server is requesting a client certificate:

Acceptable client certificate CA names
CN = internal_pki_management

Since this is an IR request, the client does not yet have a certificate. I initially assumed the failure was due to the absence of a client certificate.
However, even though WildFly shows verify-client="NOT_REQUESTED", the TLS trace indicates that a CertificateRequest message is still being sent by the server.
Should we switch to certificate-based authentication instead of password-based authentication in this case?

As EJBCA 9 uses TLS 1.3 by default, could the issue be related to TLS version compatibility?
Would it help if we downgrade the TLS protocol to 1.2, or is this error caused by some other handshake parameter?

I would greatly appreciate your early response.

[primetomas]

With "EJBCA" do you mean the container? In all installation instructions HTTP/S is configured with either two or three ports: plain http, https without client cert, and https with client cert. These on different ports. If you don't want client cert, simply use the port that does not require client cert authentication. Typically CMP is done over plain HTTP. See RFC6712.

[Shalu555]

Hi Primetomas,

The server is no longer requesting a client certificate, but I’m still encountering the following error during IR request.

CMP error: sslv3 alert illegal parameter: SSL alert number 47

I’ve verified the CMP alias configuration parameters such as authenticationmodule, authenticationparameters, responseprotection, and allowautomatickeyupdate, and they appear to be correct.

Could you please advise if there are any additional configurations or parameters that should be checked for this issue?

[primetomas]

This is an issue with your CMP client. You need to debug that. What CMP client are you using? You own development?

[Shalu555]

I’m using the standard OpenSSL CMP client to send the IR request. The request is executed using the cmpclient container, which runs openssl cmp with a standard OpenSSL CMP configuration file.

[primetomas]

I would use plain http to start with. CMP messages are self contained and do not need TLS to protect them. Once you confirm that working you can work on your TLS connection is you absolutely need to.
To establish TLS connections you need to have the correct trust anchor (CA certificate) so openssl can establish the TLS connection. We know it has been done though, but at some point I remember there was a bug in "openssl cmp" preventing it from using TLS, but I don't remember when that was fixed.