ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED in Google Chrome
I've got a web site that uses SSL Client certificate authorization. All client certificates are generated using OpenSSL and are self-signed. Everything worked with all web-browsers, but the recommended one was Google Chrome, because it uses same SSL warehouse as IE, so certificate installation was pretty easy (click-click-password-done!). After last update of Google "Chrome 29.0.1547.57 m" noone can access my web-server, even me. Google chrome error only! IE and FF working fine. Error is: ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED. Same in server error log. Do you have any suggestions? The problem is that most part of clients are non familiar with PC's and they got very frightened about that situation. So phone support guys are under the wave of calls.
Answer
We are experiencing the same problem. As Sean has reported, it seems that Chrome on Windows XP negotiates TLSv1.2 even though the operating system does not support SHA-2 (say, SHA-256 or SHA-384) hash function.
We found that Chrome fails when it receives "client certificate request" following SERVER HELLO. SERVER HELLO itself negotiates RC4-SHA1 (in our environment) which should succeeds. The problematic packet seems the "client certificate request" that includes SHA-2 (as well as SHA1) functions for hashes.
Invoking Chrome with "--enable-logging --log-level=0" outputs the following message: ERROR:nss_ssl_util.cc(193)] ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED: NSS error -12222, OS error -2146893816
This is an Operating system error corresponding "NTE_BAD_ALGID" for CryptSignHash function: http://msdn.microsoft.com/en-us/library/windows/desktop/aa380280(v=vs.85).aspx
Disabling TLSv1.2 on the server should fix the problem. But I think Chrome should prefer SHA1 on Windows XP.