Forum Discussion

daboochmeister's avatar
daboochmeister
Icon for Cirrus rankCirrus
Jul 29, 2014

SSL connection error, client certificate validation issue - RSASSA-PSS signature algorithm support?

2-way SSL VIP with client certificate "required", we are getting SSL connection errors. The LTM log contains: SSL Handshake failed for TCP from 10.20.15.156:57757 to 172.20.104.11:443 The CA ch...
application delivery
client-certificate
design
LTM
signature algorithm
ssl
daboochmeister's avatar
daboochmeister
Icon for Cirrus rankCirrus
Dec 30, 2014

I was hoping to come back and confirm that 11.5 handles RSASSA-PSS, Kevin, but unfortunately I didn't have a chance - before we upgraded to 11.5.1, we had to rebuild our CA chain (and reissue certs across the board) using sha256, because of other devices (Cisco ISEs, etc.) that clearly documented that they wouldn't handle RSASSA-PSS. If anyone reading this knows for sure that RSASSA-PSS is supported at 11.5 or later, pls confirm so!

 

  • boneyard's avatar
    boneyard
    Icon for MVP rankMVP
    Jan 14, 2015
    i wouldn't mind checking but i seem unable to generate such a certificate with openssl or xca, if you can provide me one or explain how to create it i can have a look.
  • daboochmeister's avatar
    daboochmeister
    Icon for Cirrus rankCirrus
    Jan 14, 2015
    Sorry, boneyard, appreciate it, but we tore down our CA that used RSASSA-PSS ... apparently, a Windows CA burns in the algorithm to be used and you can't change it from the default request by request (which seems weird to me, but that's what I'm being told).
  • candc's avatar
    candc
    Icon for Cirrus rankCirrus
    Jul 18, 2016

    Still definitely an issue for me on 12.0.0

     

  • boneyard's avatar
    boneyard
    Icon for MVP rankMVP
    Jul 18, 2016

    can you guide me in how to create such a certificate candcgroup, it like to give it a try.