We are currently running an application that is in IIS6/Windows 2003 R2 SP2. The SSL cert that resides on the app is SHA1 and we'll need to renew it in 2 months to SHA2. From what I've researched it is cumbersome to get 2003 R2 SP2 to support SHA2, so I thought of possibly using the F5 to have that traffic go through the F5, provide the SSL termination and then onto the application. Does anyone see any issues with this? Does anyone know of any issues with IIS 6 and F5 LTM 11.6 and the SSL Certs on the F5?
There should not be any problems from a functional F5 perspective. I have run into issues where the new code version on the F5 provides increased security by not using some of the older ciphers, but clients still use old browsers that are not compatible with the newer ciphers, resulting in a broken application.
I would recommend checking the following:
Any specific client SSL cipher requirements?
For the 11.6 code version, understand what the "DEFAULT" cipher suite indicates and make sure it meets business requirements. See: https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13156.html
Do you even need SSL in the DMZ?
Either way, it is best practice to terminate SSL on the BIG-IP - even if you re-encrypt the traffic before it leaves the BIG-IP. Client-side and server-side SSL are entirely independent of each other so you should have no issues using SHA1 between the BIG-IPs and the EOL web servers.
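A minimal BIG-IP 11.x tmsh configuration for the setup discussed in this thread, added here as an illustration and not taken from any of the answers above: the client-side profile presents the new SHA2 certificate, while the independent server-side profile re-encrypts to the IIS6 pool, which keeps its existing SHA1 certificate. Profile, pool and object names, file names and addresses are placeholders.

```tmsh
# Client-side SSL: the SHA2 certificate and key imported into the BIG-IP (placeholder names).
# "DEFAULT" is the cipher string sol13156 describes for the running code version; replace it
# with an explicit cipher string only if a client requirement forces older ciphers back in.
create ltm profile client-ssl app_clientssl defaults-from clientssl cert app_sha2.crt key app_sha2.key ciphers DEFAULT

# Server-side SSL: re-encrypt towards IIS6. This handshake is separate from the client-side
# one, so the SHA1 certificate still installed on the web servers is not a problem here.
create ltm profile server-ssl app_serverssl defaults-from serverssl

# Pool of IIS6 hosts still listening on 443 (constructed addresses), with an HTTPS monitor.
create ltm pool iis6_pool monitor https members add { 10.10.20.11:443 10.10.20.12:443 }

# Virtual server on the public VIP: tcp + http profiles, client-ssl on the client side,
# server-ssl on the server side, SNAT automap so return traffic comes back via the BIG-IP.
create ltm virtual app_https_vs destination 10.10.10.50:443 ip-protocol tcp profiles add { tcp http app_clientssl { context clientside } app_serverssl { context serverside } } pool iis6_pool source-address-translation { type automap }

save sys config
```

To confirm what clients now see, run `openssl s_client -connect <vip>:443 -servername <hostname> </dev/null | openssl x509 -noout -text | grep 'Signature Algorithm'` from a client and check that the SHA2 algorithm is reported, while the same command against a pool member directly will still show the SHA1 certificate.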