Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Answers

SHA-2 issues in client SSL profile

Hello,

I am into an issue where I apply SHA-2 certificate in the client profile the SSL session doesn't complete and webpage doesn't open. But it works fine with SHA-1 certificate. We are running 11.4 software version, I believe it is supporting sha-2 cipher. This might be a browser compatibility issue. Has someone faced similar problem before ?

As per NIST regulations: For SSL Certificates expiring before December 31, 2016, you can still use SHA-1 to generate your SSL Certificate. However, when ordering or renewing any SSL Certificate that expires after December 31, 2016, SHA-2 is automatically selected by default.

Regards, Akhtar

0
Rate this Question

Answers to this Question

placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi Akhtar,

The issue is with OS or Browser. clients such as Windows XP SP2 are unable to verify such certificates. one way to figure out is: Let client connect to a VS with a SHA1 cert. Check the User-Agent string. If it's a good browser (it supports SHA256 cert), redirect it to a different VS with a SHA256 cert, otherwise just balance the request or send an error message.

This does not work properly, if the users are connecting through a proxy.

So i suggest to determine if the browser making the request supports or not.As far i know,IE running on XP with SP3 will support the SHA2 certificates(not SNI data).

So you would need to terminate the non supported browsers with a weaker certificate and then present the client with an alternate page that gave the option to click through if they confirmed that SP3 was installed on or something along those lines.

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

Please share the output of below command from TMSH.

show running-config ltm profile client-ssl

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Was this ever answered?

We have the same issue with a New SHA2 Cert and IIS does not work when we have the same Sha2 cert in Client/Server SSL profile and also on the Server.

If we put the old Sha1 cert on server and use the NEW/OLD Cert sha1 or sha2 or anything else on the LTM's it will work fine, However when we use the same SHA2 cert thru-out the session this connection does not work. And yes we have Vendor engaged and at this time they also cannot figure it out. This is confirmed with Chrome/FF31

We have many other VIP's using the SHA2 cert without issue, So this one is very odd, When we do a passthru, No ssl bridging / offloading for this site all works fine and opens with the SHA2 cert.It just when we use the same cert thru-out the connection while ssl bridging the connection (Client/Server SSL profile and also on the Server) it fails. Also note in our testing it does appear the Handshake between Client/LTM seems ok, It appears to break between Server ssl profile and Webserver.

LTM Version 11.4.1 HF7 Server = Microsoft-IIS/8.5

Thanks,

ccna55

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

FYI..after further research disabling tls1.2 on server side ssl profile fix this issue.

Now we need to understand why LTM did not negotiate lower TLS version if it need to do this. Same cipher should work for tls1.2 and or tls1.1 This is what i see using i don't have access as of now to use openssl and specify tls1.1 or tls1.2 only working on that.

openssl s_client -connect x.x.x.x SSL-Session: Protocol : TLSv1 Cipher : AES256-SHA

Thanks, ccna55

0