Forum Discussion

John_Ogle_45372's avatar
John_Ogle_45372
Icon for Nimbostratus rankNimbostratus
Apr 10, 2015

SHA256 certificates to modern clients and serve SHA1 to those that can't do better?

How do I provide SHA256 certificates to modern clients and serve SHA1 to those that can't do better? What does this configuration look like? I don't know how to configure this?

 

Thank you,

 

1 Reply

  • I think you can do the following (only theoretical and untested assumption!):

     

    1. Create two ClientSSL profiles - one with SHA1 and one with SHA256 certificate.
    2. Make sure that your SHA256 certificate is created with TLS SNI option and do configure the Server Name field in ClientSSL profile to match the server name in the cert and enable the "Default profile for SNI" option on that ClientSSL profile (which will be used for newer cliets)
    3. the other ClientSSL cert aimedat older clients will use SHA1 cert and weaker ciphers. It will be used as a fallback profile
    4. Assign both SHA256 and SHA1 fallback ClientSSL profiles to the virtual server as described in SOL13452

    Refer to solution SOL13452 for step-by-step instructions - https://support.f5.com/kb/en-us/solutions/public/13000/400/sol13452.html

     

    The assumption is that is a legacy client connects it will fail to negotiate SNI and the fallback ClientSSL profile would pick up the traffic with weaker certificate. Legacy clients which do not support TLS SNI also do not support SHA256 certs.

     

    If a newer client connects to the Virtual Server then the first ClientSSL profile (set as default for SNI) will negotiate the SSL connection based on SNI match and will pick up the traffic.

     

    Again, this is just an assumption, I have not tried this myself - please update this article if you are successful/unsuccessful

     

    Sam