F5 dual-certificate deployment to fix SHA-1 Deprecate issue

Question

Hi&nbsp;
From this information  SHA-1 Deprecate &gt;&gt; link from qualys&nbsp;
My customer sha-1 certificate is mark as insecure already. (He using APM and certificate expire on 2018)&nbsp;
If we renew certificate to SHA-256, older client can't do the job so Can F5 perform dual-certificate deployment?&nbsp;
If newer user using chrome access to APM &gt;&gt; APM use certificate SHA256&nbsp;
If older user using chrome access to APM &gt;&gt; APM use certificate SHA-1 (of course it's mark as insecure but we can't do something about this to make older user can work)&nbsp;
Right now using APM 11.4.1 lastest HF&nbsp;
Thank you&nbsp;

kridsana · Answer

Can I just insert two SSL client profile in the Virtual server of APM ?&nbsp;
Or use irule to select SSL profile ?  &lt;&lt; (this method may be not work due to certificate hello is the first of SSL handshake and not sure F5 can customize or inspect that)&nbsp;
Thank you&nbsp;

nitass · Answer

i do see ivan mentioned apache uses two key types to support sha1 and sha256. can you also do that? it is supported since 11.5.0.
Ivan Ristic Oct 20, 2014 1:48 AM (in response to BRYAN S.G.)

Bryan, here are two pages from my book, Bulletproof SSL and TLS, that show how to use multiple keys with Apache: http://blog.ivanristic.com/downloads/bulletproof-ssl-and-tls_configuring-multiple-keys.pdf
Because this feature wasn't intended to be used to with around SHA1 issues, you can't have two RSA certificates, one with SHA1 and the other with SHA256. So you'd have to use RSA/SHA1 and ECDSA/SHA256.

sol15062: Associating multiple SSL certificate/key pair types with an SSL profile
https://support.f5.com/kb/en-us/solutions/public/15000/000/sol15062.html

nitass_89166 · Answer

i do see ivan mentioned apache uses two key types to support sha1 and sha256. can you also do that? it is supported since 11.5.0.
Ivan Ristic Oct 20, 2014 1:48 AM (in response to BRYAN S.G.)

Bryan, here are two pages from my book, Bulletproof SSL and TLS, that show how to use multiple keys with Apache: http://blog.ivanristic.com/downloads/bulletproof-ssl-and-tls_configuring-multiple-keys.pdf
Because this feature wasn't intended to be used to with around SHA1 issues, you can't have two RSA certificates, one with SHA1 and the other with SHA256. So you'd have to use RSA/SHA1 and ECDSA/SHA256.

sol15062: Associating multiple SSL certificate/key pair types with an SSL profile
https://support.f5.com/kb/en-us/solutions/public/15000/000/sol15062.html

kridsana · Answer

So I need to add new certificate/key pair which use SHA256 in Key exchange mechanism into Client SSL profile .

And change cipher suit to ex. DEFAULT:SHA256 , something like that, Am I right?

kridsana · Answer

So I need to add new certificate/key pair which use SHA256 in Key exchange mechanism into Client SSL profile .

And change cipher suit to ex. DEFAULT:SHA256 , something like that, Am I right?

Forum Discussion

F5 dual-certificate deployment to fix SHA-1 Deprecate issue

6 Replies

Recent Discussions

Error while running ansible

ASM instance creation

[ASM] - what is "Browser Challange file" ?

[ASM] - HTML5 Cross-Domain Request Enforcement - CLI command

Reverse Proxy Not Behaving

Related Content

Where are F5's archived deployment guides?

F5 BIG-IP deployment with OpenShift - per-application 2-tier deployments

F5 Distributed Cloud - Customer Edge Site - Deployment & Routing Options

F5 BIG-IP deployment with OpenShift - platform and networking options

F5 BIG-IP deployment with OpenShift - multi-cluster architectures