I am trying to set up SSL intercept to decrypt outbound SSL for inspection. I am not doing anything fancy just a basic decryption zone between the internal and external F5. Everything works except for certain sites like google.com the F5 is issuing a SHA1 certificate to the client instead of SHA2 which is not supported in Chrome.

I opened a support ticket with F5 and the F5 engineer who answered the ticket made the following recommendation: "configure a trusted certificate authority bundle in the server ssl profile. The default bundle contains many well-known public CA certs for server-side processing." After I did this, the problem was solved. Thanks.

Hi, can you please post your virtual server configuration and ssl client profile configuration? You can modify below points on ssl client profile. Verify whether SSL sign Hash is configured as ANY if not enable it or you can configure only SHA2 ( if your requirement is only SHA2)

Hi, I am experiencing the exact same issue as JamesE, but in my case it started after an upgrade to version 13 (from 12.1.2). For some sites the f5 proxy issues a SHA-1 certificate instead of a SHA-256 certificate. I have set the "SSL Sign Hash" option to SHA256 as per your advice, but no luck. Any other advice, or should I start a case on this? //A

ltm virtual SSLi-Ingress { destination 0.0.0.0:any ip-protocol tcp mask any pool SSL-Ingress-Any profiles { SSLi-Ingress-Client { context clientside } SSLi-Ingress-Server { context serverside } http { } tcp { } } rules { SSLi-with-URL } source 0.0.0.0/0 source-address-translation { type automap } translate-address disabled translate-port enabled vs-index 18 } ltm profile client-ssl SSLi-Ingress-Client { alert-timeout indefinite allow-dynamic-record-sizing disabled allow-expired-crl disabled allow-non-ssl disabled app-service none authenticate once authenticate-depth 9 bypass-on-client-cert-fail disabled bypass-on-handshake-alert disabled ca-file none cache-size 262144 cache-timeout 3600 cert cybersec-subca.crt cert-extension-includes { basic-constraints extended-key-usage subject-alternative-name } cert-key-chain { cybersec-subca_cyberrootca { cert cybersec-subca.crt chain cyberrootca.crt key cybersec-subca.key } } cert-lifespan 30 cert-lookup-by-ipaddr-port disabled chain cyberrootca.crt cipher-group none ciphers DEFAULT client-cert-ca none crl-file none defaults-from clientssl destination-ip-blacklist none destination-ip-whitelist none forward-proxy-bypass-default-action intercept generic-alert enabled handshake-timeout 10 hostname-blacklist none hostname-whitelist none inherit-certkeychain false key cybersec-subca.key max-active-handshakes indefinite max-aggregate-renegotiation-per-minute indefinite max-renegotiations-per-minute 5 maximum-record-size 16384 mod-ssl-methods disabled mode enabled notify-cert-status-to-virtual-server disabled ocsp-stapling disabled options { dont-insert-empty-fragments } passphrase none peer-cert-mode ignore peer-no-renegotiate-timeout 10 proxy-ca-cert cybersec-subca.crt proxy-ca-key cybersec-subca.key proxy-ssl disabled proxy-ssl-passthrough disabled renegotiate-max-record-delay indefinite renegotiate-period indefinite renegotiate-size indefinite renegotiation enabled retain-certificate true secure-renegotiation require server-name none session-mirroring disabled session-ticket disabled session-ticket-timeout 0 sni-default false sni-require false source-ip-blacklist none source-ip-whitelist none ssl-forward-proxy enabled ssl-forward-proxy-bypass enabled ssl-sign-hash sha256 strict-resume disabled unclean-shutdown enabled } ltm profile server-ssl SSLi-Ingress-Server { app-service none ca-file ca-bundle.crt cert ca-bundle.crt defaults-from serverssl key default.key peer-cert-mode require secure-renegotiation request ssl-forward-proxy enabled ssl-forward-proxy-bypass enabled ssl-sign-hash sha256 }

SSL Intercept SHA1 Certificate

15 Replies

RaghavendraSY_7
Cumulonimbus
Oct 18, 2017
Hi,

can you please post your virtual server configuration and ssl client profile configuration? You can modify below points on ssl client profile.

Verify whether SSL sign Hash is configured as ANY if not enable it or you can configure only SHA2 ( if your requirement is only SHA2)
- JamesE_234305
  Nimbostratus
  Oct 23, 2017
  ltm virtual SSLi-Ingress { destination 0.0.0.0:any ip-protocol tcp mask any pool SSL-Ingress-Any profiles { SSLi-Ingress-Client { context clientside } SSLi-Ingress-Server { context serverside } http { } tcp { } } rules { SSLi-with-URL } source 0.0.0.0/0 source-address-translation { type automap } translate-address disabled translate-port enabled vs-index 18 }
  
  ltm profile client-ssl SSLi-Ingress-Client { alert-timeout indefinite allow-dynamic-record-sizing disabled allow-expired-crl disabled allow-non-ssl disabled app-service none authenticate once authenticate-depth 9 bypass-on-client-cert-fail disabled bypass-on-handshake-alert disabled ca-file none cache-size 262144 cache-timeout 3600 cert cybersec-subca.crt cert-extension-includes { basic-constraints extended-key-usage subject-alternative-name } cert-key-chain { cybersec-subca_cyberrootca { cert cybersec-subca.crt chain cyberrootca.crt key cybersec-subca.key } } cert-lifespan 30 cert-lookup-by-ipaddr-port disabled chain cyberrootca.crt cipher-group none ciphers DEFAULT client-cert-ca none crl-file none defaults-from clientssl destination-ip-blacklist none destination-ip-whitelist none forward-proxy-bypass-default-action intercept generic-alert enabled handshake-timeout 10 hostname-blacklist none hostname-whitelist none inherit-certkeychain false key cybersec-subca.key max-active-handshakes indefinite max-aggregate-renegotiation-per-minute indefinite max-renegotiations-per-minute 5 maximum-record-size 16384 mod-ssl-methods disabled mode enabled notify-cert-status-to-virtual-server disabled ocsp-stapling disabled options { dont-insert-empty-fragments } passphrase none peer-cert-mode ignore peer-no-renegotiate-timeout 10 proxy-ca-cert cybersec-subca.crt proxy-ca-key cybersec-subca.key proxy-ssl disabled proxy-ssl-passthrough disabled renegotiate-max-record-delay indefinite renegotiate-period indefinite renegotiate-size indefinite renegotiation enabled retain-certificate true secure-renegotiation require server-name none session-mirroring disabled session-ticket disabled session-ticket-timeout 0 sni-default false sni-require false source-ip-blacklist none source-ip-whitelist none ssl-forward-proxy enabled ssl-forward-proxy-bypass enabled ssl-sign-hash sha256 strict-resume disabled unclean-shutdown enabled } ltm profile server-ssl SSLi-Ingress-Server { app-service none ca-file ca-bundle.crt cert ca-bundle.crt defaults-from serverssl key default.key peer-cert-mode require secure-renegotiation request ssl-forward-proxy enabled ssl-forward-proxy-bypass enabled ssl-sign-hash sha256 }
RaghavendraSY
Altostratus
Oct 18, 2017
Hi,

can you please post your virtual server configuration and ssl client profile configuration? You can modify below points on ssl client profile.

Verify whether SSL sign Hash is configured as ANY if not enable it or you can configure only SHA2 ( if your requirement is only SHA2)
- JamesE_234305
  Nimbostratus
  Oct 23, 2017
  ltm virtual SSLi-Ingress { destination 0.0.0.0:any ip-protocol tcp mask any pool SSL-Ingress-Any profiles { SSLi-Ingress-Client { context clientside } SSLi-Ingress-Server { context serverside } http { } tcp { } } rules { SSLi-with-URL } source 0.0.0.0/0 source-address-translation { type automap } translate-address disabled translate-port enabled vs-index 18 }
  
  ltm profile client-ssl SSLi-Ingress-Client { alert-timeout indefinite allow-dynamic-record-sizing disabled allow-expired-crl disabled allow-non-ssl disabled app-service none authenticate once authenticate-depth 9 bypass-on-client-cert-fail disabled bypass-on-handshake-alert disabled ca-file none cache-size 262144 cache-timeout 3600 cert cybersec-subca.crt cert-extension-includes { basic-constraints extended-key-usage subject-alternative-name } cert-key-chain { cybersec-subca_cyberrootca { cert cybersec-subca.crt chain cyberrootca.crt key cybersec-subca.key } } cert-lifespan 30 cert-lookup-by-ipaddr-port disabled chain cyberrootca.crt cipher-group none ciphers DEFAULT client-cert-ca none crl-file none defaults-from clientssl destination-ip-blacklist none destination-ip-whitelist none forward-proxy-bypass-default-action intercept generic-alert enabled handshake-timeout 10 hostname-blacklist none hostname-whitelist none inherit-certkeychain false key cybersec-subca.key max-active-handshakes indefinite max-aggregate-renegotiation-per-minute indefinite max-renegotiations-per-minute 5 maximum-record-size 16384 mod-ssl-methods disabled mode enabled notify-cert-status-to-virtual-server disabled ocsp-stapling disabled options { dont-insert-empty-fragments } passphrase none peer-cert-mode ignore peer-no-renegotiate-timeout 10 proxy-ca-cert cybersec-subca.crt proxy-ca-key cybersec-subca.key proxy-ssl disabled proxy-ssl-passthrough disabled renegotiate-max-record-delay indefinite renegotiate-period indefinite renegotiate-size indefinite renegotiation enabled retain-certificate true secure-renegotiation require server-name none session-mirroring disabled session-ticket disabled session-ticket-timeout 0 sni-default false sni-require false source-ip-blacklist none source-ip-whitelist none ssl-forward-proxy enabled ssl-forward-proxy-bypass enabled ssl-sign-hash sha256 strict-resume disabled unclean-shutdown enabled } ltm profile server-ssl SSLi-Ingress-Server { app-service none ca-file ca-bundle.crt cert ca-bundle.crt defaults-from serverssl key default.key peer-cert-mode require secure-renegotiation request ssl-forward-proxy enabled ssl-forward-proxy-bypass enabled ssl-sign-hash sha256 }
Ajac
Nimbostratus
Oct 23, 2017
Hi,

I am experiencing the exact same issue as JamesE, but in my case it started after an upgrade to version 13 (from 12.1.2). For some sites the f5 proxy issues a SHA-1 certificate instead of a SHA-256 certificate. I have set the "SSL Sign Hash" option to SHA256 as per your advice, but no luck.

Any other advice, or should I start a case on this?

//A
JamesE_234305
Nimbostratus
Oct 23, 2017
ltm virtual SSLi-Ingress { destination 0.0.0.0:any ip-protocol tcp mask any pool SSL-Ingress-Any profiles { SSLi-Ingress-Client { context clientside } SSLi-Ingress-Server { context serverside } http { } tcp { } } rules { SSLi-with-URL } source 0.0.0.0/0 source-address-translation { type automap } translate-address disabled translate-port enabled vs-index 18 }

ltm profile client-ssl SSLi-Ingress-Client { alert-timeout indefinite allow-dynamic-record-sizing disabled allow-expired-crl disabled allow-non-ssl disabled app-service none authenticate once authenticate-depth 9 bypass-on-client-cert-fail disabled bypass-on-handshake-alert disabled ca-file none cache-size 262144 cache-timeout 3600 cert cybersec-subca.crt cert-extension-includes { basic-constraints extended-key-usage subject-alternative-name } cert-key-chain { cybersec-subca_cyberrootca { cert cybersec-subca.crt chain cyberrootca.crt key cybersec-subca.key } } cert-lifespan 30 cert-lookup-by-ipaddr-port disabled chain cyberrootca.crt cipher-group none ciphers DEFAULT client-cert-ca none crl-file none defaults-from clientssl destination-ip-blacklist none destination-ip-whitelist none forward-proxy-bypass-default-action intercept generic-alert enabled handshake-timeout 10 hostname-blacklist none hostname-whitelist none inherit-certkeychain false key cybersec-subca.key max-active-handshakes indefinite max-aggregate-renegotiation-per-minute indefinite max-renegotiations-per-minute 5 maximum-record-size 16384 mod-ssl-methods disabled mode enabled notify-cert-status-to-virtual-server disabled ocsp-stapling disabled options { dont-insert-empty-fragments } passphrase none peer-cert-mode ignore peer-no-renegotiate-timeout 10 proxy-ca-cert cybersec-subca.crt proxy-ca-key cybersec-subca.key proxy-ssl disabled proxy-ssl-passthrough disabled renegotiate-max-record-delay indefinite renegotiate-period indefinite renegotiate-size indefinite renegotiation enabled retain-certificate true secure-renegotiation require server-name none session-mirroring disabled session-ticket disabled session-ticket-timeout 0 sni-default false sni-require false source-ip-blacklist none source-ip-whitelist none ssl-forward-proxy enabled ssl-forward-proxy-bypass enabled ssl-sign-hash sha256 strict-resume disabled unclean-shutdown enabled } ltm profile server-ssl SSLi-Ingress-Server { app-service none ca-file ca-bundle.crt cert ca-bundle.crt defaults-from serverssl key default.key peer-cert-mode require secure-renegotiation request ssl-forward-proxy enabled ssl-forward-proxy-bypass enabled ssl-sign-hash sha256 }
JamesE_234305
Nimbostratus
Oct 23, 2017
I also tried using SSL Orchestrator and getting the same response. Below are some of the sites that I randomly tried and get SHA1 instead of SHA256.

trading.scottrade.com
Kevin_K_51432
Historic F5 Account
Oct 23, 2017
Greetings,

We usually wait to publish bug details until there's a fix or workaround. Quite a few people are running into this, so it seems best to publish the bug details early. You may be able to request an engineering hotfix for this as well if you open a case with support:

K11425420: SSL Forward Proxy or F5 Herculon SSL Orchestrator may sign SSL certificates using SHA1 algorithm

https://support.f5.com/csp/article/K11425420

Hope this is helpful!

Kevin
- Stanislas_Piro2
  Cumulonimbus
  May 04, 2018
  Hi Kevin,
  
  I still have this bug in version 13.1.0.6.
- Kevin_K_51432
  Historic F5 Account
  May 04, 2018
  Hi Stanislas,
  
  That's frustrating. You'll have to open a support case to troubleshoot this. The feature has quite a few components, so it's difficult for me to say what's happening.
  
  I did a customer case query and don't see any cases after 13.0.0, which is odd (if this is still happening).
  
  Sorry I couldn't offer more help!
  
  Kevin
Pedro_Roure_249
Altostratus
Jul 05, 2018
Same problem here in a deployment of APM + SWG with SSL Interception. Some certificates are generated using SHA1 and the Chrome browser (at latest version in the momment) is complaining with this error:

net::ERR_CERT_WEAK_SIGNATURE_ALGORITHM

Anyone solved this issue ?
- JamesE_234305
  Nimbostratus
  Jul 06, 2018
  The issue with SHA1 certificates being issued was fixed for me in 13.1.
- boneyard
  MVP
  Jul 07, 2018
  if you aren't on 13.1 and as pointed out a few times, please also open a F5 support ticket for such issues and please report back and feedback from there.
- Pedro_Roure_249
  Altostratus
  Jul 09, 2018
  Using the following version: BIG-IP 13.1.0.7 Build 0.0.1 Point Release 7.
Pedro_Roure_249
Altostratus
Jul 26, 2018
I opened a support ticket with F5 and the F5 engineer who answered the ticket made the following recommendation:

"configure a trusted certificate authority bundle in the server ssl profile. The default bundle contains many well-known public CA certs for server-side processing."

After I did this, the problem was solved.

Thanks.

Forum Discussion

SSL Intercept SHA1 Certificate

15 Replies

Recent Discussions

minimum tmos software version for connect CIS (openshift)

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5 Rseries HA

Need advise to setup a policy on F5

F5 Rseries R2600 Tenant sizing

Related Content

Re: Management Certificate

Automating ACMEv2 Certificate Management on BIG-IP

Automate Let's Encrypt Certificates on BIG-IP

My Security+ Certification Journey

DNS Interception: Protecting the Client