Akhtar_109015
Mar 02, 2014

SHA-2 issues in client SSL profile

Hello,

 

I have run into an issue where, when I apply a SHA-2 certificate in the client profile, the SSL session doesn't complete and the webpage doesn't open. But it works fine with a SHA-1 certificate. We are running software version 11.4, which I believe supports the SHA-2 cipher. This might be a browser compatibility issue. Has anyone faced a similar problem before?

 

As per NIST regulations: For SSL Certificates expiring before December 31, 2016, you can still use SHA-1 to generate your SSL Certificate. However, when ordering or renewing any SSL Certificate that expires after December 31, 2016, SHA-2 is automatically selected by default.

 

Regards, Akhtar

 

4 Replies

  • FYI: after further research, disabling TLS 1.2 on the server-side SSL profile fixes this issue.

     

    Now we need to understand why LTM did not negotiate a lower TLS version if it needs to do this. The same cipher should work for TLS 1.2 and/or TLS 1.1. This is what I see using; I don't have access as of now to use openssl and specify TLS 1.1 or TLS 1.2 only, working on that.

     

    openssl s_client -connect x.x.x.x
    SSL-Session:
        Protocol : TLSv1
        Cipher : AES256-SHA

     

    Thanks, ccna55
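
The per-version check that the reply above says is still pending, as an added example that is not part of the thread: it forces one TLS version per handshake with `openssl s_client` and reads the negotiated protocol and cipher from the SSL-Session block. The function names and the two sample outputs are constructed for illustration; `host:port` is whatever backend you are testing.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): force a single TLS version per handshake
# and report what was negotiated, read from s_client's SSL-Session block.

# parse_session: read `openssl s_client` output on stdin, print "<protocol> <cipher>".
# Prints FAILED when no session was established (no block, or cipher 0000 / (NONE)).
parse_session() {
    awk '
        { sub(/[ \t\r]+$/, "") }                     # drop trailing blanks and CRs
        /^SSL-Session:/             { in_sess = 1; next }
        in_sess && /^ *Protocol *:/ { sub(/^[^:]*: */, ""); proto = $0 }
        in_sess && /^ *Cipher *:/   { sub(/^[^:]*: */, ""); cipher = $0 }
        END {
            if (proto == "" || cipher == "" || cipher == "0000" || cipher == "(NONE)")
                print "FAILED"
            else
                print proto, cipher
        }'
}

# probe: handshake with host:port ($1) using exactly one protocol flag ($2).
probe() {
    openssl s_client -connect "$1" "$2" </dev/null 2>/dev/null | parse_session
}

# sig_alg: signature algorithm of the leaf certificate the peer presents.
sig_alg() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -text |
        awk -F': *' '/Signature Algorithm/ { print $2; exit }'
}

# Constructed sample: the SSL-Session values quoted in the thread.
SAMPLE_OK='SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA'
# Constructed sample: a handshake that did not complete (older OpenSSL output shape).
SAMPLE_FAIL='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000'

# Live use: pass host:port as the only argument; nothing is contacted without it.
if [ $# -eq 1 ]; then
    echo "certificate signature: $(sig_alg "$1")"
    for flag in -tls1 -tls1_1 -tls1_2; do
        echo "$flag => $(probe "$1" "$flag")"
    done
fi
```

A `FAILED` result for `-tls1` or `-tls1_1` can also come from the local OpenSSL build refusing those versions, so confirm with a client known to allow them before blaming the peer.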

     

  • Was this ever answered?

     

    We have the same issue with a new SHA2 cert, and IIS does not work when we have the same SHA2 cert in the Client/Server SSL profile and also on the server.

     

    If we put the old SHA1 cert on the server and use the new/old cert (SHA1 or SHA2 or anything else) on the LTMs, it will work fine. However, when we use the same SHA2 cert throughout the session, this connection does not work. And yes, we have the vendor engaged, and at this time they also cannot figure it out. This is confirmed with Chrome/FF31.

     

    We have many other VIPs using the SHA2 cert without issue, so this one is very odd. When we do a pass-through (no SSL bridging/offloading) for this site, all works fine and it opens with the SHA2 cert. It's just when we use the same cert throughout the connection while SSL bridging the connection (Client/Server SSL profile and also on the server) that it fails. Also note that in our testing the handshake between client and LTM seems OK; it appears to break between the server SSL profile and the web server.

     

    LTM Version 11.4.1 HF7
    Server = Microsoft-IIS/8.5

     

    Thanks,

     

    ccna55

     

  • Hi,

     

    Please share the output of the command below from TMSH.

     

    show running-config ltm profile client-ssl

     

  • Hi Akhtar,

     

    The issue is with the OS or browser. Clients such as Windows XP SP2 are unable to verify such certificates. One way to figure it out is: let the client connect to a VS with a SHA1 cert. Check the User-Agent string. If it's a good browser (it supports SHA256 certs), redirect it to a different VS with a SHA256 cert; otherwise just balance the request or send an error message.

     

    This does not work properly if the users are connecting through a proxy.

     

    So I suggest determining whether the browser making the request supports it or not. As far as I know, IE running on XP with SP3 will support the SHA2 certificates (not SNI data).

     

    So you would need to terminate the unsupported browsers with a weaker certificate and then present the client with an alternate page that gives the option to click through if they confirm that SP3 is installed, or something along those lines.