Forum Discussion
clientssl profile with ECC certificate needs RSA Certificate
Hello guys,
Hope you could support me in the following matter.
I have already purchased an ECC wildcard certificate and I wanted to attach it to a virtual server in my BIG-IP 4200 LTM box, which is running version 12.1.2.
Everything went well until I got an error when creating an SSL client profile. It said "010717e3:3: Client SSL profile must have RSA certificate/key pair.", so I investigated and found that an RSA certificate/key is needed in the profile besides the ECC pair. Therefore, I have the following questions about it:
Do I need to generate two certificates (one ECC and the other RSA) with the same FQDN on them? Is it possible? I am using Entrust to generate my certificates.
How could I figure out which certificate the BIG-IP is showing to the client? How does the BIG-IP select which certificate to show?
Is there any possibility to make the BIG-IP allow the creation of an SSL profile which uses an ECC certificate/key? In future releases perhaps?
I have performed a couple of tests and it seems like the BIG-IP is always showing the RSA certificate.
Thanks in advance for your help.
Best regards
- masterdead (Nimbostratus)
Try allowing the ECDHE_ECDSA cipher in the SSL profile.
- Kevin_K_51432 (Historic F5 Account)
Greetings. It looks like at least one RSA cert & key is required. You could try preferring ECC, instead of only using it (as above), with:
ECDH_ECDSA:DEFAULT
I would assume BIG-IP bases which cert/key to use on the client's preference in the initial handshake.
Kevin
- jmanya_44531 (Nimbostratus)
Hi Kevin, thanks a lot for your answer.
You said "I would assume BIG-IP bases which cert/key to use on the client's preference in the initial handshake." Since RSA has been widely used in the industry, it is supposed that the client's preference will be to use the RSA certificate instead of the ECC one. So, how could I force the usage of ECC regardless of the browser's preferences? I have tried installing the ECC certificate in an Apache server and it works fine, but LTM needs RSA+ECC, which makes my deployment more difficult.
Thanks in advance.
Regards
Jorge
- Kevin_K_51432 (Historic F5 Account)
Hi Jorge. The server chooses the cipher suite. So if the client prefers RSA but supports ECC, BIG-IP will still choose the ECC certificate based on:
ECDH_ECDSA:DEFAULT
Kevin
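The point Kevin makes above (the server, not the client, picks the cipher suite and therefore the certificate) can be reproduced locally. What follows is an added example, not code from the thread or from F5: `openssl s_server` stands in for the clientssl profile, holding an RSA and an ECC certificate for the same name, and `openssl s_client` plays a client with three different cipher offerings. It assumes `openssl` 1.1.0 or later on PATH and that local port 14433 (override with DEMO_PORT) is free; the certificates are self-signed and generated on the fly, so nothing here touches a real CA or a real BIG-IP.

```shell
#!/bin/sh
# Added example (not from the thread or from F5): show that the TLS server,
# not the client, decides whether the RSA or the ECC certificate is sent.
# Assumes: openssl >= 1.1.0 on PATH, local port $PORT free.
set -e

PORT="${DEMO_PORT:-14433}"
WORK="$(mktemp -d)"
SERVER_PID=""
cleanup() { [ -n "$SERVER_PID" ] && kill "$SERVER_PID" 2>/dev/null; rm -rf "$WORK"; }
trap cleanup EXIT

# Generate an RSA and an ECC (P-256) key/cert pair with the same subject name
# (constructed, self-signed test material, one day of validity).
make_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=www.example.test" \
    -keyout "$WORK/rsa.key" -out "$WORK/rsa.crt" >/dev/null 2>&1
  openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/ecc.key"
  openssl req -x509 -new -key "$WORK/ecc.key" -days 1 -subj "/CN=www.example.test" \
    -out "$WORK/ecc.crt" >/dev/null 2>&1
}

# Start a TLS 1.2 server that holds BOTH pairs (-cert/-key and -dcert/-dkey).
# -serverpref makes the server's cipher order win, as BIG-IP does; the ECDSA
# suite is listed first, which is what ECDHE_ECDSA:DEFAULT expresses on BIG-IP.
start_server() {
  openssl s_server -accept "$PORT" -tls1_2 -www -serverpref \
    -cert "$WORK/rsa.crt" -key "$WORK/rsa.key" \
    -dcert "$WORK/ecc.crt" -dkey "$WORK/ecc.key" \
    -cipher "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256" \
    >/dev/null 2>&1 &
  SERVER_PID=$!
  # Wait until the listener answers a handshake (up to ~15 s).
  i=0
  while ! openssl s_client -connect "127.0.0.1:$PORT" </dev/null >/dev/null 2>&1; do
    i=$((i + 1)); [ "$i" -lt 15 ] || { echo "server did not start" >&2; return 1; }
    sleep 1
  done
}

# Connect offering only the given cipher list (client's order) and report the
# public-key algorithm of the leaf certificate the server actually presented.
served_key_alg() {
  openssl s_client -connect "127.0.0.1:$PORT" -tls1_2 -cipher "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -text \
    | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1
}

make_certs
start_server
ECDSA_ONLY="$(served_key_alg ECDHE-ECDSA-AES128-GCM-SHA256)"
RSA_ONLY="$(served_key_alg ECDHE-RSA-AES128-GCM-SHA256)"
# Client PREFERS RSA but also offers ECDSA: server preference still yields ECC.
RSA_PREFERRED="$(served_key_alg ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256)"
echo "client offers ECDSA only     -> $ECDSA_ONLY"
echo "client offers RSA only       -> $RSA_ONLY"
echo "client prefers RSA, has both -> $RSA_PREFERRED"
```

The first two probes show that a client which can only do one key type forces that certificate, so holding both pairs is what lets a single virtual server serve old RSA-only clients and ECC-capable ones. The third probe is the case Jorge worries about: the browser lists RSA first, yet the server's order wins and the ECC certificate is sent. Drop `-serverpref` and that third result flips to `rsaEncryption`, because OpenSSL then honours the client's order. Against a real BIG-IP the same `openssl s_client -cipher ... -tls1_2` probes, reading the `Public Key Algorithm` line of the returned certificate, answer the question of which certificate is being shown; on the box itself, `tmm --clientciphers 'ECDHE_ECDSA:DEFAULT'` (an F5 command, run from the BIG-IP shell) prints the suites a cipher string expands to in the order the profile will use them.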
- jmanya_44531 (Nimbostratus)
Hi Kevin,
I really appreciate your help.
How could I combine the ECDH_ECDSA:DEFAULT cipher with a customized one I have, which is NATIVE:!MD5:!EXPORT:!DES:!DHE:!EDH:@SPEED?
Thanks
- arpydays (Nimbostratus)
Hi,
Yes, you do need both certs. Ask your cert provider whether the RSA cert you have purchased has the option for ECC as well, and get them to generate one; otherwise you may need to buy a cert product that supports RSA & ECC and get both certs. At least this is what I did when configuring it. If you only want to allow ECC with clients, then restrict the ciphers as stated by masterdead. Cheers
- nice2k_353973 (Nimbostratus)
Hi Everyone,
I am facing the same issue and adding ECDH_ECDSA to the ciphers does not seem to solve it.
We already had an RSA certificate, so I just added the ECC key chain to the SSL profile, but SSL Labs always puts the RSA certificate as #1, and only IE11 on Windows 7 and 8.1 prefers ECC.
Here's our cipher config: ECDHE_ECDSA:DEFAULT:!DHE:!3DES:@SPEED:ECDHE
I tried without the :DEFAULT and also without the ending :ECDHE, but with no success :(
Could you help me please ?
Thank you very much.
- jmanya_44531 (Nimbostratus)
Hello nice2k:
Try adding the following in the cipher field of the SSL profile:
ECDHE_ECDSA+TLSv1_2:!MD5:!EXPORT:!DES:!SSLv2:!SSLv3:!ADH:!RC4:!DHE:!EDH:SHA1:@SPEED
It worked for me... SSL Labs gave me an A grade...