clientssl profile with ECC certificate needs RSA Certificate
Greetings, it looks like at least one RSA cert & key is required. You could try preferring ECC, instead of only using (as above) with:
ECDH_ECDSA:DEFAULT
I would assume BIG-IP bases which cert / key to use based on the client's preference in the initial handshake.
Kevin
- jmanya_44531 Mar 08, 2017 Nimbostratus
Hi Kevin, thanks a lot for your answer.
You said "I would assume BIG-IP bases which cert / key to use based on the client's preference in the initial handshake." Since RSA has been widely used in the industry, it is supposed that the client's preference will be to use the RSA certificate instead of the ECC one. So, how could I force the usage of the ECC no matter the preferences of the browser? I have tried installing the ECC in an Apache and it works fine, but LTM needs an RSA+ECC, which makes my deployment more difficult.
Thanks in advance.
Regards
Jorge
- Kevin_K_51432 Mar 08, 2017 Historic F5 Account
Hi Jorge, the server chooses the cipher suite. So if the client prefers RSA, but supports ECC, BIG-IP will still choose the ECC certificate based on:
ECDH_ECDSA:DEFAULT
Kevin
- jmanya_44531 Mar 10, 2017 Nimbostratus
Hi Kevin,
I really appreciate your help.
How could I combine the ECDH_ECDSA:DEFAULT cipher with a customized one I have, which is NATIVE:!MD5:!EXPORT:!DES:!DHE:!EDH:@SPEED?
Thanks
- Kevin_K_51432 Mar 13, 2017 Historic F5 Account
Hi, you're very welcome. You can just add the ECDH_ECDSA cipher string to the beginning of your current cipher configuration:
ECDH_ECDSA:NATIVE:!MD5:!EXPORT:!DES:!DHE:!EDH:@SPEED
Kevin
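An added example, not part of any post above and not BIG-IP code: a simplified model of server-preference cipher selection, the behaviour described in the thread, showing which certificate type results for a client that prefers RSA and for an RSA-only client. The suite lists, the `negotiate` function and the client profiles are constructed for illustration; how BIG-IP expands a cipher string is not modelled.

```python
# Simplified model of TLS cipher-suite selection (illustrative, not BIG-IP code).
# Maps OpenSSL-style suite names to the certificate key type they require.
SUITE_AUTH = {
    "ECDHE-ECDSA-AES128-GCM-SHA256": "ECDSA",
    "ECDHE-ECDSA-AES256-GCM-SHA384": "ECDSA",
    "ECDHE-RSA-AES128-GCM-SHA256": "RSA",
    "ECDHE-RSA-AES256-GCM-SHA384": "RSA",
    "AES128-GCM-SHA256": "RSA",
}

# Constructed server list: ECDSA suites placed ahead of the RSA ones,
# modelling an ECDSA keyword prepended to an existing cipher string.
SERVER_ORDER = [
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "AES128-GCM-SHA256",
]

# Constructed clients: one lists RSA first but also supports ECDSA,
# the other supports RSA key exchange only.
MODERN_CLIENT = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "AES128-GCM-SHA256",
]
LEGACY_CLIENT = ["AES128-GCM-SHA256"]


def negotiate(server_order, client_order, server_certs, honor_server_order=True):
    """Return (suite, cert_type), or None when there is no usable overlap.

    server_certs is the set of key types the profile holds a cert/key for.
    """
    # A suite is only usable if the server has a matching certificate type.
    usable = [s for s in server_order if SUITE_AUTH[s] in server_certs]
    if honor_server_order:
        walk, other = usable, set(client_order)
    else:
        walk, other = client_order, set(usable)
    for suite in walk:
        if suite in other:
            return suite, SUITE_AUTH[suite]
    return None


if __name__ == "__main__":
    for name, client in (("modern", MODERN_CLIENT), ("legacy", LEGACY_CLIENT)):
        print(name, negotiate(SERVER_ORDER, client, {"ECDSA", "RSA"}))
```

In this model the RSA-only client gets no handshake at all when the profile holds only an ECDSA certificate, which is the case a second RSA cert and key covers.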