Forum Discussion
AltostratusECDSA certificates - do not seeem to be presented
Hello,
We have recntly got a first ECDSA certificate. When I tried to configure the SSL profile it did not let me because at least one RSA certificate must be included. We do not have one for this url so I picked the self signed one hoping that would be just a fallback for really old browsers. But when checking the URL with the browsers (Chrome and Firerefox - up to date) I only get presented the second - RSA - certificate. I am sure this is not a limitation on the Browser side, so I am wondering if the F5 bigip maybe does not present it. The question is why? I was thinking that maybe the cipher suites that go along in the SSL profile are not all compatible with the ECDSA certificate, but there are several that should be. The documentation (https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ssl-administration-13-0-0/8.html) does not secify anything else (I am actually running 12 but should not make a big difference. Any ideas?
Regards
Carol
Hi Carol,
I suspect this is to do with your cipher group/string though we haven't been using these key exchanges yet. The article you provided states use 'ECDHE' but this will include all suites using RSA key exchange. For example:
# tmm --clientciphers 'ECDHE'
ID SUITE BITS PROT CIPHER MAC KEYX
0: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 AES-GCM SHA256 ECDHE_RSA
1: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 AES SHA ECDHE_RSA
2: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 AES SHA ECDHE_RSA
3: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 AES SHA ECDHE_RSA
4: 49171 ECDHE-RSA-AES128-CBC-SHA 128 DTLS1 AES SHA ECDHE_RSA
5: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 AES SHA256 ECDHE_RSA
6: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 AES-GCM SHA384 ECDHE_RSA
7: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 AES SHA ECDHE_RSA
8: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 AES SHA ECDHE_RSA
9: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 AES SHA ECDHE_RSA
10: 49172 ECDHE-RSA-AES256-CBC-SHA 256 DTLS1 AES SHA ECDHE_RSA
11: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 AES SHA384 ECDHE_RSA
12: 52392 ECDHE-RSA-CHACHA20-POLY1305-SHA256 256 TLS1.2 CHACHA20-POLY1305 NULL ECDHE_RSA
13: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1 DES SHA ECDHE_RSA
14: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1.1 DES SHA ECDHE_RSA
15: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1.2 DES SHA ECDHE_RSA
You'll need to specify 'ECDHE_ECDSA' to only offer ECDSA key exchange cipher suites. Hopefully that'll do the job.
Kind regards
Ben
Grumpy_CatCirrus
Hi Carol,
I suspect this is to do with your cipher group/string though we haven't been using these key exchanges yet. The article you provided states use 'ECDHE' but this will include all suites using RSA key exchange. For example:
# tmm --clientciphers 'ECDHE'
ID SUITE BITS PROT CIPHER MAC KEYX
0: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 AES-GCM SHA256 ECDHE_RSA
1: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 AES SHA ECDHE_RSA
2: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 AES SHA ECDHE_RSA
3: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 AES SHA ECDHE_RSA
4: 49171 ECDHE-RSA-AES128-CBC-SHA 128 DTLS1 AES SHA ECDHE_RSA
5: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 AES SHA256 ECDHE_RSA
6: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 AES-GCM SHA384 ECDHE_RSA
7: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 AES SHA ECDHE_RSA
8: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 AES SHA ECDHE_RSA
9: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 AES SHA ECDHE_RSA
10: 49172 ECDHE-RSA-AES256-CBC-SHA 256 DTLS1 AES SHA ECDHE_RSA
11: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 AES SHA384 ECDHE_RSA
12: 52392 ECDHE-RSA-CHACHA20-POLY1305-SHA256 256 TLS1.2 CHACHA20-POLY1305 NULL ECDHE_RSA
13: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1 DES SHA ECDHE_RSA
14: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1.1 DES SHA ECDHE_RSA
15: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1.2 DES SHA ECDHE_RSA
You'll need to specify 'ECDHE_ECDSA' to only offer ECDSA key exchange cipher suites. Hopefully that'll do the job.
Kind regards
Ben
- carol
Hello. Indeed that was the issue. Now I am stuck with another one. The VIP currently has some none ECDSA servers and I cannot mix the SSL profiles. So I tried to use a generic VIP and target the final VIP using a policy (https://devcentral.f5.com/s/articles/sni-routing-with-big-ip-31348) to get the traffic to the right server but it fails so far (in fact some of my colleagues did try VIP targeting in the past and failed but we never looked into it deeper). To be continued :-). Thank you!