For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

carol's avatar
carol
Icon for Altostratus rankAltostratus
Feb 24, 2020
Solved

ECDSA certificates - do not seeem to be presented

Hello,   We have recntly got a first ECDSA certificate. When I tried to configure the SSL profile it did not let me because at least one RSA certificate must be included. We do not have one for t...
application delivery
BIG-IP
LTM
  • Grumpy_Cat's avatar
    Grumpy_Cat
    Feb 24, 2020

    Hi Carol,

     

    I suspect this is to do with your cipher group/string though we haven't been using these key exchanges yet. The article you provided states use 'ECDHE' but this will include all suites using RSA key exchange. For example:

    # tmm --clientciphers 'ECDHE'    

        ID SUITE              BITS PROT  CIPHER       MAC   KEYX

     0: 49199 ECDHE-RSA-AES128-GCM-SHA256   128 TLS1.2 AES-GCM       SHA256 ECDHE_RSA 

     1: 49171 ECDHE-RSA-AES128-CBC-SHA     128 TLS1  AES         SHA   ECDHE_RSA 

     2: 49171 ECDHE-RSA-AES128-CBC-SHA     128 TLS1.1 AES         SHA   ECDHE_RSA 

     3: 49171 ECDHE-RSA-AES128-CBC-SHA     128 TLS1.2 AES         SHA   ECDHE_RSA 

     4: 49171 ECDHE-RSA-AES128-CBC-SHA     128 DTLS1 AES         SHA   ECDHE_RSA 

     5: 49191 ECDHE-RSA-AES128-SHA256     128 TLS1.2 AES         SHA256 ECDHE_RSA 

     6: 49200 ECDHE-RSA-AES256-GCM-SHA384   256 TLS1.2 AES-GCM       SHA384 ECDHE_RSA 

     7: 49172 ECDHE-RSA-AES256-CBC-SHA     256 TLS1  AES         SHA   ECDHE_RSA 

     8: 49172 ECDHE-RSA-AES256-CBC-SHA     256 TLS1.1 AES         SHA   ECDHE_RSA 

     9: 49172 ECDHE-RSA-AES256-CBC-SHA     256 TLS1.2 AES         SHA   ECDHE_RSA 

    10: 49172 ECDHE-RSA-AES256-CBC-SHA     256 DTLS1 AES         SHA   ECDHE_RSA 

    11: 49192 ECDHE-RSA-AES256-SHA384     256 TLS1.2 AES         SHA384 ECDHE_RSA 

    12: 52392 ECDHE-RSA-CHACHA20-POLY1305-SHA256  256 TLS1.2 CHACHA20-POLY1305  NULL  ECDHE_RSA 

    13: 49170 ECDHE-RSA-DES-CBC3-SHA      168 TLS1  DES         SHA   ECDHE_RSA 

    14: 49170 ECDHE-RSA-DES-CBC3-SHA      168 TLS1.1 DES         SHA   ECDHE_RSA 

    15: 49170 ECDHE-RSA-DES-CBC3-SHA      168 TLS1.2 DES         SHA   ECDHE_RSA 

     

    You'll need to specify 'ECDHE_ECDSA' to only offer ECDSA key exchange cipher suites. Hopefully that'll do the job.

     

    Kind regards

    Ben

carol's avatar
carol
Icon for Altostratus rankAltostratus
Feb 26, 2020

Hello. Indeed that was the issue. Now I am stuck with another one. The VIP currently has some none ECDSA servers and I cannot mix the SSL profiles. So I tried to use a generic VIP and target the final VIP using a policy (https://devcentral.f5.com/s/articles/sni-routing-with-big-ip-31348) to get the traffic to the right server but it fails so far (in fact some of my colleagues did try VIP targeting in the past and failed but we never looked into it deeper). To be continued :-). Thank you!