For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Daniel_Varela's avatar
Daniel_Varela
Icon for Employee rankEmployee
Jan 05, 2018

ECDSA only clientssl profiles

Hi,   Does someone know if it is planned to support clientssl profiles with only ECDSA keys? I think is not useful to require RSA keys as pretty much any modern browser support these type o keys ...
application delivery
ciphers
clientssl
ecdsa
LTM
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Jan 08, 2018

If I recall, there's an actual mechanical reason why the F5 minimally requires an RSA cert/key, but I don't remember the details.

 

In any case, it's reasonably straightforward to work around this:

 

  • Define your EC cert/key in the client SSL profile
  • Also define a generic RSA cert/key (the built-in Default will do)
  • Modify the Ciphers list so that only ECDHE_ECDSA is allowed (ex. ECDHE_ECDSA)

The F5 will choose the server certificate to present based on the handshake algorithm selected, so in this case you must force it to use ECDSA. And since you're only allowing ECDSA based on the cipher string, only the EC cert/key will ever be used (and any client that doesn't support ECDSA will naturally fail).