Forum Discussion
Regarding signature algorithm
Hi All,
We are seeing an issue where, when we send TLSv1.2 to the server (i.e. a server-ssl profile is present), it drops the connection. When I send TLSv1, the connection is successful. My client did debugging at the server and found that when we present TLSv1.2 to the server we should also present signature_algorithm as SHA2, and is asking us to enable that. I am pretty sure we can't enable such config on server-ssl or anywhere else on LTM, but I still need your suggestion on how to proceed. Can this be done at LTM?
I am attaching a screenshot of the client hello where it shows the signature algorithm.
Thanks
7 Replies
- Amit585731
Nimbostratus
Sorry, missed the image...
- Amit585731
Nimbostratus
Dear Experts, any suggestions please? Thanks.
- Valentine_96813
Nimbostratus
Try this solution. I think this is what you need to know. https://support.f5.com/kb/en-us/solutions/public/15000/100/sol15194.html
- Amit585731
Nimbostratus
Hi Valentine, thanks for the suggestion, but I tried all ciphers in server-ssl, including TLSv1.2+SHA256, and it didn't work. In order to make this work I also tried adding the cert and key with the same signer present at the server to the server-ssl profile, but that didn't help either. Please suggest whether there is a way we can make this work. Thanks.
- Minn_62043
Cirrostratus
According to RFC 5246, signature_algorithm is not strictly required. Anyway, from the screenshot I couldn't see the Data part in "signature_algorithm". There are 32 bytes of Data in signature_algorithm. If you click that row, you will see some details, and they should describe the list of hash and signature algorithms supported by F5. You can verify whether the list contains the pair with SHA256.
What is really the server's requirement? That the client must use SHA-2 and include the ability in the signature_algorithm extension?
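The check Minn describes, opening the signature_algorithms row of the ClientHello and looking for a SHA-2 pair, can be done on captured bytes without a GUI. The following Python is an added example written for this thread; it is not F5 code, not an LTM or iRule configuration, and not from any poster. It encodes and decodes the signature_algorithms extension (type 13) exactly as laid out in RFC 5246 section 7.4.1.4.1, over a constructed extensions block rather than a real capture, and shows why the extension data seen in the screenshot is 32 bytes: a 2-byte length plus 15 two-byte hash/signature pairs.

```python
import struct

# Extension type and code points from RFC 5246 section 7.4.1.4.1.
SIGNATURE_ALGORITHMS = 13
HASH_NAMES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224",
              4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}
SHA2_HASHES = {3, 4, 5, 6}  # sha224, sha256, sha384, sha512


def build_extension(ext_type, ext_data):
    """Wrap ext_data in the generic TLS Extension framing: type(2) len(2) data."""
    return struct.pack("!HH", ext_type, len(ext_data)) + ext_data


def build_signature_algorithms(pairs):
    """Encode a signature_algorithms extension from (HashAlgorithm, SignatureAlgorithm)
    pairs. The extension data is a 2-byte list length followed by 2 bytes per pair."""
    body = b"".join(bytes([h, s]) for h, s in pairs)
    return build_extension(SIGNATURE_ALGORITHMS, struct.pack("!H", len(body)) + body)


def build_extensions_block(extensions):
    """Encode the ClientHello extensions field: 2-byte total length, then the extensions."""
    body = b"".join(extensions)
    return struct.pack("!H", len(body)) + body


def parse_extensions(blob):
    """Parse a ClientHello extensions block into {type: data}; raise on truncation."""
    if len(blob) < 2:
        raise ValueError("extensions block too short")
    (total,) = struct.unpack("!H", blob[:2])
    end = 2 + total
    if end > len(blob):
        raise ValueError("extensions length exceeds buffer")
    pos, exts = 2, {}
    while pos < end:
        if pos + 4 > end:
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", blob[pos:pos + 4])
        pos += 4
        if pos + ext_len > end:
            raise ValueError("truncated extension data")
        exts[ext_type] = blob[pos:pos + ext_len]
        pos += ext_len
    return exts


def signature_algorithms(extensions):
    """Return the offered (hash, sig) pairs, or None when the extension is absent
    (a TLS 1.0/1.1 ClientHello, or a TLS 1.2 client relying on the RFC defaults)."""
    data = extensions.get(SIGNATURE_ALGORITHMS)
    if data is None:
        return None
    (length,) = struct.unpack("!H", data[:2])
    if length % 2 or 2 + length != len(data):
        raise ValueError("malformed signature_algorithms data")
    return [(data[i], data[i + 1]) for i in range(2, 2 + length, 2)]


def describe(pairs):
    """Render pairs as 'hash/signature' strings, e.g. 'sha256/rsa'."""
    return ["%s/%s" % (HASH_NAMES.get(h, "hash(%d)" % h),
                       SIG_NAMES.get(s, "sig(%d)" % s)) for h, s in pairs]


def offers_sha2(pairs):
    """True if at least one offered pair uses a SHA-2 hash."""
    return any(h in SHA2_HASHES for h, s in pairs)


def check(blob):
    """Summarise what an extensions block offers in signature_algorithms."""
    pairs = signature_algorithms(parse_extensions(blob))
    if pairs is None:
        return {"present": False, "sha2": False, "pairs": []}
    return {"present": True, "sha2": offers_sha2(pairs), "pairs": describe(pairs)}


# Constructed sample data (not a real capture). server_name (type 0) carries
# 'example.com'; the signature_algorithms list has 15 pairs, so its extension
# data is 2 + 30 = 32 bytes, matching the size mentioned in the thread.
SNI = build_extension(0, b"\x00\x0e\x00\x00\x0bexample.com")
TLS12_PAIRS = [(6, 1), (5, 1), (4, 1), (3, 1), (2, 1), (1, 1),
               (6, 3), (5, 3), (4, 3), (3, 3), (2, 3), (1, 3),
               (6, 2), (4, 2), (2, 2)]
TLS12_EXTENSIONS = build_extensions_block([SNI, build_signature_algorithms(TLS12_PAIRS)])
# A TLS 1.0 style hello carries no signature_algorithms extension at all.
TLS10_EXTENSIONS = build_extensions_block([SNI])

if __name__ == "__main__":
    for label, blob in (("TLS1.2", TLS12_EXTENSIONS), ("TLS1.0", TLS10_EXTENSIONS)):
        print(label, check(blob))
```

To use it on a real hello, slice the extensions field out of the ClientHello body (it follows the compression_methods vector) and pass those bytes to `check`. A result of `present: True` with `sha2: False` is the case a strict server would reject even though the client speaks TLS 1.2.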
- Amit585731
Nimbostratus
Minn, since by adding signature_algorithm it starts to work, I think that is the issue here. Any suggestion on how to enable this on the LB?
- Amit585731
Nimbostratus
Hi Minn, sorry for the late comment. Yeah, I can see the 32 byte data field and it shows sha2 and sha1 as well. Can you please suggest how this can be enabled on 11.6 and 11.4? From some forum I found that this is enabled by default in 11.6 and that to enable it on 11.4 we need to work with an iRule, but I am unable to figure out from any of the code how to proceed. Thanks