For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Amit585731's avatar
Amit585731
Icon for Nimbostratus rankNimbostratus
Apr 21, 2016

Regarding signature algorithm

Hi All,   We are seeing issue where when we are sending TLSv1.2 to server (i.e. serverssl profile present) it is dropping the connection. When I am sending TLSv1 then connection is successful. My ...
application delivery
LTM
Minn_62043's avatar
Minn_62043
Icon for Cirrostratus rankCirrostratus
Apr 25, 2016

According to RFC5246, signature_algorithm is not strictly required. Anyway, from the screenshot I couldn't see the Data part in "signature_algorithm". There is 32 byte Data in signature_algorithm. If you click that row, you will see some details, and they should describe the list of hash and signature algorithms supported by F5. You can verify if the list contains the pair with SHA256.

 

What is really the server's requirement? Client must use SHA-2 and include the ability in signature_algorithm extension?

 

  • Amit585731's avatar
    Amit585731
    Icon for Nimbostratus rankNimbostratus
    Apr 26, 2016
    Minn, Since by adding signature_algorithm it starts to work so I think that is the issue here. Any suggestion hot to enable this on LB?
  • Amit585731's avatar
    Amit585731
    Icon for Nimbostratus rankNimbostratus
    May 19, 2016
    Hi Minn, sorry for late comment. Yeah I can see 32 byte data field and it shows sha2 n sha1 as well. Can you please suggest how this can be enabled on 11.6 and 11.4. From some forum I found that this is enabled by default in 11.6 and to enable on 11.4 we need to work with irule. But on none of code I am unable to figure out how to proceed. Thanks