Forum Discussion

Stefan_Klotz's avatar
Stefan_Klotz
Icon for Cumulonimbus rankCumulonimbus
Jul 04, 2024

Relation between Cipher-Suite and Key-type of server certificate

I must noticed/learned these days, that specific allowed ciphers are useless if they are not matching with the key-type of the server-certificate from the clientSSL profile.
I think it's not unusual that most server-certificate will still be generated with RSA 2k or 4k key-type. And those (older) certificates, which are already renewed a couple of times with the same key have even a higher chance to be a RSA type.
But with this for example only the following two ciphers could be selected:

  • ECDHE-RSA-AES128-GCM-SHA256/TLS1.2
  • ECDHE-RSA-AES256-GCM-SHA384/TLS1.2

If a client for example only supports the following two ciphers:

  • ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2
  • ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2

Neither of these two will be choose, even if they are allowed/provided in the cipher-rule configuration of the BIG-IP. Is this really the case or are there any other dependencies, which are responsible for the „No shared ciphers between SSL peers“ log entry? I'm wondering, because I've never read about that in any of the tons of cipher documents and articles, I've read so far.

=> So can please someone share some detailed information about this relation?

And if this behavior is true, does it makes sense and is it technical possible to create two different clientSSL profiles, one with a RSA-key and the other with a ECDSA-key and assign both to the VIP? Can the BIG-IP handle this and will choose the correct certificate/profile depending on the provided cipher-list from the client?

Thank you!
Regards Stefan :)