Forum Discussion
Stephen_Archer_
Oct 28, 2011Historic F5 Account
SHA2 / SHA256 certificates
I have a customer that wants to use SHA2 / SHA256 certificates on their website (fronted by LTM), however clients such as Windows XP SP2 are unable to verify such certificates. The customer would like to detect these clients and redirect them to a web page providing remediation advice.
I know it's possible to detect the cipher suites supported by the client: create a client SSL profile with weak ciphers allowed, then after SSL handshake completion, check the cipher suite used. It would then be possible to redirect clients using weak ciphers to the remediation page. But... if the client is unable to validate the SHA2 certificate, the SSL handshake will never complete.
The next option would be to binary scan the TCP::payload on the 'client hello' and check the presented cipher suites... however, I don't think that the list of cipher suites presented by the client tells us whether the client is able to validate a SHA2 certificate, or not. i.e. it may be possible that a client that does NOT list SHA2 / SHA256 in the list of supported cipher suites, but is still actually able to verify a SHA2 certificate.
So my question is, do I understand this issue correctly, and if I do, has anyone thought of a way to overcome it?
Thanks in advance!
- I know it's possible to detect the cipher suites supported by the client: create a client SSL profile with weak ciphers allowed, then after SSL handshake completion, check the cipher suite used. It would then be possible to redirect clients using weak ciphers to the remediation page. But... if the client is unable to validate the SHA2 certificate, the SSL handshake will never complete.
- Stephen_Archer_Historic F5 AccountHi Kurt, I appreciate the reply, but unfortunately I don't think either option will work. I've done a bit more investigation since my first post - and to confirm my thoughts, I ran a quick (successful) test to an SSL site with SHA2 cert... the Client Hello contains the following Cipher Suites (36 suites) presented by my browser:
- nitassEmployeei understand sha2 is not an option in cipher suite of ssl2.0, ssl3.0, tls1.0.
- @Stephen:
- Posted By nitass on 10/30/2011 08:02 AM
- nitassEmployeethanks Kurt. i think we might misunderstand Stephen's question a bit.
- > as i read through it again, i think he is asking about sha2/sha256 certificate i.e. not sha2/sha256 cipher suite.
- nitassEmployeei feel SHA2 certificate is OS thing rather than browser one.
- Stephen_Archer_Historic F5 AccountThanks Kurt and Nitass... appreciate your comments. Agree that OS is responsible. Don't think there is a cool way out of this one.
> i feel SHA2 certificate is OS thing rather than browser one.
Recent Discussions
Related Content
DevCentral Quicklinks
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com
Discover DevCentral Connects