Forum Discussion

Stephen_Archer_'s avatar
Stephen_Archer_
Historic F5 Account
Oct 28, 2011

SHA2 / SHA256 certificates

I have a customer that wants to use SHA2 / SHA256 certificates on their website (fronted by LTM), however clients such as Windows XP SP2 are unable to verify such certificates. The customer would lik...
application delivery
dev
devops
iRules
Kurt_Knochner_5's avatar
Kurt_Knochner_5
Icon for Cirrus rankCirrus
Oct 30, 2011
@Stephen:

 

 

If the client does not offer the cipher you want to see, you cannot assume anything. The client might have good reasons not to offer SHA256.

 

 

So, you still have only those options I described. I would suggest option 2. In your example, the client MIGHT be able to handle SHA256, but you don't know, as it did not indicate that by offering the right cipher. If you answer with SHA256, and the client is not able to handle it, you will create an ssl handshake error and you have no chance at all to tell the client to try again with a different cipher set.

 

 

So, in your example, the remaining option is to use a "weak" ssl client profile for that request, redirect the client to an error page and tell it to upgrade or change the configuration/cipher set.

 

 

Regards

 

Kurt Knochner