Forum Discussion

Historic F5 Account

Oct 28, 2011

SHA2 / SHA256 certificates

I have a customer that wants to use SHA2 / SHA256 certificates on their website (fronted by LTM), however clients such as Windows XP SP2 are unable to verify such certificates. The customer would lik...

Cirrus

Oct 30, 2011

@Stephen:

If the client does not offer the cipher you want to see, you cannot assume anything. The client might have good reasons not to offer SHA256.

So, you still have only those options I described. I would suggest option 2. In your example, the client MIGHT be able to handle SHA256, but you don't know, as it did not indicate that by offering the right cipher. If you answer with SHA256, and the client is not able to handle it, you will create an ssl handshake error and you have no chance at all to tell the client to try again with a different cipher set.

So, in your example, the remaining option is to use a "weak" ssl client profile for that request, redirect the client to an error page and tell it to upgrade or change the configuration/cipher set.

Regards

Kurt Knochner

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

SHA2 / SHA256 certificates

Recent Discussions

Background Tasks

APM with EntraID as idP / request signed

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

Automating ACMEv2 Certificate Management on BIG-IP

Re: Management Certificate

use irule to sign data using sha256

Automate Let's Encrypt Certificates on BIG-IP

Automating NGINX Certificate Rotation on AWS

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS