Forum Discussion
Stephen_Archer_
Oct 28, 2011 (Historic F5 Account)
SHA2 / SHA256 certificates
I have a customer that wants to use SHA2 / SHA256 certificates on their website (fronted by LTM), however clients such as Windows XP SP2 are unable to verify such certificates. The customer would lik...
Kurt_Knochner_5
Oct 30, 2011 (Cirrus)
@Stephen:
If the client does not offer the cipher you want to see, you cannot assume anything. The client might have good reasons not to offer SHA256.
So, you still have only those options I described. I would suggest option 2. In your example, the client MIGHT be able to handle SHA256, but you don't know, as it did not indicate that by offering the right cipher. If you answer with SHA256, and the client is not able to handle it, you will create an SSL handshake error and you have no chance at all to tell the client to try again with a different cipher set.
So, in your example, the remaining option is to use a "weak" SSL client profile for that request, redirect the client to an error page and tell it to upgrade or change the configuration/cipher set.
Regards
Kurt Knochner
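An added example, not code from the thread or from F5: it parses a constructed TLS ClientHello and reports the two things a server can actually learn about SHA-256 support before choosing a profile, namely whether the client offered a SHA-256 cipher suite (the indication Kurt refers to) and whether a TLS 1.2 client listed sha256 in its signature_algorithms extension (RFC 5246, the field that advertises which certificate signature hashes it can verify). Cipher suite and extension values are the IANA/RFC numbers; the ClientHello bytes are constructed by the helper for the test.

```python
import struct

# Cipher suites whose MAC/PRF uses SHA-256 (RFC 5246, RFC 5288, RFC 5289 values).
SHA256_CIPHER_SUITES = {0x003C, 0x003D, 0x009C, 0x009D, 0xC027, 0xC028, 0xC02F, 0xC030}
SIGNATURE_ALGORITHMS_EXT = 13   # extension type, RFC 5246 section 7.4.1.4.1
HASH_SHA256 = 4                 # HashAlgorithm.sha256 in that extension

def build_client_hello(cipher_suites, sig_hashes=None):
    """Constructed ClientHello record for testing: TLS 1.0 with no extensions,
    or TLS 1.2 with a signature_algorithms extension when sig_hashes is given."""
    version = b"\x03\x03" if sig_hashes is not None else b"\x03\x01"
    body = version + bytes(32) + b"\x00"                       # random, empty session id
    suites = b"".join(struct.pack(">H", c) for c in cipher_suites)
    body += struct.pack(">H", len(suites)) + suites
    body += b"\x01\x00"                                        # one compression method: null
    if sig_hashes is not None:
        pairs = b"".join(bytes([h, 1]) for h in sig_hashes)    # (hash, rsa) pairs
        ext = struct.pack(">H", len(pairs)) + pairs
        ext = struct.pack(">HH", SIGNATURE_ALGORITHMS_EXT, len(ext)) + ext
        body += struct.pack(">H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16" + version + struct.pack(">H", len(handshake)) + handshake

def parse_client_hello(record):
    """Return (offered cipher suites, hash ids from signature_algorithms);
    the hash list is empty when the extension is absent (pre-TLS 1.2 clients)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    pos = 9 + 2 + 32                                           # record+handshake hdr, version, random
    pos += 1 + record[pos]                                     # skip session id
    n = struct.unpack(">H", record[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack(">H", record[i:i + 2])[0] for i in range(pos, pos + n, 2)]
    pos += n
    pos += 1 + record[pos]                                     # skip compression methods
    hashes = []
    if pos < len(record):                                      # extensions block present
        end = pos + 2 + struct.unpack(">H", record[pos:pos + 2])[0]; pos += 2
        while pos < end:
            etype, elen = struct.unpack(">HH", record[pos:pos + 4]); pos += 4
            if etype == SIGNATURE_ALGORITHMS_EXT:
                hashes = [record[i] for i in range(pos + 2, pos + elen, 2)]
            pos += elen
    return suites, hashes

def sha256_capability(record):
    """(client offers a SHA-256 cipher suite, client advertises sha256 for signatures)."""
    suites, hashes = parse_client_hello(record)
    return bool(set(suites) & SHA256_CIPHER_SUITES), HASH_SHA256 in hashes
```

A client that returns (False, False), like an old TLS 1.0 stack, is the case the thread discusses: nothing in its hello proves it can verify a SHA-256 certificate, so the profile decision has to fall back to the "weak" profile plus redirect rather than a guess.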