Forum Discussion
Stephen_Archer_
Oct 28, 2011 (Historic F5 Account)
SHA2 / SHA256 certificates
I have a customer that wants to use SHA2 / SHA256 certificates on their website (fronted by LTM), however clients such as Windows XP SP2 are unable to verify such certificates. The customer would lik...
Kurt_Knochner_5
Oct 31, 2011 (Cirrus)
> As I read through it again, I think he is asking about SHA2/SHA256 certificates, i.e. not SHA2/SHA256 cipher suites.
good point!!
If that's the case, I see only one way to figure out if a client supports that or not, because that's just a feature of the browser and not related to SSL/TLS.
Let all clients connect to a VS with a SHA1 cert. Check the User-Agent string. If it's a "decent" browser (you know it supports SHA256 certs), redirect it to a different VS with a SHA256 cert, otherwise just balance the request or send an error message.
BTW: If you don't want to redirect the newer clients to a different VS, just remember the client IP in a session table (table command). Then redirect the client to the same VS. If the request comes in, check if the IP address is available in the session table. If yes, you know it supports SHA256. Then use a different ssl client profile, with the SHA256 cert (SSL::profile).
WARNING: This does not work properly if the users are connecting through a proxy (same IP, different browser) or if they work from a terminal server, though chances are good that they use the same browser on the terminal server.
@Stephen: how does that sound to you?
Regards
Kurt Knochner
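The session-table variant described above, written out as an iRule. This is an added example, not code from the thread or from F5; the client SSL profile name `clientssl_sha256`, the subtable name and the User-Agent test (treating Windows NT 5.x clients as unable to verify SHA-256 certificates) are assumptions.

```tcl
# Assumed setup: the virtual server's default client SSL profile carries the
# SHA-1 certificate; a second profile, clientssl_sha256, carries the SHA-256
# certificate (name is an assumption). Clients seen once on a "capable"
# browser are remembered by IP for an hour and get the SHA-256 profile on
# their next connection.

when CLIENT_ACCEPTED {
    # SSL::profile must be chosen before the handshake, so the decision can
    # only use the client IP here, not the User-Agent.
    if { [table lookup -subtable "sha256_ok" [IP::client_addr]] ne "" } {
        SSL::profile clientssl_sha256
    }
}

when HTTP_REQUEST {
    # Already switched on this connection: nothing more to do.
    if { [table lookup -subtable "sha256_ok" [IP::client_addr]] ne "" } {
        return
    }

    set ua [string tolower [HTTP::header "User-Agent"]]

    # Conservative heuristic (assumption): Windows 2000/XP report "Windows NT 5.x".
    # XP SP2 cannot verify SHA-256 certificates, and the User-Agent string does
    # not distinguish SP2 from SP3, so all NT 5.x clients stay on the SHA-1 cert.
    if { ($ua contains "windows nt 5.0") || ($ua contains "windows nt 5.1") } {
        return
    }

    # Remember this IP for 3600 seconds, then send the client back to the same
    # URL. "Connection: close" matters: the new profile only applies to a new
    # TCP connection, so a keep-alive reuse would keep serving the SHA-1 cert.
    table set -subtable "sha256_ok" [IP::client_addr] 1 3600
    HTTP::respond 302 Location "https://[HTTP::host][HTTP::uri]" Connection "close"
}
```

The proxy and terminal-server caveat from the post applies unchanged: the table key is the client IP, so one capable browser behind a shared address flips every client behind it.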