> As I read through it again, I think he is asking about a SHA2/SHA256 certificate, i.e. not a SHA2/SHA256 cipher suite.
Good point!
If that's the case, I see only one way to figure out if a client supports that or not, because that's just a feature of the browser and not related to SSL/TLS.
Let all clients connect to a VS with a SHA1 cert. Check the User-Agent string. If it's a "decent" browser (one you know supports SHA256 certs), redirect it to a different VS with a SHA256 cert; otherwise just balance the request or send an error message.
BTW: If you don't want to redirect the newer clients to a different VS, just remember the client IP in a session table (table command). Then redirect the client to the same VS. When the request comes in, check if the IP address is present in the session table. If yes, you know it supports SHA256. Then use a different SSL client profile, with the SHA256 cert (SSL::profile).
WARNING: This does not work properly if the users are connecting through a proxy (same IP, different browser) or if they work from a terminal server, though chances are good that they use the same browser on the terminal server.
@Stephen: how does that sound to you?
Regards
Kurt Knochner
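The single-VS variant described in that reply, written out as an F5 iRule. This is an added example, not code from the original post or from F5: the client SSL profile name `clientssl_sha256` (the VS default profile is assumed to carry the SHA1 cert), the subtable name `sha256_ok`, the one-hour timeout and the User-Agent patterns are all placeholders to be adapted to the real setup.

```tcl
# Added example, not from the original post. Assumptions: the VS's default
# client SSL profile carries the SHA1 cert, a second profile named
# "clientssl_sha256" carries the SHA256 cert, and the subtable name
# "sha256_ok" plus the User-Agent patterns below are placeholders.

when CLIENT_ACCEPTED {
    # Runs before the TLS handshake, so the profile can still be swapped.
    # Only IPs already recorded as "decent" browsers get the SHA256 profile;
    # everyone else handshakes against the SHA1 cert.
    if { [table lookup -subtable sha256_ok [IP::client_addr]] ne "" } {
        SSL::profile clientssl_sha256
    }
}

when HTTP_REQUEST {
    # A known IP already got the SHA256 profile in CLIENT_ACCEPTED; nothing to do.
    if { [table lookup -subtable sha256_ok [IP::client_addr]] ne "" } {
        return
    }
    set ua [string tolower [HTTP::header "User-Agent"]]
    # Placeholder heuristic for browsers known to accept SHA256 certs.
    if { [regexp {chrome|firefox|safari} $ua] } {
        # Remember the client IP for an hour (session table entry, timeout 3600 s).
        table set -subtable sha256_ok [IP::client_addr] 1 3600
        # Redirect to the same URL and close the connection, so the browser
        # reconnects and CLIENT_ACCEPTED fires again, this time selecting
        # the SHA256 profile.
        HTTP::respond 302 Location "https://[HTTP::host][HTTP::uri]" Connection close
    }
    # Anything else stays on the SHA1 cert and is load balanced as usual.
}
```

The `Connection close` on the redirect matters: the profile switch can only happen on a new TCP connection, so a keep-alive connection would keep serving the SHA1 cert until the browser reconnects on its own. The proxy and terminal-server limitation from the reply applies unchanged, because the table is keyed on client IP only.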