SHA2 / SHA256 certificates

Hey Arch,

 

 

I found this question to be very interesting so I spent some time thinking about a possible solution. It occurred to me that the issue is really a combination of OS and Browser as any browser using its own version of TLS should work fine. So Firefox or Chrome running on XP will likely work for the same reason they also support SNI on XP. So this leaves us with IE and possibly older versions of Chrome and Firefox to consider. The one thing that all of these browsers would have in common on XP is that they likely won't support SNI.

 

 

So what I think you could do is use the logic from Joels SNI iRule( http://goo.gl/ZbU8u) to determine if the browser making the request supports SNI or not. This really won't get you all the way there as from my understanding IE running on XP with SP3 will support the SHA2 certificates, but not SNI data.

 

 

So you would need to terminate the non SNI supported browsers with a weaker certificate and then present the client with a remediation page that gave them the option to click through if they confirmed that SP3 was installed on or something along those lines.

 

Obviously you would need some logic to then allow the client to pass through without SNI and don't have that fully thought out. I am sure there are some holes in my logic, but it was such an interesting question to me that I wanted to dig into other possible solutions.