Forum Discussion

Cirrus

Jul 29, 2014

SSL connection error, client certificate validation issue - RSASSA-PSS signature algorithm support?

2-way SSL VIP with client certificate "required", we are getting SSL connection errors. The LTM log contains: SSL Handshake failed for TCP from 10.20.15.156:57757 to 172.20.104.11:443 The CA ch...

Cirrus

Dec 30, 2014

I was hoping to come back and confirm that 11.5 handles RSASSA-PSS, Kevin, but unfortunately I didn't have a chance - before we upgraded to 11.5.1, we had to rebuild our CA chain (and reissue certs across the board) using sha256, because of other devices (Cisco ISEs, etc.) that clearly documented that they wouldn't handle RSASSA-PSS. If anyone reading this knows for sure that RSASSA-PSS is supported at 11.5 or later, pls confirm so!

boneyard
MVP
Jan 14, 2015
i wouldn't mind checking but i seem unable to generate such a certificate with openssl or xca, if you can provide me one or explain how to create it i can have a look.
daboochmeister
Cirrus
Jan 14, 2015
Sorry, boneyard, appreciate it, but we tore down our CA that used RSASSA-PSS ... apparently, a Windows CA burns in the algorithm to be used and you can't change it from the default request by request (which seems weird to me, but that's what I'm being told).
candc
Cirrus
Jul 18, 2016
Still definitely an issue for me on 12.0.0
boneyard
MVP
Jul 18, 2016
can you guide me in how to create such a certificate candcgroup, it like to give it a try.