Forum Discussion
SSL Intercept SHA1 Certificate
I am trying to set up SSL intercept to decrypt outbound SSL for inspection. I am not doing anything fancy, just a basic decryption zone between the internal and external F5. Everything works except for certain sites like google.com, where the F5 issues a SHA1 certificate to the client, which Chrome does not support, instead of SHA2.
- RaghavendraSY_7Cumulonimbus
Hi,
Can you please post your virtual server configuration and SSL client profile configuration? You can modify the points below on the SSL client profile.
- Verify whether SSL Sign Hash is configured as ANY; if not, enable it, or you can configure only SHA2 (if your requirement is only SHA2).
- JamesE_234305Nimbostratus
ltm virtual SSLi-Ingress {
    destination 0.0.0.0:any
    ip-protocol tcp
    mask any
    pool SSL-Ingress-Any
    profiles {
        SSLi-Ingress-Client {
            context clientside
        }
        SSLi-Ingress-Server {
            context serverside
        }
        http { }
        tcp { }
    }
    rules {
        SSLi-with-URL
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address disabled
    translate-port enabled
    vs-index 18
}

ltm profile client-ssl SSLi-Ingress-Client {
    alert-timeout indefinite
    allow-dynamic-record-sizing disabled
    allow-expired-crl disabled
    allow-non-ssl disabled
    app-service none
    authenticate once
    authenticate-depth 9
    bypass-on-client-cert-fail disabled
    bypass-on-handshake-alert disabled
    ca-file none
    cache-size 262144
    cache-timeout 3600
    cert cybersec-subca.crt
    cert-extension-includes { basic-constraints extended-key-usage subject-alternative-name }
    cert-key-chain {
        cybersec-subca_cyberrootca {
            cert cybersec-subca.crt
            chain cyberrootca.crt
            key cybersec-subca.key
        }
    }
    cert-lifespan 30
    cert-lookup-by-ipaddr-port disabled
    chain cyberrootca.crt
    cipher-group none
    ciphers DEFAULT
    client-cert-ca none
    crl-file none
    defaults-from clientssl
    destination-ip-blacklist none
    destination-ip-whitelist none
    forward-proxy-bypass-default-action intercept
    generic-alert enabled
    handshake-timeout 10
    hostname-blacklist none
    hostname-whitelist none
    inherit-certkeychain false
    key cybersec-subca.key
    max-active-handshakes indefinite
    max-aggregate-renegotiation-per-minute indefinite
    max-renegotiations-per-minute 5
    maximum-record-size 16384
    mod-ssl-methods disabled
    mode enabled
    notify-cert-status-to-virtual-server disabled
    ocsp-stapling disabled
    options { dont-insert-empty-fragments }
    passphrase none
    peer-cert-mode ignore
    peer-no-renegotiate-timeout 10
    proxy-ca-cert cybersec-subca.crt
    proxy-ca-key cybersec-subca.key
    proxy-ssl disabled
    proxy-ssl-passthrough disabled
    renegotiate-max-record-delay indefinite
    renegotiate-period indefinite
    renegotiate-size indefinite
    renegotiation enabled
    retain-certificate true
    secure-renegotiation require
    server-name none
    session-mirroring disabled
    session-ticket disabled
    session-ticket-timeout 0
    sni-default false
    sni-require false
    source-ip-blacklist none
    source-ip-whitelist none
    ssl-forward-proxy enabled
    ssl-forward-proxy-bypass enabled
    ssl-sign-hash sha256
    strict-resume disabled
    unclean-shutdown enabled
}

ltm profile server-ssl SSLi-Ingress-Server {
    app-service none
    ca-file ca-bundle.crt
    cert ca-bundle.crt
    defaults-from serverssl
    key default.key
    peer-cert-mode require
    secure-renegotiation request
    ssl-forward-proxy enabled
    ssl-forward-proxy-bypass enabled
    ssl-sign-hash sha256
}
- AjacNimbostratus
Hi,
I am experiencing the exact same issue as JamesE, but in my case it started after an upgrade to version 13 (from 12.1.2). For some sites the F5 proxy issues a SHA-1 certificate instead of a SHA-256 certificate. I have set the "SSL Sign Hash" option to SHA256 as per your advice, but no luck.
Any other advice, or should I start a case on this?
//A
- JamesE_234305Nimbostratus
I also tried using SSL Orchestrator and am getting the same response. Below are some of the sites I randomly tried that get SHA1 instead of SHA256.
trading.scottrade.com
- Kevin_K_51432Historic F5 Account
Greetings,
We usually wait to publish bug details until there's a fix or workaround. Quite a few people are running into this, so it seems best to publish the bug details early. You may be able to request an engineering hotfix for this as well if you open a case with support:
K11425420: SSL Forward Proxy or F5 Herculon SSL Orchestrator may sign SSL certificates using SHA1 algorithm
https://support.f5.com/csp/article/K11425420
Hope this is helpful!
Kevin
- Stanislas_Piro2Cumulonimbus
Hi Kevin,
I still have this bug in version 13.1.0.6.
- Kevin_K_51432Historic F5 Account
Hi Stanislas,
I did a customer case query and don't see any cases after 13.0.0, which is odd (if this is still happening).
Sorry I couldn't offer more help!
- Pedro_Roure_249Altostratus
Same problem here in a deployment of APM + SWG with SSL Interception. Some certificates are generated using SHA1, and the Chrome browser (at the latest version at the moment) is complaining with this error:
net::ERR_CERT_WEAK_SIGNATURE_ALGORITHM
Has anyone solved this issue?
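A quick way to confirm from the client side which hash the forward proxy is using to sign the leaf it mints (the condition behind Chrome's net::ERR_CERT_WEAK_SIGNATURE_ALGORITHM) is to read the outer signatureAlgorithm OID straight out of the DER certificate the browser receives. The script below is an added example for this thread, not F5 code: the parser walks the standard X.509 outer layout, check_live_leaf() fetches a real leaf from inside the intercept zone, and make_synthetic_cert() builds constructed stand-in certificates (real outer structure, dummy body) purely so the parser can be exercised offline.

```python
"""Classify the signature hash on the leaf certificate a client actually receives.

Added example, not F5 code. Synthetic certificates from make_synthetic_cert() are
constructed fixtures with a real outer DER layout and a placeholder body.
"""
import socket
import ssl

# signatureAlgorithm OIDs commonly seen on X.509 certificates (dotted form -> name).
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
# Algorithms a current browser rejects with ERR_CERT_WEAK_SIGNATURE_ALGORITHM.
WEAK_SIG_ALGS = {"sha1WithRSAEncryption", "ecdsa-with-SHA1"}


def _read_tlv(buf, pos):
    """Parse one DER tag/length at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(content):
    """Decode the content bytes of a DER OBJECT IDENTIFIER into dotted form."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(cert_der):
    """Dotted OID of the outer signatureAlgorithm in
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, body_start, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(cert_der, body_start)     # skip tbsCertificate
    tag, alg_start, _ = _read_tlv(cert_der, tbs_end)    # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    tag, oid_start, oid_end = _read_tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(cert_der[oid_start:oid_end])


def classify(cert_der):
    """Return (algorithm name, is_weak) for the certificate's signature."""
    name = SIG_ALG_NAMES.get(signature_algorithm(cert_der), signature_algorithm(cert_der))
    return name, name in WEAK_SIG_ALGS


def check_live_leaf(host, port=443, timeout=5.0):
    """From inside the intercept zone, classify the leaf the proxy hands back.
    Verification is disabled so a certificate the browser rejects can still be inspected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return classify(tls.getpeercert(binary_form=True))


# --- constructed fixtures so the parser can run offline -------------------------

def _der(tag, content):
    """Wrap content in a DER TLV with a correctly encoded length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def _encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def make_synthetic_cert(sig_oid):
    """Constructed stand-in for a DER certificate: real outer layout, dummy body."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                     # placeholder tbsCertificate
    alg = _der(0x30, _encode_oid(sig_oid) + _der(0x05, b""))  # AlgorithmIdentifier + NULL
    sig = _der(0x03, b"\x00" * 9)                             # dummy BIT STRING
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(oid, classify(make_synthetic_cert(oid)))
    # check_live_leaf("www.example.com") inspects a real connection when run behind the proxy.
```

Running check_live_leaf() against the sites that fail in Chrome, from a client whose traffic passes through the decryption zone, gives a yes/no answer on whether the proxy-issued leaf is SHA-1 signed, independent of the browser's own error reporting. The same function run against a host on the bypass list shows the origin's real certificate for comparison.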
- JamesE_234305Nimbostratus
The issue with SHA1 certificates being issued was fixed for me in 13.1.
If you aren't on 13.1, and as pointed out a few times, please also open an F5 support ticket for such issues, and please report back with the feedback from there.
- Pedro_Roure_249Altostratus
Using the following version: BIG-IP 13.1.0.7 Build 0.0.1 Point Release 7.
- Pedro_Roure_249Altostratus
I opened a support ticket with F5 and the F5 engineer who answered the ticket made the following recommendation:
"configure a trusted certificate authority bundle in the server ssl profile. The default bundle contains many well-known public CA certs for server-side processing."
After I did this, the problem was solved.
Thanks.