SSL Intercept SHA1 Certificate
- Jul 26, 2018
I opened a support ticket with F5 and the F5 engineer who answered the ticket made the following recommendation:
"configure a trusted certificate authority bundle in the server ssl profile. The default bundle contains many well-known public CA certs for server-side processing."
After I did this, the problem was solved.
Thanks.
Hi,
Can you please post your virtual server configuration and SSL client profile configuration? You can modify the points below on the SSL client profile.
- Verify whether SSL Sign Hash is configured as ANY; if not, enable it, or you can configure only SHA2 (if your requirement is only SHA2).
- JamesE_234305 (Nimbostratus), Oct 23, 2017:
ltm virtual SSLi-Ingress {
    destination 0.0.0.0:any
    ip-protocol tcp
    mask any
    pool SSL-Ingress-Any
    profiles {
        SSLi-Ingress-Client { context clientside }
        SSLi-Ingress-Server { context serverside }
        http { }
        tcp { }
    }
    rules { SSLi-with-URL }
    source 0.0.0.0/0
    source-address-translation { type automap }
    translate-address disabled
    translate-port enabled
    vs-index 18
}

ltm profile client-ssl SSLi-Ingress-Client {
    alert-timeout indefinite
    allow-dynamic-record-sizing disabled
    allow-expired-crl disabled
    allow-non-ssl disabled
    app-service none
    authenticate once
    authenticate-depth 9
    bypass-on-client-cert-fail disabled
    bypass-on-handshake-alert disabled
    ca-file none
    cache-size 262144
    cache-timeout 3600
    cert cybersec-subca.crt
    cert-extension-includes { basic-constraints extended-key-usage subject-alternative-name }
    cert-key-chain {
        cybersec-subca_cyberrootca {
            cert cybersec-subca.crt
            chain cyberrootca.crt
            key cybersec-subca.key
        }
    }
    cert-lifespan 30
    cert-lookup-by-ipaddr-port disabled
    chain cyberrootca.crt
    cipher-group none
    ciphers DEFAULT
    client-cert-ca none
    crl-file none
    defaults-from clientssl
    destination-ip-blacklist none
    destination-ip-whitelist none
    forward-proxy-bypass-default-action intercept
    generic-alert enabled
    handshake-timeout 10
    hostname-blacklist none
    hostname-whitelist none
    inherit-certkeychain false
    key cybersec-subca.key
    max-active-handshakes indefinite
    max-aggregate-renegotiation-per-minute indefinite
    max-renegotiations-per-minute 5
    maximum-record-size 16384
    mod-ssl-methods disabled
    mode enabled
    notify-cert-status-to-virtual-server disabled
    ocsp-stapling disabled
    options { dont-insert-empty-fragments }
    passphrase none
    peer-cert-mode ignore
    peer-no-renegotiate-timeout 10
    proxy-ca-cert cybersec-subca.crt
    proxy-ca-key cybersec-subca.key
    proxy-ssl disabled
    proxy-ssl-passthrough disabled
    renegotiate-max-record-delay indefinite
    renegotiate-period indefinite
    renegotiate-size indefinite
    renegotiation enabled
    retain-certificate true
    secure-renegotiation require
    server-name none
    session-mirroring disabled
    session-ticket disabled
    session-ticket-timeout 0
    sni-default false
    sni-require false
    source-ip-blacklist none
    source-ip-whitelist none
    ssl-forward-proxy enabled
    ssl-forward-proxy-bypass enabled
    ssl-sign-hash sha256
    strict-resume disabled
    unclean-shutdown enabled
}

ltm profile server-ssl SSLi-Ingress-Server {
    app-service none
    ca-file ca-bundle.crt
    cert ca-bundle.crt
    defaults-from serverssl
    key default.key
    peer-cert-mode require
    secure-renegotiation request
    ssl-forward-proxy enabled
    ssl-forward-proxy-bypass enabled
    ssl-sign-hash sha256
}
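As an added example (not code from the thread or from F5), the following script parses tmsh-style profile output like the one posted above and flags the two settings the thread turns on: a server-ssl profile that requires the origin certificate (peer-cert-mode require) but has no trusted CA bundle (ca-file none), which is the state the F5 engineer's recommendation fixes, and an ssl-sign-hash of sha1. The sample profiles and the parser are constructed for this example; values inherited through defaults-from are assumed to be expanded in the input.

```python
import re

# Constructed samples (not the thread's text verbatim): the server-ssl profile as it
# would look BEFORE the recommended fix (no CA bundle), plus a trimmed client-ssl profile.
BEFORE = """
ltm profile server-ssl SSLi-Ingress-Server {
    ca-file none
    peer-cert-mode require
    ssl-forward-proxy enabled
    ssl-sign-hash sha1
}
ltm profile client-ssl SSLi-Ingress-Client {
    cert-key-chain { cybersec-subca_cyberrootca { cert cybersec-subca.crt chain cyberrootca.crt key cybersec-subca.key } }
    ssl-sign-hash sha256
}
"""
# The same profiles AFTER the fix: a trusted bundle on the server side and SHA-256 signing.
AFTER = BEFORE.replace("ca-file none", "ca-file ca-bundle.crt").replace("sha1", "sha256")

def parse_block(tokens, pos):
    """Parse tokens after an opening '{' up to its matching '}'; return (dict, next pos)."""
    out = {}
    while tokens[pos] != "}":
        key = tokens[pos]; pos += 1
        if tokens[pos] == "{":
            out[key], pos = parse_block(tokens, pos + 1)
        elif tokens[pos] == "}":
            out[key] = None              # bare flag inside a block, e.g. options { ... }
        else:
            out[key] = tokens[pos]; pos += 1
    return out, pos + 1                  # skip the closing brace

def parse_profiles(text):
    """Return {(type, name): settings} for every 'ltm profile <type> <name> { ... }'."""
    tokens = re.findall(r"\{|\}|[^\s{}]+", text)
    profiles, pos = {}, 0
    while pos < len(tokens):
        if tokens[pos:pos + 2] == ["ltm", "profile"] and tokens[pos + 4:pos + 5] == ["{"]:
            profiles[(tokens[pos + 2], tokens[pos + 3])], pos = parse_block(tokens, pos + 5)
        else:
            pos += 1
    return profiles

def audit_profiles(profiles):
    """Flag the two settings discussed in the thread (assumes defaults-from is already expanded)."""
    findings = []
    for (ptype, name), cfg in profiles.items():
        if ptype == "server-ssl" and cfg.get("peer-cert-mode") == "require" \
                and cfg.get("ca-file", "none") == "none":
            findings.append(f"{name}: peer-cert-mode require with ca-file none, no trusted CA bundle")
        if cfg.get("ssl-sign-hash", "").lower() == "sha1":
            findings.append(f"{name}: ssl-sign-hash sha1, forward-proxy certs are signed with SHA-1")
    return findings
```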