Forum Discussion

JamesE_234305's avatar
JamesE_234305
Icon for Nimbostratus rankNimbostratus
Oct 17, 2017

SSL Intercept SHA1 Certificate

I am trying to set up SSL intercept to decrypt outbound SSL for inspection. I am not doing anything fancy just a basic decryption zone between the internal and external F5. Everything works except ...
application delivery
BIG-IP
LTM
security
  • Pedro_Roure_249's avatar
    Pedro_Roure_249
    Jul 26, 2018

    I opened a support ticket with F5 and the F5 engineer who answered the ticket made the following recommendation:

     

    "configure a trusted certificate authority bundle in the server ssl profile. The default bundle contains many well-known public CA certs for server-side processing."

     

    After I did this, the problem was solved.

     

    Thanks.

     

Kevin_K_51432's avatar
Kevin_K_51432
Historic F5 Account
Oct 23, 2017

Greetings,

 

We usually wait to publish bug details until there's a fix or workaround. Quite a few people are running into this, so it seems best to publish the bug details early. You may be able to request an engineering hotfix for this as well if you open a case with support:

 

K11425420: SSL Forward Proxy or F5 Herculon SSL Orchestrator may sign SSL certificates using SHA1 algorithm

 

https://support.f5.com/csp/article/K11425420

 

Hope this is helpful!

 

Kevin

 

  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    May 04, 2018

    Hi Kevin,

     

    I still have this bug in version 13.1.0.6.

     

  • Kevin_K_51432's avatar
    Kevin_K_51432
    Historic F5 Account
    May 04, 2018

    Hi Stanislas,

     

    That's frustrating. You'll have to open a support case to troubleshoot this. The feature has quite a few components, so it's difficult for me to say what's happening.

     

    I did a customer case query and don't see any cases after 13.0.0, which is odd (if this is still happening).

     

    Sorry I couldn't offer more help!

     

    Kevin