For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Ismail_319212's avatar
Ismail_319212
Icon for Nimbostratus rankNimbostratus
Jul 12, 2018

vulnerabilities

How can fix the vulnerabilities on F5 Big IP ver12.1.0 please advice me   SHA-1-based Signature in TLS/SSL Server X.509 Certificate   Weak Cryptographic Key   Thank you  
BIG-IP
devops
LTM
youssef1's avatar
youssef1
Icon for Cumulonimbus rankCumulonimbus
Jul 12, 2018

Hi ismael,

 

The previously used Secure Hash Algorithmus SHA-1 is not regarded as totally secure anymore. Google and Microsoft decided to reject SSL certificates using SHA-1 in the future and to denote them in their browsers as „not secure".

 

You have to renew your actual cert with SHA256:

 

https://blog.qualys.com/ssllabs/2014/09/09/sha1-deprecation-what-you-need-to-know

 

  • Read the recent announcement from Google to understand how the changes will be introduced. Within months, certificates that expire after 2016 will be affected. Relatively soon thereafter, further changes will be introduced that will impact the certificates that expire during 2016.
  • Ensure new certificate and their chains use SHA256; this is critical—if your new certificates are not guaranteed to be SHA256 then all your other efforts will be pointless. If you get this right, all SHA1 certificates that expire by the end of 2015 will be guaranteed to be ready for 2016 without further effort. It’s also necessary to check that the entire certificate chain is free of SHA1. It’s not common, but there are cases where the leaf uses SHA256 but one of the intermediates uses SHA1. Don’t worry if the root certificate uses SHA1; signatures on roots are not used (and Chrome won’t warn about them).

Let me now if you need more details