06-Jul-2023 08:45 - edited 06-Jul-2023 08:46
Hi,
a client is trying to reach a VS on a BIG-IP system with an SSL key.
That key is regularly trusted on the load balancer, and its CA root and intermediate too, but the load balancer refused the communication. The response, captured via network trace, is only "handshake failure".
Now, that SSL key has a size of 8192, and at this link: https://my.f5.com/manage/s/article/K01474701 I can see that only 4096 or 2048 are supported.
Does anyone know a workaround for this issue?
Thanks a lot
06-Jul-2023 09:06
@romolo82 This is a hard restriction from my understanding and that's a fairly recent article update so I do not see this being supported in the near future. I would even try not to use 4096 keys because I believe that still reduces your SSL transactions by half compared to 2048 keys.
06-Jul-2023 14:34 - edited 06-Jul-2023 14:36
Use 2048 keys.
If something more exotic is needed... pass it through and have the backend server check/verify instead.
06-Jul-2023 23:36
Unfortunately, it's company policy to have SSL termination on the LB... I believe that using a 2048 key is the only possibility.