clientssl profile with ECC certificate needs RSA Certificate
Hello guys, Hope you could support me in the following matther. I have already purchased an ECC wildcard certificate and I wanted to attach it to a virtual server in my BIG IP 4200 LTM box which is running version 12.1.2. Everything went well until I got an error when creating a SSL client profile. It said "010717e3:3: Client SSL profile must have RSA certificate/key pair.", so I investigated and found that it is needed to have a RSA certificate/key in the profile besides the ECC pair. Therefore, I have the following questions about it: Do I need to generate two certificates (one ECC and other RSA) with the same FQDN on them? Is it possible? I am using Entrust to generate my certificates. How could I figure out which one certificate the BIG IP is showing to the client? How does the BIG IP select which certificate to show? Is there any possibility to make the BIG IP allows the creation of an SSL profile which uses an ECC certificate/key? In future releases perhaps? I have performed a couple of tests and it seems like the BIG IP is always showing the RSA certificate. Thanks in advance for your help. Best regards
Proxy SSL and ECC ciphers
So I know that currently Proxy SSL does not support anything other than RSA key exchanges. I don't know if anyone had found any other way to do certificate authentication on the web server while still maintaining ASM inspection. I have an application where we have been restricting it down to RSA key exchanges only in order to use Proxy SSL so that the client cert could still pass to the web server but we could keep ASM inspection of the content. Now we have an issue where we need to turn on ECC ciphers, which will break Proxy SSL inspection and possibly force us to completely bypass ASM inspection. I would prefer not to bypass ASM but not seeing a way around it right now. Any help would be appreciated. Thanks.
Can't create Client SSL profile with self signed ECC certificate.
Hi! I'm trying to create Client SSL Profile with self signed ECC certificate as described below: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-5-1/11.html First I created ECC self signed certificate and it works well, then I'm trying to create Client SSL profile using that certificate and on this point it do not works and I'm getting following error: 010717e3:3: Client SSL profile must have RSA certificate/key pair. Please help. Thank you!Secp521r1 curve support in Big IP
Hi, We are running Big IP Version 12.1.5 and are interested in transitioning to secp521r1 for extra security in both ECDH and ECDSA. Are you planning on supporting this curve? if so, do you have an estimate? Thank you, John J. Lee | Senior Information Security ConsultantECC Ciphers in 11.4.1
I am having some trouble getting ECDHE ciphers to function. I am running 11.4.1 and have tried multiple cipher strings in the SSL profile, but I can't seem to get them to appear when I scan the VIP. I always seem to get the AES-128-SHA and AES-256-SHA Right now in prod I am running this on most of my servers. DEFAULT:!SSLv3:!RC4@STRENGTH I tried adding the cipher suite but that didn't do anything DEFAULT:ECDHE+AES:!SSLv3:!RC4@STRENGTH I also tried doing something a little more complex. However that didn't really change anything either. NATIVE:!MD5:!EXPORT:!3DES:!DES:!DHE:!SSLv3:!SSLv2@STRENGTH The documentation says that ECC ciphers were available starting in 11.4.0. Any help would be appreciated.