sha1
2 Topicsssl_shim_vfycerterr:4539: application verification failure
Hi, after the Announcement regarding RSA vulnerability two weeks ago, we updated one of our BigIP from 11.5.3 to 12.1.2 HF2. We still have another F5 with 11.5.3 and the same application in place. Important aspects: HTTPS-VS, simple clientssl and an irule clientssl profile -> Client Authentication: set to ignore, but the Trusted CA/Advertised CA are set to a bundle (XYZ) there's an irule that checks for the URI, if it is /admin, following is done: SSL::session invalidate SSL::authenticate always SSL::authenticate depth 9 SSL::cert mode require SSL::renegotiate enable SSL::renegotiate there are two different types of client certificates: with SHA1 and with SHA256. cipher string on both F5s is: DEFAULT:-TLSv1_1:-TLSv1:-SSLv3:-SSLv2:-RC4:-DES:-3DES So the VS doesn't require a client-certificate by default, except for /admin. If /admin is requested, a SSL-renegotiation takes place. The client certificate is now "required", checked against XYZ bundle, and additionally checked against a data group of serial numbers. Now the issue: with v11.5.3 it worked properly for all certificates/browsers, and still works on the test-F5 since the update to v12.1.2 HF2, the SHA-1 certificates don't work any more, but SHA-256 do with IE11 it works when disabling sslv2/v3 in the options with IE11 it doesn't work with SHA1 when enabling sslv2/v3 in the options in IE11 in both cases the same Cipher Suite is used in any of the cases the client is asked to choose the certificate and enter the PIN (so the renegotiate part works) Following error occurs in LTM log: Connection error: ssl_shim_vfycerterr:4539: application verification failure (46) Does anyone have an idea where or what to check? At first I assumed different Cipher settings that have effect, because the default ciphers are different between v11/v12. But when I adapted the string to match exactly, it still didn't work. Now I assume that some other default settings in the SSL-profile or the handling of the SHA-1 certificates may have changed in some way. But the strange thing is this behavior of IE11 with sslv2/sslv3 - normally it should only change the supported ciphers of the client/browser. But in both cases the same one is used and still works. I also thought, maybe it is a browser issue (Chrome / SHA-1 support) - but since it works fine when connecting to an v11 F5, that shouldn't be the case. Thanks in advance!965Views0likes6CommentsHow to create SHA1 Digest in F5 with Code 12.1.0
Hello All What is the step to create CSR with sha1 digest with F5 version 12.1.0. Reason I am asking is my Local Certificate Server does not support SHA-2 but on the other hand my F5's Code version is 12.1.0. And F5 started supporting SHA2 from Code Version 11.5.0. Question is while being on F5 Code 12.1.0 how can I still generate CSR from CLI with SHA1 Digest ?453Views0likes6Comments