Forum Discussion

kridsana_52318's avatar
kridsana_52318
Icon for Nimbostratus rankNimbostratus
Apr 24, 2015

F5 dual-certificate deployment to fix SHA-1 Deprecate issue

Hi

 

From this information SHA-1 Deprecate >> link from qualys

 

My customer sha-1 certificate is mark as insecure already. (He using APM and certificate expire on 2018)

 

If we renew certificate to SHA-256, older client can't do the job so Can F5 perform dual-certificate deployment?

 

If newer user using chrome access to APM >> APM use certificate SHA256

 

If older user using chrome access to APM >> APM use certificate SHA-1 (of course it's mark as insecure but we can't do something about this to make older user can work)

 

Right now using APM 11.4.1 lastest HF

 

Thank you

 

  • So I need to add new certificate/key pair which use SHA256 in Key exchange mechanism into Client SSL profile.

     

    And change cipher suit to ex. DEFAULT:SHA256 , something like that, Am I right?

     

    you have to create another key pair which is not rsa (because current one is rsa) such as ecdsa, then get its csr signed by ca. add them to clientssl profile and adjust cipher string if needed (i.e. some cipher suite uses rsa certificate with sha1 and some uses ecdsa certificate with sha256).

     

  • i do see ivan mentioned apache uses two key types to support sha1 and sha256. can you also do that? it is supported since 11.5.0.

    Ivan Ristic Oct 20, 2014 1:48 AM (in response to BRYAN S.G.)
    
    Bryan, here are two pages from my book, Bulletproof SSL and TLS, that show how to use multiple keys with Apache: http://blog.ivanristic.com/downloads/bulletproof-ssl-and-tls_configuring-multiple-keys.pdf
    Because this feature wasn't intended to be used to with around SHA1 issues, you can't have two RSA certificates, one with SHA1 and the other with SHA256. So you'd have to use RSA/SHA1 and ECDSA/SHA256.
    

    sol15062: Associating multiple SSL certificate/key pair types with an SSL profile

    https://support.f5.com/kb/en-us/solutions/public/15000/000/sol15062.html
    • kridsana's avatar
      kridsana
      Icon for Cirrocumulus rankCirrocumulus
      So I need to add new certificate/key pair which use SHA256 in Key exchange mechanism into Client SSL profile . And change cipher suit to ex. DEFAULT:SHA256 , something like that, Am I right?
  • i do see ivan mentioned apache uses two key types to support sha1 and sha256. can you also do that? it is supported since 11.5.0.

    Ivan Ristic Oct 20, 2014 1:48 AM (in response to BRYAN S.G.)
    
    Bryan, here are two pages from my book, Bulletproof SSL and TLS, that show how to use multiple keys with Apache: http://blog.ivanristic.com/downloads/bulletproof-ssl-and-tls_configuring-multiple-keys.pdf
    Because this feature wasn't intended to be used to with around SHA1 issues, you can't have two RSA certificates, one with SHA1 and the other with SHA256. So you'd have to use RSA/SHA1 and ECDSA/SHA256.
    

    sol15062: Associating multiple SSL certificate/key pair types with an SSL profile

    https://support.f5.com/kb/en-us/solutions/public/15000/000/sol15062.html
    • kridsana's avatar
      kridsana
      Icon for Cirrocumulus rankCirrocumulus
      So I need to add new certificate/key pair which use SHA256 in Key exchange mechanism into Client SSL profile . And change cipher suit to ex. DEFAULT:SHA256 , something like that, Am I right?
  • Can I just insert two SSL client profile in the Virtual server of APM ?

     

    Or use irule to select SSL profile ? << (this method may be not work due to certificate hello is the first of SSL handshake and not sure F5 can customize or inspect that)

     

    Thank you