Forum Discussion

jmanya_44531's avatar
jmanya_44531
Icon for Nimbostratus rankNimbostratus
Feb 14, 2017

clientssl profile with ECC certificate needs RSA Certificate

Hello guys,

 

Hope you could support me in the following matther.

 

I have already purchased an ECC wildcard certificate and I wanted to attach it to a virtual server in my BIG IP 4200 LTM box which is running version 12.1.2.

 

Everything went well until I got an error when creating a SSL client profile. It said "010717e3:3: Client SSL profile must have RSA certificate/key pair.", so I investigated and found that it is needed to have a RSA certificate/key in the profile besides the ECC pair. Therefore, I have the following questions about it:

 

Do I need to generate two certificates (one ECC and other RSA) with the same FQDN on them? Is it possible? I am using Entrust to generate my certificates.

 

How could I figure out which one certificate the BIG IP is showing to the client? How does the BIG IP select which certificate to show?

 

Is there any possibility to make the BIG IP allows the creation of an SSL profile which uses an ECC certificate/key? In future releases perhaps?

 

I have performed a couple of tests and it seems like the BIG IP is always showing the RSA certificate.

 

Thanks in advance for your help.

 

Best regards

 

  • Hi Everyone,

     

    I am facing the same issue and adding ECDH_ECDSA to the ciphers does not seem to solve it.

     

    We had already an RSA certificate so I just added the ECC key chain on the SSL profile, but SSLlabs always put the RSA certificate as 1 and only IE11 on win 7 and 8.1 is preferring ECC.

     

    Here's our cipher config : ECDHE_ECDSA:DEFAULT:!DHE:!3DES:@SPEED:ECDHE

     

    I tried without the :DEFAULT and also without the ending :ECDHE, but no success :(

     

    Could you help me please ?

     

    Thank you very much.

     

    • jmanya_44531's avatar
      jmanya_44531
      Icon for Nimbostratus rankNimbostratus

      Hello nice2k:

       

      Try adding the following in the cipher field of the SSL profile:

       

      ECDHE_ECDSA+TLSv1_2:!MD5:!EXPORT:!DES:!SSLv2:!SSLv3:!ADH:!RC4:!DHE:!EDH:SHA1:@SPEED

       

      It worked for me... The SSL labs gave me an A grade...

       

  • Hi,

     

    yes you do need both certs, ask your cert provider whether the RSA cert you have purchased has the option for ECC as well and get them to generate one otherwise you may need to buy a cert product that supports RSA & ECC and get both certs, at least this is what I did when configuring it. If you only want to allow ECC with clients then restrict the ciphers as stated by masterdead, cheers

     

  • Kevin_K_51432's avatar
    Kevin_K_51432
    Historic F5 Account

    Greetings, It looks like at least one RSA cert & key is required. You could try preferring ECC, instead of only using (as above) with:

     

    ECDH_ECDSA:DEFAULT

     

    I would assume BIG-IP bases which cert / key to use based on the client's preference in the initial handshake.

     

    Kevin

     

    • Kevin_K_51432's avatar
      Kevin_K_51432
      Historic F5 Account

      Hi, you're very welcome. You can just add the ECDH_ECDSA cipher string to the beginning of your current cipher configuration:

       

      ECDH_ECDSA:NATIVE:!MD5:!EXPORT:!DES:!DHE:!EDH:@SPEED

       

      Kevin

       

    • jmanya_44531's avatar
      jmanya_44531
      Icon for Nimbostratus rankNimbostratus

      Hi Kevin,

       

      I really appreciate your help.

       

      How could I combine the ECDH_ECDSA:DEFAULT cipher with a customized one I have which is NATIVE:!MD5:!EXPORT:!DES:!DHE:!EDH:@SPEED ?

       

      Thanks

       

    • Kevin_K_51432's avatar
      Kevin_K_51432
      Historic F5 Account

      Hi Jorge, The server chooses the cipher suite. So if the client prefers RSA, but supports ECC, BIG-IP will still choose the ECC certificate based on:

       

      ECDH_ECDSA:DEFAULT

       

      Kevin