Forum Discussion

romolo82
Jul 06, 2023

SSL length key

Hi,

a client is trying to reach a VS on a BIG-IP system with an SSL key.

That key is regularly trusted on the load balancer, and its CA root and intermediate too, but the load balancer refused the communication. The response, captured via network trace, is only "handshake failure".

Now, that SSL key has a size of 8192, and at this link: https://my.f5.com/manage/s/article/K01474701 I can see that only 4096 or 2048 are supported.

Does anyone know a workaround for this issue?

Thanks a lot

  • romolo82 This is a hard restriction from my understanding and that's a fairly recent article update so I do not see this being supported in the near future. I would even try not to use 4096 keys because I believe that still reduces your SSL transactions by half compared to 2048 keys.

  • Use 2048 keys.

    If something more exotic is needed... pass it through and have the backend server check/verify instead.

     

      romolo82

      Unfortunately, it's company policy to have SSL termination on the LB... I believe that using a 2048 key is the only possibility.