Bug ID 512905: RSA key with DSA-signed or ECDSA-signed certificate silently fails handshake.

Last Modified: Jan 16, 2024

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
11.6.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
12.0.0, 11.6.1, 11.5.4 HF2

Opened: Mar 17, 2015

Severity: 4-Minor

Symptoms

RSA key with DSA-signed or ECDSA-signed certificate silently fails handshake.

Impact

When this kind of key/cert pair is configured in a Client SSL profile that is used by a virtual server, the SSL handshake to the virtual server fails.

Conditions

The key cert pair type matches one of the following combinations: 1. RSA key/DSA-signed cert. 2. RSA key/ECDSA-signed cert.

Workaround

Do not use this kind of 'hybrid' key/cert pair in the Client SSL profile. Instead, use the combination such as RSA key/RSA-signed cert, EC key/ECDSA-signed cert, or DSA key/DSA-signed cert.

Fix Information

An RSA key with DSA-signed or ECDSA-signed cert no longer fails the SSL handshake. You can now configure those in the Client SSL profile and the SSL handshake completes as expected.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips