Bug ID 512905: RSA key with DSA-signed or ECDSA-signed certificate silently fails handshake.

Last Modified: Mar 21, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8

Fixed In:
12.0.0, 11.6.1, 11.5.4 HF2

Opened: Mar 17, 2015
Severity: 4-Minor

Symptoms

RSA key with DSA-signed or ECDSA-signed certificate silently fails handshake.

Impact

When this kind of key/cert pair is configured in a Client SSL profile that is used by a virtual server, the SSL handshake to the virtual server fails.

Conditions

The key cert pair type matches one of the following combinations: 1. RSA key/DSA-signed cert. 2. RSA key/ECDSA-signed cert.

Workaround

Do not use this kind of 'hybrid' key/cert pair in the Client SSL profile. Instead, use the combination such as RSA key/RSA-signed cert, EC key/ECDSA-signed cert, or DSA key/DSA-signed cert.

Fix Information

An RSA key with DSA-signed or ECDSA-signed cert no longer fails the SSL handshake. You can now configure those in the Client SSL profile and the SSL handshake completes as expected.

Behavior Change