Bug ID 632968: supported_signature_algorithms extension in CertificateRequest sent by a TLS server fails

Last Modified: Mar 17, 2021

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6

Fixed In:
13.0.0, 12.1.3.7

Opened: Dec 10, 2016
Severity: 3-Major
Related AskF5 Article:
K46042053

Symptoms

Clients are unable to establish an SSL session. If the backend server sends a Certificate Request with Signature Hash Algorithms set to SHA256, the server SSL profile responds with Certificate and Certificate Verify containing a signature signed by SHA1 when ssl-sign-hash in that profile is set to 'ANY'. Because the backend server does not expect SHA1, the handshake fails. If the BIG-IP server SSL profile advanced configuration setting for SSL sign hash is set to SHA-256 (and not ANY), the handshake fails with the following error: Connection error: ssl_hs_rsaprivenc:8528: no shared hash algorithm (40).

Impact

BIG-IP systems sign the TLS handshake with the SHA1 algorithm, which fails on the server. Note that this issue is orthogonal to the issue of hash algorithm in X.509 certificates, e.g., 'SHA1 in X.509 certificates'.

Conditions

* BIG-IP system is communicating with a TLS server (applies to server SSL profiles). * TLS server is requesting client authentication (this is less common). * TLS client is using the supported_signature_algorithms extension (this is very common) * TLS 1.2 is likely needed. TLS 1.0 does not support extensions. * SSL sign hash for the server SSL profile is set to either 'any' or 'sha-256'.

Workaround

No mitigation is known.

Fix Information

BIG-IP now properly parses the following extension in CertificateRequest by a TLS server.: SignatureAndHashAlgorithm supported_signature_algorithms<2^16-1>. This allows the existing logic to work, in particular, to learn that the server supports SHA2 family of hash algorithms and use them with the signature in the TLS handshake.

Behavior Change