Symptoms

Clients are unable to establish an SSL session. If the backend server sends a Certificate Request with Signature Hash Algorithms set to SHA256, the server SSL profile responds with Certificate and Certificate Verify containing a signature signed by SHA1 when ssl-sign-hash in that profile is set to 'ANY'. Because the backend server does not expect SHA1, the handshake fails. If the BIG-IP server SSL profile advanced configuration setting for SSL sign hash is set to SHA-256 (and not ANY), the handshake fails with the following error: Connection error: ssl_hs_rsaprivenc:8528: no shared hash algorithm (40).

Impact

BIG-IP systems sign the TLS handshake with the SHA1 algorithm, which fails on the server. Note that this issue is orthogonal to the issue of hash algorithm in X.509 certificates, e.g., 'SHA1 in X.509 certificates'.

Conditions

* BIG-IP system is communicating with a TLS server (applies to server SSL profiles). * TLS server is requesting client authentication (this is less common). * TLS client is using the supported_signature_algorithms extension (this is very common) * TLS 1.2 is likely needed. TLS 1.0 does not support extensions. * SSL sign hash for the server SSL profile is set to either 'any' or 'sha-256'.

Workaround

No mitigation is known.

Fix Information

BIG-IP now properly parses the following extension in CertificateRequest by a TLS server.: SignatureAndHashAlgorithm supported_signature_algorithms<2^16-1>. This allows the existing logic to work, in particular, to learn that the server supports SHA2 family of hash algorithms and use them with the signature in the TLS handshake.

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips