Bug ID 738455: TLS1.2 and earlier 'do not advertise' signature algorithm RSA-PSS

Last Modified: Apr 28, 2025

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1

Fixed In:
14.1.0

Opened: Jul 26, 2018

Severity: 3-Major

Symptoms

'Do not advertise' support for RSA-PSS signature algorithms in TLS1.2 and earlier versions. This is advertised by the default cipher group.

Impact

No support for 'Do not advertise.' Possible handshake failure with unsupported signature algorithm.

Conditions

-- TLS1.2 and earlier. -- Attempting to use 'Do not advertise.'

Workaround

Use a cipher group with RSA-PSS removed from the signature algorithms. Switch to using the cipher string from cipher groups.

Fix Information

There is now 'Do not advertise' support for RSA-PSS signature algorithms in TLS1.2 and earlier versions.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips