This section describes the steps to configure signature algorithm.
The SSL client uses the signature_algorithms extension to indicate to the server which signature/ hash algorithm pairs must be used in digital signatures.
The extension_data field of this extension contains a supported_signature_algorithms value.
Supported Hash Algorithms:
md(5)
sha1(2)
sha224(3)
sha256(4)
sha384(5)
sha512(6)
Supported Signature Algorithms:
rsa
dsa
ecdsa
In Avi Load Balancer, the signature algorithms set by a client are used directly in the supported signature algorithm in the client hello message.
The supported signature algorithms set by a server are not sent to the client but are used to determine the set of shared signature algorithms and their order.
The client authentication signature algorithms set by a server are sent in a certificate request message if client authentication is enabled. Otherwise, they are unused. Similarly, client authentication signature algorithms set by a client are used to determine the set of client authentication shared signature algorithms.
Signature algorithms will neither be advertised nor used if the security level prohibits them.
Configuring Signature Algorithm
The field signature_algorithm is introduced in the SSL profile configuration. By default, this field is set to auto.
show sslprofile System-Standard [admin]: > show sslprofile System-Standard +-------------------------------+----------------------------------------------------------------------------------+ | Field | Value | +-------------------------------+----------------------------------------------------------------------------------+ | uuid | sslprofile-9052601e-0203-4702-81fd-221d0f4a3c5a | | name | System-Standard | | accepted_versions[1] | | | type | SSL_VERSION_TLS1 | | accepted_versions[2] | | | type | SSL_VERSION_TLS1_1 | | accepted_versions[3] | | | type | SSL_VERSION_TLS1_2 | | accepted_ciphers | ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDH | | | E-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:EC | | | DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA | | | -AES256-SHA:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-S | | | HA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA | | --------------------Truncated Output---------------------- | | | | | prefer_client_cipher_ordering | False | | enable_ssl_session_reuse | True | | ssl_session_timeout | 86400 sec | | type | SSL_PROFILE_TYPE_APPLICATION | | ciphersuites | TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 | | enable_early_data | False | | ec_named_curve | auto | | signature_algorithm | auto | | tenant_ref | admin | +-------------------------------+----------------------------------------------------------------------------------+
By default, Avi Load Balancer supports ECDSA+SHA256:RSA+SHA256 (when signature_algorithm is set to auto ).
Modify the signature algorithm as shown below:
> configure sslprofile System-Standard sslprofile> signature_algorithm ECDSA+SHA256:RSA+SHA256:RSA-PSS+SHA256 Overwriting the previously entered value for signature_algorithm sslprofile> save
