This section describes the steps to configure the signature algorithm.

The SSL client uses the signature_algorithms extension to indicate to the server which signature/hash algorithm pairs must be used in digital signatures.

The extension_data field of this extension contains a supported_signature_algorithms value.

Supported Hash Algorithms:

  • md5(1)

  • sha1(2)

  • sha224(3)

  • sha256(4)

  • sha384(5)

  • sha512(6)

Supported Signature Algorithms:

  • rsa

  • dsa

  • ecdsa

In NSX Advanced Load Balancer, the signature algorithms set by a client are used directly in the supported signature algorithms sent in the client hello message.

The supported signature algorithms set by a server are not sent to the client but are used to determine the set of shared signature algorithms and their order.

The client authentication signature algorithms set by a server are sent in a certificate request message if client authentication is enabled. Otherwise, they are unused. Similarly, client authentication signature algorithms set by a client are used to determine the set of client authentication shared signature algorithms.

Signature algorithms will neither be advertised nor used if the security level prohibits them.

Configuring Signature Algorithm

The field signature_algorithm is introduced in the SSL profile configuration. By default, this field is set to auto.

[admin]: > show sslprofile System-Standard
+-------------------------------+----------------------------------------------------------------------------------+
| Field                         | Value                                                                            |
+-------------------------------+----------------------------------------------------------------------------------+
| uuid                          | sslprofile-9052601e-0203-4702-81fd-221d0f4a3c5a                                  |
| name                          | System-Standard                                                                  |
| accepted_versions[1]          |                                                                                  |
|   type                        | SSL_VERSION_TLS1                                                                 |
| accepted_versions[2]          |                                                                                  |
|   type                        | SSL_VERSION_TLS1_1                                                               |
| accepted_versions[3]          |                                                                                  |
|   type                        | SSL_VERSION_TLS1_2                                                               |
| accepted_ciphers              | ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDH |
|                               | E-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:EC |
|                               | DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA |
|                               | -AES256-SHA:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-S |
|                               | HA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA                           |
|    --------------------Truncated Output----------------------                                                    |
|                               |                                                                                  |
| prefer_client_cipher_ordering | False                                                                            |
| enable_ssl_session_reuse      | True                                                                             |
| ssl_session_timeout           | 86400 sec                                                                        |
| type                          | SSL_PROFILE_TYPE_APPLICATION                                                     |
| ciphersuites                  | TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256       |
| enable_early_data             | False                                                                            |
| ec_named_curve                | auto                                                                             |
| signature_algorithm           | auto                                                                             |
| tenant_ref                    | admin                                                                            |
+-------------------------------+----------------------------------------------------------------------------------+

By default, NSX Advanced Load Balancer supports ECDSA+SHA256:RSA+SHA256 (when signature_algorithm is set to auto).

Modify the signature algorithm as shown below:

> configure sslprofile System-Standard

sslprofile> signature_algorithm ECDSA+SHA256:RSA+SHA256:RSA-PSS+SHA256
Overwriting the previously entered value for signature_algorithm

sslprofile> save
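
To check a profile value against what a client actually offers, the following added example (not NSX Advanced Load Balancer code) decodes the extension_data of a signature_algorithms extension and intersects it with a signature_algorithm string in the format shown above. The function names, the server_order switch, the constructed sample bytes, and the mapping of code point 0x0804 to the name RSA-PSS+SHA256 are assumptions made for illustration.

```python
import struct

# TLS 1.2 (RFC 5246) HashAlgorithm and SignatureAlgorithm code points.
HASHES = {1: "MD5", 2: "SHA1", 3: "SHA224", 4: "SHA256", 5: "SHA384", 6: "SHA512"}
SIGS = {1: "RSA", 2: "DSA", 3: "ECDSA"}
# RFC 8446 rsa_pss_rsae_sha256; naming it RSA-PSS+SHA256 is an assumption.
SCHEMES = {0x0804: "RSA-PSS+SHA256"}

# Constructed sample: 2-byte length, then five (hash, signature) pairs.
SAMPLE = bytes.fromhex("000a" "0401" "0403" "0804" "0201" "0601")


def parse_sigalgs(extension_data):
    """Decode supported_signature_algorithms into SIG+HASH names, in client order."""
    if len(extension_data) < 2:
        raise ValueError("extension_data too short for its length prefix")
    (length,) = struct.unpack("!H", extension_data[:2])
    body = extension_data[2:]
    if length == 0 or length % 2 or length != len(body):
        raise ValueError("malformed supported_signature_algorithms vector")
    names = []
    for i in range(0, length, 2):
        hash_id, sig_id = body[i], body[i + 1]
        code = (hash_id << 8) | sig_id
        if code in SCHEMES:
            names.append(SCHEMES[code])
        elif hash_id in HASHES and sig_id in SIGS:
            names.append(f"{SIGS[sig_id]}+{HASHES[hash_id]}")
        else:
            names.append(f"unknown(0x{code:04x})")
    return names


def shared_sigalgs(client_offer, profile_value, server_order=True):
    """Intersect the client's offer with an explicit signature_algorithm string."""
    configured = profile_value.split(":")
    if server_order:  # hypothetical switch: order by the server's list
        return [alg for alg in configured if alg in client_offer]
    return [alg for alg in client_offer if alg in configured]


if __name__ == "__main__":
    offer = parse_sigalgs(SAMPLE)
    print("client offers:", offer)
    print("shared:", shared_sigalgs(offer, "ECDSA+SHA256:RSA+SHA256"))
```

An empty result from shared_sigalgs means the client and the profile have no signature algorithm in common, which is the case to look for before restricting signature_algorithm on a profile that serves older clients.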