APIRef_tm_ltm_profile_client-ssl
mgmt/tm/ltm/profile/client-ssl
Virtual server client-side proxy SSL profile configuration
REST Endpoints
- Collection URI: /mgmt/tm/ltm/profile/client-ssl
- Collection Methods: OPTIONS, GET
- Resource URI: /mgmt/tm/ltm/profile/client-ssl/~resource id
- Resource Methods: OPTIONS, GET, PUT, PATCH, DELETE, POST
- Resource Natural Key: name, partition, subPath
Properties
| Name | Type | Default Value | Required | Access | Description |
|---|---|---|---|---|---|
| alertTimeout | string | | optional | read/write | Specifies the alert timeout in seconds. You can also specify indefinite. |
| allowDynamicRecordSizing | string | | optional | read/write | Enables or disables dynamic application record sizing. Specify enabled when you want to allow dynamic record sizing. The default value is disabled. |
| allowExpiredCrl | string | | optional | read/write | Use the specified CRL file even if it has expired. |
| allowNonSsl | string | | optional | read/write | Enables or disables non-SSL connections. Specify enabled to allow non-SSL connections to pass through the traffic management system as clear text. |
| appService | string | | optional | read/write | The application service to which the object belongs. |
| authenticate | string | | optional | read/write | Specifies the frequency of authentication. The default value is once. |
| authenticateDepth | integer | | optional | read/write | Specifies the authenticate depth, that is, the maximum traversal depth of the client certificate chain. |
| bypassOnClientCertFail | string | disabled | optional | read/write | Specifies whether to bypass SSL forward proxy traffic when the client certificate that the server asks for cannot be retrieved from the BIG-IP. The default value is disabled. |
| bypassOnHandshakeAlert | string | disabled | optional | read/write | Specifies whether to bypass SSL forward proxy traffic when a handshake_failure(40) alert is received. The default value is disabled. |
| caFile | string | | optional | read/write | Specifies the certificate authority (CA) file name. Configure certificate verification by specifying a list of client or server CAs that the traffic management system trusts. |
| cacheSize | integer | | optional | read/write | Specifies the SSL session cache size. For client-side profiles only, you can configure timeout and size values for the SSL session cache. Because each profile maintains a separate SSL session cache, you can configure the values on a per-profile basis. |
| cacheTimeout | integer | | optional | read/write | Specifies the SSL session cache timeout value, that is, the number of seconds for which negotiated SSL session IDs remain usable. The default timeout value for the SSL session cache is 3600 seconds. Acceptable values are integers greater than or equal to 0 and less than or equal to 86400. |
| cert | string | | optional | read/write | DEPRECATED - use the certKeyChain option instead. Specifies the name of the certificate installed on the traffic management system for the purpose of terminating or initiating an SSL connection. |
| certExtensionIncludes | string | | optional | read/write | Specifies the extensions of the web server certificates to be included in the certificates generated by SSL Forward Proxy. For example, { basic-constraints }. The default value is none. |
| certLifespan | integer | 30 | optional | read/write | Specifies the lifespan of the certificate generated by SSL Forward Proxy. The default value is 30 days. |
| certLookupByIpaddrPort | string | disabled | optional | read/write | Specifies whether the SSL forward proxy feature that looks up certificates by IP address and port is enabled. The default value is disabled. |
| chain | string | | optional | read/write | DEPRECATED - use the certKeyChain option instead. Specifies or builds a certificate chain file that a client can use to authenticate the profile. To use the default chain name, specify default. |
| cipherGroup | string | | optional | read/write | Specifies an associated cipher group. |
| ciphers | string | | optional | read/write | Specifies a cipher name. The default value is DEFAULT, which uses the default ciphers. |
| clientCertCa | string | | optional | read/write | Specifies the client certificate certification authority name. |
| crlFile | string | | optional | read/write | Specifies the certificate revocation list file name. |
| defaultsFrom | string | | optional | read/write | Specifies the profile that you want to use as the parent profile. Your new profile inherits all settings and values from the specified parent profile. |
| description | string | | optional | read/write | User-defined description. |
| destinationIpBlacklist | string | | optional | read/write | Specifies the data group list of the destination IP blacklist for SSL Forward Proxy Bypass. |
| destinationIpWhitelist | string | | optional | read/write | Specifies the data group list of the destination IP whitelist for SSL Forward Proxy Bypass. |
| forwardProxyBypassDefaultAction | string | intercept | optional | read/write | Specifies the SSL forward proxy bypass default action. The default value is intercept. |
| genericAlert | string | enabled | optional | read/write | Enables or disables generic-alert, which, when enabled, uses a generic alert number in alert messages. The default option is enabled. |
| handshakeTimeout | string | | optional | read/write | Specifies the handshake timeout in seconds. You can also specify indefinite. |
| hostnameBlacklist | string | | optional | read/write | Specifies the data group list of the hostname blacklist for SSL Forward Proxy Bypass. |
| hostnameWhitelist | string | | optional | read/write | Specifies the data group list of the hostname whitelist for SSL Forward Proxy Bypass. |
| inheritCertkeychain | string | false | optional | read/write | This is a read-only value used internally. |
| key | string | | optional | read/write | DEPRECATED - use the certKeyChain option instead. Specifies the name of a key file that you generated and installed on the system. The default key name is default.key. |
| maxActiveHandshakes | string | 0 | optional | read/write | Specifies the maximum number of active handshakes allowed. The default value is 0. |
| maxAggregateRenegotiationPerMinute | string | 0 | optional | read/write | Specifies the maximum number of aggregate renegotiation attempts allowed in a minute. The default value is indefinite. |
| maxRenegotiationsPerMinute | integer | 5 | optional | read/write | Specifies the maximum number of renegotiation attempts allowed in a minute. The default value is 5. |
| maximumRecordSize | integer | | optional | read/write | Specifies the profile’s maximum record size. The range is 128 - 16384. The default value is 16384. |
| modSslMethods | string | | optional | read/write | Enables or disables ModSSL method emulation. Enable this option when OpenSSL methods are inadequate. For example, you can enable this option when you want to use SSL compression over TLSv1. |
| mode | string | disabled | optional | read/write | Specifies the profile mode, which enables or disables SSL processing. The default value is enabled. |
| notifyCertStatusToVirtualServer | string | disabled | optional | read/write | Specifies whether to propagate the status of this clientssl profile's certificates to the virtual servers that use the profile. |
| ocspStapling | string | disabled | optional | read/write | Specifies whether to enable OCSP stapling. |
| tmOptions | string | | optional | read/write | Enables options, including some industry-related workarounds. Enter options inside braces, for example, { dont-insert-empty-fragments microsoft-sess-id-bug}. The default value is all-bugfixes, which enables a set of industry-related miscellaneous workarounds related to SSL processing. |
| tmPartition | string | Common | optional | read/write | Displays the administrative partition within which this profile resides. |
| passphrase | string | | optional | read/write | DEPRECATED - use the certKeyChain option instead. Specifies the key passphrase, if required. |
| peerCertMode | string | ignore | optional | read/write | Specifies the peer certificate mode. |
| peerNoRenegotiateTimeout | string | 10 | optional | read/write | Specifies the number of seconds that the system waits for a ClientHello after sending a Hello Request before it sends a fatal alert. The default is 10 seconds. You can set it to Indefinite, which specifies that the system continues to wait for the ClientHello for an unlimited time. |
| proxyCaCert | string | | optional | read/write | Specifies the Certification Authority certificate for SSL Forward Proxy. |
| proxyCaKey | string | | optional | read/write | Specifies the Certification Authority key for SSL Forward Proxy. |
| proxyCaPassphrase | string | | optional | read/write | Specifies the passphrase of the Certification Authority key for SSL Forward Proxy. |
| proxySsl | string | disabled | optional | read/write | Enables proxy SSL mode, which requires a corresponding server SSL profile with proxy-ssl enabled to allow for modification of application data within an SSL tunnel. |
| proxySslPassthrough | string | disabled | optional | read/write | Enables proxy SSL passthrough mode, which requires a corresponding server SSL profile with proxy-ssl-passthrough enabled to allow for modification of application data within an SSL tunnel. |
| renegotiateMaxRecordDelay | string | | optional | read/write | Specifies the maximum number of SSL records that the traffic management system can receive before it renegotiates an SSL session. After the system receives this number of SSL records, it closes the connection. This setting applies to client-side profiles only. The default value is 10. |
| renegotiatePeriod | string | | optional | read/write | Specifies the number of seconds after which an SSL session is renegotiated. The default value is indefinite. |
| renegotiateSize | string | | optional | read/write | Specifies the size of the application data, in megabytes, transmitted over the secure channel above which the traffic management system must renegotiate the SSL session. The default value is indefinite. |
| renegotiation | string | | optional | read/write | Controls mid-stream renegotiation. The default value is enabled. |
| retainCertificate | string | true | optional | read/write | When true, the client certificate is retained in the SSL session. |
| secureRenegotiation | string | request | optional | read/write | Controls secure renegotiation. The default value is require. |
| serverName | string | | optional | read/write | The name matched against TLS/1.1 and above client SSL requests that support the Server Name Indication extension. The default value is empty, which disables support for this extension. |
| sessionMirroring | string | disabled | optional | read/write | Enables or disables session mirroring to the high-availability peer. The default option is disabled. |
| sessionTicket | string | | optional | read/write | Enables or disables session tickets. The default option is disabled; see RFC 5077. |
| sessionTicketTimeout | integer | 0 | optional | read/write | Specifies the session ticket timeout. The default value is 0. |
| sniDefault | string | false | optional | read/write | When true, this profile is the default SSL profile when a client connection does not specify a known server name, or does not specify any server name at all. The default value is false. |
| sniRequire | string | false | optional | read/write | When true, SNI support is required for the peer, and if a client connection does not specify a known server name, or does not specify any server name at all, the handshake fails. The default value is false. |
| sourceIpBlacklist | string | | optional | read/write | Specifies the data group list of the source IP blacklist for SSL Forward Proxy Bypass. |
| sourceIpWhitelist | string | | optional | read/write | Specifies the data group list of the source IP whitelist for SSL Forward Proxy Bypass. |
| sslForwardProxy | string | disabled | optional | read/write | Specifies whether the SSL forward proxy feature is enabled. The default value is disabled. |
| sslForwardProxyBypass | string | disabled | optional | read/write | Specifies whether the SSL forward proxy bypass feature is enabled. The default value is disabled. |
| sslSignHash | string | any | optional | read/write | The SSL sign hash algorithm used to sign and verify SSL Server Key Exchange and Certificate Verify messages for the specified SSL profiles. |
| strictResume | string | | optional | read/write | Enables or disables strict-resume. The default option is disabled, which causes the SSL profile to allow uncleanly shut down SSL sessions to be resumed. Conversely, you can specify enabled to prevent an SSL session from being resumed after an unclean shutdown. |
| uncleanShutdown | string | | optional | read/write | By default, the SSL profile performs unclean shutdowns of all SSL connections, which means that underlying TCP connections are closed without exchanging the required SSL shutdown alerts. If you want to force the SSL profile to perform a clean shutdown of all SSL connections, set this option to disabled. |
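As a worked example of using this endpoint from the defender's side (added here; it is not F5's code and not part of the original reference), the Python below takes the JSON that a GET on the resource URI returns, flags permissive values of properties from the table above, and builds the body for a PATCH that corrects them. It assumes the response keys match the property names in this reference and that the resource id is the natural key written as ~partition~name; the sample profile document, the profile name and the choice of which values count as weak are this example's own, not F5 guidance.

```python
"""Audit a BIG-IP client-ssl profile (iControl REST JSON) for weak settings.

Added example, not part of the F5 reference page. It assumes that a GET on
/mgmt/tm/ltm/profile/client-ssl/~<partition>~<name> returns a JSON object whose
keys are the property names listed in the reference. The sample document below
is constructed for this example, and the thresholds (which values count as
weak) are this example's own choices, not F5 guidance.
"""
import json

# Constructed sample: what a GET on the resource URI might return for a profile
# that still carries several permissive settings. Only property names from the
# reference table are used; the profile name is made up.
SAMPLE_PROFILE_JSON = json.dumps({
    "name": "example_clientssl",
    "partition": "Common",
    "defaultsFrom": "/Common/clientssl",
    "allowNonSsl": "enabled",
    "allowExpiredCrl": "enabled",
    "renegotiation": "enabled",
    "secureRenegotiation": "request",
    "peerCertMode": "ignore",
    "sessionTicket": "disabled",
    "uncleanShutdown": "enabled",
    "sniRequire": "false",
    "ciphers": "DEFAULT",
})

# Each check: (property, predicate that is True when the value is weak,
# recommended value, why it matters). Recommended values are drawn from the
# value sets the reference describes for each property.
CHECKS = [
    ("allowNonSsl", lambda v: v == "enabled", "disabled",
     "cleartext (non-SSL) connections would pass through the virtual server"),
    ("allowExpiredCrl", lambda v: v == "enabled", "disabled",
     "revocation checks would honour a stale CRL"),
    ("secureRenegotiation", lambda v: v != "require", "require",
     "renegotiation without the RFC 5746 secure-renegotiation extension would be accepted"),
    ("renegotiation", lambda v: v == "enabled", "disabled",
     "client-initiated mid-stream renegotiation is a resource-exhaustion risk"),
    ("uncleanShutdown", lambda v: v == "enabled", "disabled",
     "connections close without close_notify, so truncation goes undetected"),
]


def audit_profile(profile_json: str) -> list[dict]:
    """Return one finding per failed check: property, current, recommended, reason.

    Properties absent from the document are skipped, because with iControl REST
    an absent property means the value is inherited from defaultsFrom and would
    have to be audited on the parent profile.
    """
    profile = json.loads(profile_json)
    findings = []
    for prop, is_weak, recommended, reason in CHECKS:
        current = profile.get(prop)
        if current is not None and is_weak(current):
            findings.append({"property": prop, "current": current,
                             "recommended": recommended, "reason": reason})
    return findings


def build_patch_body(findings: list[dict]) -> dict:
    """Build the JSON body for a PATCH on the resource URI that fixes the findings.

    PATCH updates only the properties present in the body, so nothing else on
    the profile is touched; PUT would require the full object.
    """
    return {f["property"]: f["recommended"] for f in findings}


if __name__ == "__main__":
    found = audit_profile(SAMPLE_PROFILE_JSON)
    for f in found:
        print(f"{f['property']}: {f['current']} -> {f['recommended']} ({f['reason']})")
    print("PATCH body:", json.dumps(build_patch_body(found)))
```

Run against a live device, the same functions would take the body of a GET on the resource URI and produce the body for a PATCH to it; the checks deliberately skip properties that are absent from the document, since those are inherited from the parent named in defaultsFrom and must be audited there.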
Array Structures
Copyright (c) 2016, F5 Networks Inc. All Rights Reserved.
The BIG-IP API Reference documentation contains community-contributed content. F5 does not monitor or control community code contributions. We make no guarantees or warranties regarding the available code, and it may contain errors, defects, bugs, inaccuracies, or security vulnerabilities. Your access to and use of any code available in the BIG-IP API reference guides is solely at your own risk.