APIRef_tm_ltm_profile_server-ssl
mgmt/tm/ltm/profile/server-ssl
Virtual server server-side proxy SSL profile configuration
REST Endpoints
- Collection URI: /mgmt/tm/ltm/profile/server-ssl
- Collection Methods: OPTIONS, GET
- Resource URI: /mgmt/tm/ltm/profile/server-ssl/~resource id
- Resource Methods: OPTIONS, GET, PUT, PATCH, DELETE, POST
- Resource Natural Key: name, partition, subPath
Properties
Name | Type | Default Value | Required | Access | Description |
---|---|---|---|---|---|
alertTimeout | string | | optional | read/write | Specifies the alert timeout in seconds. You can also specify indefinite. |
allowExpiredCrl | string | | optional | read/write | Use the specified CRL file even if it has expired. |
appService | string | | optional | read/write | The application service to which the object belongs. |
authenticate | string | | optional | read/write | Specifies the frequency of authentication. |
authenticateDepth | integer | | optional | read/write | Specifies the maximum traversal depth of the client certificate chain. |
authenticateName | string | | optional | read/write | Specifies a Common Name (CN) that is embedded in a server certificate. The system authenticates a server based on the specified CN. |
bypassOnClientCertFail | string | disabled | optional | read/write | Specifies whether to bypass SSL forward proxy traffic when the BIG-IP fails to retrieve the client certificate that the server asks for. The default value is disabled. |
bypassOnHandshakeAlert | string | disabled | optional | read/write | Specifies whether to bypass SSL forward proxy traffic when a handshake_failure(40) alert is received. The default value is disabled. |
caFile | string | | optional | read/write | Specifies the certificate authority (CA) file name. Configures certificate verification by specifying a list of client or server CAs that the traffic management system trusts. |
cacheSize | integer | | optional | read/write | Specifies the SSL session cache size. For client-side profiles only, you can configure timeout and size values for the SSL session cache. Because each profile maintains a separate SSL session cache, you can configure the values on a per-profile basis. |
cacheTimeout | integer | | optional | read/write | Specifies the SSL session cache timeout value, which is the usable lifetime, in seconds, of negotiated SSL session IDs. The default value is 3600 seconds. Acceptable values are integers greater than or equal to 0 and less than or equal to 86400. |
cert | string | | optional | read/write | Specifies the name of the certificate installed on the traffic management system for the purpose of terminating or initiating an SSL connection. The default value is none. |
chain | string | | optional | read/write | Specifies or builds a certificate chain file that a client can use to authenticate the profile. |
cipherGroup | string | | optional | read/write | Specifies an associated cipher group. |
ciphers | string | | optional | read/write | Specifies a cipher name. |
crlFile | string | | optional | read/write | Specifies the certificate revocation list file name, or indicates that the system uses the certificate revocation list file name from the parent profile. |
defaultsFrom | string | | optional | read/write | Specifies the profile that you want to use as the parent profile. Your new profile inherits all settings and values from the specified parent profile. |
description | string | | optional | read/write | User-defined description. |
expireCertResponseControl | string | drop | optional | read/write | Specifies the action for the BIG-IP system to take when the server certificate has expired. The default value is drop, which causes the connection to be dropped. Conversely, you can specify ignore to cause the connection to ignore the error and continue. Note that drop works only if the certificate is trusted. |
genericAlert | string | enabled | optional | read/write | Enables or disables generic-alert, which, when enabled, uses a generic alert number in alert messages. The default option is enabled. |
handshakeTimeout | string | | optional | read/write | Specifies the handshake timeout in seconds. You can also specify indefinite. |
key | string | | optional | read/write | Specifies the name of the key installed on the traffic management system for the purpose of terminating or initiating an SSL connection. The default value is none. |
maxActiveHandshakes | string | 0 | optional | read/write | Specifies the maximum allowed active handshakes. The default value is 0. |
modSslMethods | string | | optional | read/write | Enables or disables ModSSL method emulation. Use enabled when OpenSSL methods are inadequate. For example, you can enable ModSSL method emulation when you want to use SSL compression over TLSv1. |
mode | string | disabled | optional | read/write | Enables or disables SSL processing. The default value is enabled. |
ocsp | string | | optional | read/write | |
tmOptions | string | | optional | read/write | Enables options, including some industry-related workarounds. Enter options inside braces, for example, { dont-insert-empty-fragments microsoft-sess-id-bug}. The default value is dont-insert-empty-fragments, which disables a countermeasure against an SSL 3.0/TLS 1.0 protocol vulnerability affecting CBC ciphers. |
tmPartition | string | Common | optional | read/write | Displays the administrative partition within which this profile resides. |
passphrase | string | | optional | read/write | Specifies the key passphrase, if required. |
peerCertMode | string | ignore | optional | read/write | Specifies the peer certificate mode. |
proxySsl | string | disabled | optional | read/write | Enables proxy SSL mode, which requires a corresponding client SSL profile with proxy-ssl enabled to allow for modification of application data within an SSL tunnel. |
proxySslPassthrough | string | disabled | optional | read/write | Enables proxy SSL passthrough mode, which requires a corresponding client SSL profile with proxy-ssl-passthrough enabled to allow for modification of application data within an SSL tunnel. |
renegotiatePeriod | string | | optional | read/write | Specifies the number of seconds from the initial connect time after which the system renegotiates an SSL session. The default value is indefinite, meaning that you do not want the system to renegotiate SSL sessions. Each time the session renegotiation is successful, a new connection is started. Therefore, the system attempts to renegotiate the session again in the specified amount of time following the successful renegotiation. For example, setting the Renegotiate Period to 3600 seconds triggers session renegotiation at least once an hour. |
renegotiateSize | string | | optional | read/write | Specifies a throughput size, in bytes, of SSL renegotiation. This setting forces the traffic management system to renegotiate an SSL session based on the size, in megabytes, of application data that is transmitted over the secure channel. The default value is indefinite, specifying that you do not want a throughput size. |
renegotiation | string | | optional | read/write | Controls mid-stream renegotiation. The default value is enabled. |
retainCertificate | string | true | optional | read/write | When true, the server certificate is retained in the SSL session. |
secureRenegotiation | string | request | optional | read/write | Controls secure renegotiation. The default value is require-strict. |
serverName | string | | optional | read/write | Name matched to TLS/1.1 and above client SSL requests that support the Server Name Indication extension. The default value is empty, which disables support for this extension. |
sessionMirroring | string | disabled | optional | read/write | Enables or disables session mirroring to the high-availability peer. The default option is disabled. |
sessionTicket | string | | optional | read/write | Enables or disables session-ticket. The default option is disabled; see RFC 5077. |
sniDefault | string | false | optional | read/write | When true, this profile is the default SSL profile when a client connection does not specify a known server name, or does not specify any server name at all. The default value is false. |
sniRequire | string | false | optional | read/write | When true, SNI support is required for the peer. If a client connection does not specify a known server name, or does not specify any server name at all, the connection will be rejected. The default value is false. |
sslForwardProxy | string | disabled | optional | read/write | Specifies if the SSL Forward Proxy feature is enabled. The default value is disabled. |
sslForwardProxyBypass | string | disabled | optional | read/write | Specifies if the SSL Forward Proxy Bypass feature is enabled. The default value is disabled. |
sslSignHash | string | any | optional | read/write | Specifies the SSL sign hash algorithm used to sign and verify SSL Server Key Exchange and Certificate Verify messages for the specified SSL profiles. |
strictResume | string | | optional | read/write | You can enable or disable the resumption of SSL sessions after an unclean shutdown. The default value is disabled, which indicates that the SSL profile refuses to resume SSL sessions after an unclean shutdown. |
uncleanShutdown | string | | optional | read/write | By default, the SSL profile performs unclean shutdowns of all SSL connections, which means that underlying TCP connections are closed without exchanging the required SSL shutdown alerts. If you want to force the SSL profile to perform a clean shutdown of all SSL connections, you can disable this. |
untrustedCertResponseControl | string | drop | optional | read/write | Specifies the system action when the server certificate has an untrusted CA. The default value is drop, which causes the connection to be dropped. Conversely, you can specify ignore to cause the connection to ignore the error and continue. |
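The defaults above leave the server side trusting the back end unverified (peerCertMode defaults to ignore) and allow errors or bypasses to be switched on per profile. The following is an added example, not F5 code: it builds the resource URI from the natural key, audits a profile document of the shape this endpoint returns against those defaults, and produces a PATCH body that tightens it. It assumes the `~resource id` placeholder takes the iControl REST form `~partition~subPath~name`, that `require` is an accepted peerCertMode value (the page does not list the values), and uses a constructed sample profile and a placeholder CA file name.

```python
# Added example (not F5 code): audit a server-ssl profile document of the
# shape returned by /mgmt/tm/ltm/profile/server-ssl, using the property
# names and defaults from the reference above. Runs offline.
import json

COLLECTION = "/mgmt/tm/ltm/profile/server-ssl"


def resource_uri(name, partition="Common", sub_path=None):
    """Resource URI from the natural key. Assumption: the '~resource id'
    placeholder is the iControl REST form ~partition~subPath~name."""
    parts = [partition] + ([sub_path] if sub_path else []) + [name]
    return "%s/~%s" % (COLLECTION, "~".join(parts))


def audit_server_ssl(profile):
    """Return (property, value, reason) for settings under which the BIG-IP
    trusts the back-end server unverified or lets traffic skip inspection.
    Absent properties take the defaults listed in the reference."""
    findings = []
    peer_mode = profile.get("peerCertMode", "ignore")
    if peer_mode == "ignore":
        findings.append(("peerCertMode", peer_mode,
                         "server certificate is not verified; set require and a caFile"))
    elif not profile.get("caFile"):
        findings.append(("caFile", None, "no CA bundle to verify the server chain against"))
    for prop in ("expireCertResponseControl", "untrustedCertResponseControl"):
        if profile.get(prop, "drop") == "ignore":
            findings.append((prop, "ignore", "connection continues despite a certificate error"))
    for prop in ("sslForwardProxyBypass", "bypassOnClientCertFail", "bypassOnHandshakeAlert"):
        if profile.get(prop, "disabled") == "enabled":
            findings.append((prop, "enabled", "traffic can bypass SSL forward proxy inspection"))
    return findings


def hardened_patch_body(ca_file):
    """JSON body for a PATCH to the resource URI that closes the findings above.
    Assumption: 'require' is an accepted peerCertMode value (not listed on the page)."""
    return json.dumps({"peerCertMode": "require", "caFile": ca_file,
                       "expireCertResponseControl": "drop",
                       "untrustedCertResponseControl": "drop",
                       "sslForwardProxyBypass": "disabled"})


# Constructed sample document, not captured from a real device.
SAMPLE_PROFILE = json.loads('{"name": "backend-ssl", "partition": "Common", '
                            '"peerCertMode": "ignore", "untrustedCertResponseControl": "ignore"}')

if __name__ == "__main__":
    for prop, value, reason in audit_server_ssl(SAMPLE_PROFILE):
        print("%s=%s: %s" % (prop, value, reason))
    print(hardened_patch_body("/Common/ca-bundle.crt"))  # placeholder CA file name
```

The audit treats an absent property as its documented default, so a profile that only sets name and partition is reported for peerCertMode even though the GET response carries no explicit ignore.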
Copyright (c) 2016, F5 Networks Inc. All Rights Reserved.
The BIG-IP API Reference documentation contains community-contributed content. F5 does not monitor or control community code contributions. We make no guarantees or warranties regarding the available code, and it may contain errors, defects, bugs, inaccuracies, or security vulnerabilities. Your access to and use of any code available in the BIG-IP API reference guides is solely at your own risk.