ltm profile server-ssl

ltm profile server-ssl(1)				BIG-IP TMSH Manual				 ltm profile server-ssl(1)

NAME
       server-ssl - Configures a Server SSL profile.

MODULE
       ltm profile

SYNTAX
       Configure the server-ssl component within the ltm profile module using the syntax shown in the following sections.

   CREATE/MODIFY
	create server-ssl [name]
	modify server-ssl [name]
	  options:
	    alert-timeout [indefinite | immediate | [integer] ]
	    allow-expired-crl [enabled | disabled]
	    app-service [[string] | none]
	    authenticate [always | once]
	    authenticate-depth [integer]
	    authenticate-name [ [name] | none]
	    bypass-on-client-cert-fail [disabled | enabled]
	    bypass-on-handshake-alert [disabled | enabled]
	    c3d-ca-cert [name]
	    c3d-ca-key [name]
	    c3d-ca-passphrase [string]
	    c3d-cert-extension-custom-oids [none | [string]]
	    c3d-cert-extension-includes {
		none |
		[ basic-constraints extended-key-usage
		  key-usage subject-alternative-name
		]...
	    }
	    c3d-cert-lifespan [integer]
	    ca-file [ [file name] | none]
	    cache-size [integer]
	    cache-timeout [integer]
	    cert [ [file name] | none]
	    chain [ [name] | none]
	    cipher-group [name | none]
	    ciphers [ [name] | none]
	    crl [[name] | none]
	    crl-file [none]
	    defaults-from [ [name] | none]
	    description [string]
	    expire-cert-response-control [drop | ignore | mask]
	    handshake-timeout [indefinite | [integer] ]
	    key [ [file name] | none]
	    log-publisher [log publisher name | none]
	    max-active-handshakes [integer]
	    mod-ssl-methods [disabled | enabled]
	    mode [disabled | enabled]
	    ocsp [[ocsp profile name] | none]
	    options {
	      none |
	      [ dont-insert-empty-fragments
		no-session-resumption-on-renegotiation
		no-ssl no-sslv3 no-tls no-tlsv1 no-tlsv1.1 no-tlsv1.2
		no-tlsv1.3 no-dtls no-dtlsv1.0 no-dtlsv1.2 gmsslv1.1 passive-close
		single-dh-use tls-rollback-bug ]
	    }
	    passphrase [none | [string] ]
	    peer-cert-mode [ignore | require]
	    proxy-ssl [disabled | enabled]
	    proxy-ssl-passthrough [disabled | enabled]
	    renegotiate-period [indefinite | [integer] ]
	    renegotiate-size [indefinite | [integer] ]
	    renegotiation [disabled | enabled]
	    retain-certificate [true | false]
	    revoked-cert-status-response-control [drop | ignore | mask]
	    secure-renegotiation [request | require | require-strict]
	    server-name [name]
	    session-mirroring [disabled | enabled]
	    session-ticket [disabled | enabled]
	    generic-alert [disabled | enabled]
	    sni-default [true | false]
	    sni-require [true | false]
	    ssl-c3d [disabled | enabled]
	    ssl-forward-proxy [disabled | enabled]
	    ssl-forward-proxy-bypass [disabled | enabled]
	    ssl-forward-proxy-verified-handshake [disabled | enabled]
	    ssl-sign-hash [any | sha1 | sha256 | sha384]
	    strict-resume [disabled | enabled]
	    unclean-shutdown [disabled | enabled]
	    data-0rtt [disabled | enabled]
	    unknown-cert-status-response-control [ignore | drop | mask]
	    untrusted-cert-response-control [drop | ignore | mask]

	edit server-ssl [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    non-default-properties

	mv server-ssl [ [[source-name] [destination-name]] | [[name] to-folder [folder-name]] | [[name...name] to-folder [folder-name]] ]
	  options:
	    to-folder

	reset-stats server-ssl
	reset-stats server-ssl [ [ [name] | [glob] | [regex] ] ... ]

   DISPLAY
	list server-ssl
	list server-ssl [ [ [name] | [glob] | [regex] ] ... ]
	show running-config server-ssl
	show running-config server-ssl
	  [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    non-default-properties
	    one-line
	    partition

	show server-ssl
	show server-ssl [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    (default | exa | gig | kil | meg | peta | raw | tera | yotta | zetta)
	    global

   DELETE
	delete server-ssl [all | [name]]
	  options:
	    recursive

DESCRIPTION
       You can use the server-ssl component to manage a server SSL profile.

       Server-side profiles enable the traffic management system to handle encryption tasks for any SSL connection being sent from
       a local traffic management system to a target server. A server-side SSL profile acts as a client by presenting certificate
       credentials to a server when authentication of the local traffic management system is required. You implement this type of
       profile by using the default profile, or by creating a custom profile based on the Server SSL profile template and
       modifying its settings.

EXAMPLES
       create server-ssl my_serverssl_profile defaults-from serverssl

       Creates a custom Server SSL profile named my_serverssl_profile that inherits its settings from the system default profile
       serverssl.

       list server-ssl all-properties

       Displays all properties for all Server SSL profiles.

       mv server-ssl /Common/my_serverssl_profile to-folder /Common/my_folder

       Moves a custom server-ssl profile named my_serverssl_profile to a folder named my_folder, where my_folder has already been
       created and exists within /Common.

OPTIONS
       app-service
	    Specifies the name of the application service to which the profile belongs. The default value is none. Note: If the
	    strict-updates option is enabled on the application service that owns the object, you cannot modify or delete the
	    profile. Only the application service can modify or delete the profile.

       alert-timeout
	    Specifies the maximum time period in seconds to keep the SSL session active after an alert message is sent, or
	    indefinite. The default value is indefinite.

       allow-expired-crl
	    Use the specified CRL file even if it has expired. The default value is disabled.

       authenticate
	    Specifies the frequency of authentication. The default value is once. Note that if this is set to always, the session
	    cache and session ticket are disabled.

       authenticate-depth
	    Specifies the client certificate chain maximum traversal depth. The default value is 9.

       authenticate-name
	    Specifies a Common Name (CN) that is embedded in a server certificate. The system authenticates a server based on the
	    specified CN. The default value is none.

       bypass-on-client-cert-fail
	    Enables or disables SSL forward proxy bypass when the client certificate that the server asks for cannot be obtained.
	    When enabled and the SSL handshake cannot be completed because the client certificate could not be obtained, SSL
	    traffic bypasses the BIG-IP system untouched, without decryption or encryption. The default value is disabled.
	    Conversely, you can specify enabled to use this feature.

       bypass-on-handshake-alert
	    Enables or disables SSL forward proxy bypass on receiving a handshake_failure, protocol_version or unsupported_extension
	    alert message during the server-side SSL handshake. When enabled and there is an SSL handshake_failure,
	    protocol_version or unsupported_extension alert during the server-side SSL handshake, SSL traffic bypasses the BIG-IP
	    system untouched, without decryption or encryption. The default value is disabled. Conversely, you can specify enabled
	    to use this feature.

       c3d-ca-cert
	    Specifies the name of the certificate file that is used as the certification authority certificate when SSL client
	    certificate constrained delegation is enabled. The certificate should be generated and installed by you on the system.
	    When selecting this option, type a certificate file name.

       c3d-ca-key
	    Specifies the name of the key file that is used as the certification authority key when SSL client certificate
	    constrained delegation is enabled. The key should be generated and installed by you on the system. When selecting this
	    option, type a key file name.

       c3d-ca-passphrase
	    Specifies the passphrase of the key file that is used as the certification authority key when SSL client certificate
	    constrained delegation is enabled. When selecting this option, type the passphrase corresponding to the selected
	    c3d-ca-key.

       c3d-cert-extension-custom-oids
	    Specifies the custom extension OID of the client certificates to be included in the generated certificates using SSL
	    client certificate constrained delegation.

       c3d-cert-extension-includes
	    Specifies the extensions of the client certificates to be included in the generated certificates using SSL client
	    certificate constrained delegation. For example, { basic-constraints }. The default value is { basic-constraints
	    extended-key-usage key-usage subject-alternative-name }. The extensions are:

	    basic-constraints
		 Basic constraints are used to indicate whether the certificate belongs to a CA.

	    extended-key-usage
		 Extended Key Usage is used, typically on a leaf certificate, to indicate the purpose of the public key contained
		 in the certificate.

	    key-usage
		 Key Usage provides a bitmap specifying the cryptographic operations which may be performed using the public key
		 contained in the certificate; for example, it could indicate that the key should be used for signature but not
		 for encipherment.

	    subject-alternative-name
		 Subject Alternative Name allows identities to be bound to the subject of the certificate. These identities may be
		 included in addition to or in place of the identity in the subject field of the certificate.

       c3d-cert-lifespan
	    Specifies the lifespan of the certificate generated using the SSL client certificate constrained delegation. The
	    default value is 24.

       ca-file
	    Specifies the certificate authority file name. Configures certificate verification by specifying a list of client or
	    server CAs that the traffic management system trusts. The default value is none.

       cache-size
	    Specifies the SSL session cache size. For client profiles only, you can configure timeout and size values for the SSL
	    session cache. Because each profile maintains a separate SSL session cache, you can configure the values on a per-
	    profile basis. The default value is 262144.

       cache-timeout
	    Specifies the SSL session cache timeout value, which is the usable lifetime seconds of negotiated SSL session IDs. The
	    default value is 3600 seconds. Acceptable values are integers greater than or equal to 0 and less than or equal to
	    86400.

       cert Specifies the name of the certificate installed on the traffic management system for the purpose of terminating or
	    initiating an SSL connection. The default value is none.

       chain
	    Specifies or builds a certificate chain file that a client can use to authenticate the profile. The default value is
	    none.

       cipher-group
	    Specifies a cipher group. If the cipher group is not blank or none, the ciphers string will be used.

       ciphers
	    Specifies a cipher name. The default value is DEFAULT.

       crl  Specifies the name of the CRL validator used to validate the status of the server certificate. Specifying none disables
	    CRL validation of the server certificate. The default value is none.

       crl-file
	    Specifies the certificate revocation list file name. The default value is none.

       defaults-from
	    Specifies the profile that you want to use as the parent profile. Your new profile inherits all settings and values
	    from the parent profile specified. The default value is serverssl.

       description
	    User defined description.

       expire-cert-response-control
	    Specifies the BIG-IP action when the server certificate has expired. The default value is drop, which causes the
	    connection to be dropped. Conversely, you can specify ignore to cause the connection to ignore the error and continue,
	    or, in the case of SSL forward proxy, you can specify mask to mask server certificate errors, continue with the
	    handshake, and forge a good certificate on the client side.

       glob Displays the items that match the glob expression. See help glob for a description of glob expression syntax.

       handshake-timeout
	    Specifies the handshake timeout in seconds. The default value is 10.

       key  Specifies the key file name. Specifies the name of the key installed on the traffic management system for the purpose
	    of terminating or initiating an SSL connection. The default value is none.

       log-publisher
	    Specifies the name of the log publisher that logs translation events. See help sys log-config for more details on the
	    logging sub-system. Use the "sys log-config publisher" component to set up a log publisher.

       mod-ssl-methods
	    Enables or disables ModSSL methods. The default value is disabled.

	    Enable this option when OpenSSL methods are inadequate. For example, you can enable ModSSL method emulation when you
	    want to use SSL compression over TLSv1.

       mode Enables or disables SSL processing. The default value is enabled.

       name Specifies a unique name for the component. This option is required for the commands create, delete, and modify.

       ocsp Specifies the name of the OCSP profile used to validate the status of the server certificate. Specifying none disables
	    OCSP validation of the server certificate. The default value is none.

       options
	    Enables options, including some industry-related workarounds. Enter options inside braces, for example, {
	    dont-insert-empty-fragments}. The default value is dont-insert-empty-fragments no-tlsv1.3.

	    dont-insert-empty-fragments
		 Disables a countermeasure against a SSL 3.0/TLS 1.0 protocol vulnerability affecting CBC ciphers. These ciphers
		 cannot be handled by certain broken SSL implementations. This option has no effect for connections using other
		 ciphers.

	    max-active-handshakes
		 Specifies the maximum number of active SSL handshakes allowed. The default value is 0.

	    no-session-resumption-on-renegotiation
		 When performing renegotiation as an SSL server, this option always starts a new session (that is, session
		 resumption requests are accepted only in the initial handshake). The system ignores this option for server-side
		 SSL.

	    gmsslv1.1
		 Enable GMSSLv1.1 protocol.

	    no-ssl
		 Do not use any version of the SSL protocol.

	    no-sslv3
		 Do not use the SSLv3 protocol.

	    no-tls
		 Do not use any version of the TLS protocol.

	    no-tlsv1
		 Do not use the TLSv1.0 protocol.

	    no-tlsv1.1
		 Do not use the TLSv1.1 protocol.

	    no-tlsv1.2
		 Do not use the TLSv1.2 protocol.

	    no-tlsv1.3
		 Do not use the TLSv1.3 protocol. Note that this is for future expansion.  Currently TLSv1.3 has not been
		 implemented for server side SSL, so removing this will have no effect and log a warning message.

	    no-dtls
		 Do not use any version of the DTLS protocol.

	    no-dtlsv1.0
		 Do not use the DTLSv1.0 protocol.

	    no-dtlsv1.2
		 Do not use the DTLSv1.2 protocol.

	    passive-close
		 Specifies how to handle passive closes.

	    none Disables all workarounds. Note that F5 Networks does not recommend this option.

	    single-dh-use
		 Creates a new key when using temporary/ephemeral DH parameters. This option must be used to prevent small
		 subgroup attacks when the DH parameters were not generated using strong primes (for example, when using DSA
		 parameters). If strong primes were used, it is not strictly necessary to generate a new DH key during each
		 handshake, but F5 Networks recommends it. Enable the Single DH Use option whenever temporary or ephemeral DH
		 parameters are used.

	    tls-rollback-bug
		 Disables version rollback attack detection. During the client key exchange, the client must send the same
		 information about acceptable SSL/TLS protocol levels as it sends during the first hello. Some clients violate
		 this rule by adapting to the server's answer. For example, the client sends an SSLv2 hello and accepts up to
		 SSLv3.1 (TLSv1), but the server only processes up to SSLv3. In this case, the client must still use the same
		 SSLv3.1 (TLSv1) announcement. Some clients step down to SSLv3 with respect to the server's answer and violate the
		 version rollback protection. The system ignores this option for server-side SSL.

       partition
	    Displays the administrative partition within which the component resides.

       passphrase
	    Specifies the key passphrase, if required. The default value is none.

       peer-cert-mode
	    Specifies the peer certificate mode. The default value is ignore.

       proxy-ssl
	    Enabling this option requires a corresponding Client SSL profile with proxy-ssl enabled to perform transparent SSL
	    decryption. This feature allows further modification of application traffic within an SSL tunnel while still allowing
	    the server to perform the necessary authorization, authentication, and auditing steps.

       proxy-ssl-passthrough
	    Enabling this option requires a corresponding Client SSL profile with proxy-ssl-passthrough enabled. This allows Proxy
	    SSL to pass the traffic through when the cipher suite negotiated between the client and server is not supported. The
	    default option is disabled.

       regex
	    Displays the items that match the regular expression. The regular expression must be preceded by an at sign (@[regular
	    expression]) to indicate that the identifier is a regular expression. See help regex for a description of regular
	    expression syntax.

       renegotiate-period
	    Specifies the number of seconds from the initial connect time after which the system renegotiates an SSL session. The
	    default value is indefinite, which means that you do not want the system to renegotiate SSL sessions.

	    Each time the session renegotiation is successful, a new connection is started. Therefore, the system attempts to
	    renegotiate the session again, in the specified amount of time following a successful session renegotiation. For
	    example, setting the renegotiate-period option to 3600 seconds triggers session renegotiation at least once an hour.

       renegotiate-size
	    Specifies a throughput size, in megabytes, of SSL renegotiation. This option forces the traffic management system to
	    renegotiate an SSL session based on the size, in megabytes, of application data that is transmitted over the secure
	    channel. The default value is indefinite, which specifies that you do not want a throughput size.

       renegotiation
	    Specifies whether renegotiations are enabled. The default value is enabled.  When renegotiations are disabled, the
	    system is acting as an SSL server, and a COMPAT or NATIVE cipher is negotiated, the system will abort the connection.
	    Additionally, when renegotiations are disabled and the system is acting as an SSL client, the system will ignore the
	    server's HelloRequest messages.

       retain-certificate
	    The APM module requires the certificate to be stored in the SSL session. When set to false, the certificate is not
	    stored in the SSL session. The default value is true.

       revoked-cert-status-response-control
	    Specifies the BIG-IP action when the server certificate status is revoked. The default value is drop, which causes the
	    connection to be dropped. You can specify ignore to cause the connection to ignore the error and continue the handshake.
	    In the case of SSL forward proxy, you can specify mask to mask the server certificate status error and continue the
	    handshake.

       generic-alert
	    Enables or disables generic-alert. The default option is enabled, which causes the SSL profile to use a generic alert
	    number. Conversely, you can specify disabled to cause the SSL profile to strictly use the alert numbers defined in
	    RFC 5246/RFC 6066.

       secure-renegotiation
	    Specifies the secure renegotiation mode. The default value is require-strict. When secure renegotiation is set to
	    require, any connection to an unpatched server will be aborted. For server-ssl, there is no difference between require
	    and require-strict secure renegotiation. When secure renegotiation is set to request, connections to unpatched servers
	    will be permitted. This setting, however, is NOT recommended, as it is subject to active man-in-the-middle attacks.

       server-name
	    Specifies the server name to be included in SNI (server name indication) extension during SSL handshake in
	    ClientHello.

       session-mirroring
	    Enables or disables the mirroring of sessions to the high availability peer. By default, this setting is disabled,
	    which causes the system not to mirror SSL sessions.

       session-ticket
	    Enables or disables session-ticket. The default option is disabled, which causes the SSL profile not to use session
	    tickets per RFC 5077. Conversely, you can specify enabled to cause the SSL profile to use session tickets per RFC 5077.

       sni-default
	    When true, this profile is the default SSL profile when the server name in a client connection does not match any
	    configured server names, or a client connection does not specify any server name at all.

       sni-require
	    When this option is enabled, connections to a server that does not support the SNI extension will be rejected.

       ssl-c3d
	    Enables or disables SSL Client certificate constrained delegation. The default option is disabled. Conversely, you can
	    specify enabled to use the SSL client certificate constrained delegation.

       ssl-forward-proxy
	    Enables or disables ssl-forward-proxy feature. The default option is disabled. Conversely, you can specify enabled to
	    use the SSL Forward Proxy Feature.

       ssl-sign-hash
	    Specifies SSL sign hash algorithm which is used to sign and verify SSL Server Key Exchange and Certificate Verify
	    messages for the specified SSL profiles. The default value is sha1.

       ssl-forward-proxy-bypass
	    Enables or disables ssl-forward-proxy-bypass feature. The default option is disabled. Conversely, you can specify
	    enabled to use the SSL Forward Proxy Bypass Feature.

       ssl-forward-proxy-verified-handshake
	    Specifies, when enabled, that in SSL forward proxy mode, the system should always do a TLS handshake with the server
	    first before doing the client handshake. When disabled, the system will do the server handshake first only if it has
	    not previously forged and cached the server certificate; once the server certificate is ready, the system will always
	    handshake first with the client. The default value is disabled.

       strict-resume
	    Enables or disables the resumption of SSL sessions after an unclean shutdown. The default value is disabled, which
	    indicates that the SSL profile refuses to resume SSL sessions after an unclean shutdown.

       to-folder
	    server-ssl profiles can be moved to any folder under /Common, but configuration dependencies may restrict moving the
	    profile out of /Common.

       unclean-shutdown
	    Specifies, when enabled, that the SSL profile performs unclean shutdowns of all SSL connections, which means that
	    underlying TCP connections are closed without exchanging the required SSL shutdown alerts. If you want to force the
	    SSL profile to perform a clean shutdown of all SSL connections, you can disable this option.

       unknown-cert-status-response-control
	    Specifies the BIG-IP action when the server certificate status is unknown. The default value is ignore, which causes
	    the connection to ignore the error and continue the handshake. You can specify drop, which causes the connection to be
	    dropped. In the case of SSL forward proxy, you can specify mask to mask the server certificate status error and
	    continue the handshake.

       untrusted-cert-response-control
	    Specifies the BIG-IP action when the server certificate has an untrusted CA. The default value is drop, which causes
	    the connection to be dropped. Conversely, you can specify ignore to cause the connection to ignore the error and
	    continue, or, in the case of SSL forward proxy, you can specify mask to mask server certificate errors, continue with
	    the handshake, and forge a good certificate on the client side.

       data-0rtt
	    Specifies if TLSv1.3 should send 0-RTT early data when available. The default value is disabled.
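       Several of the options above (peer-cert-mode, secure-renegotiation, the expire/untrusted-cert-response-control settings,
       ssl-sign-hash, ca-file and the no-* protocol entries under options) decide whether the BIG-IP actually verifies the server
       it connects to. The following is an added example, not part of this man page or of F5's tooling: it parses the brace-format
       text that "list ltm profile server-ssl" prints, flags settings that leave server verification off or legacy protocol
       versions on, and builds the corresponding modify command. The sample profile text, the check table and the CA bundle path
       /Common/TRUSTED_CA_BUNDLE are constructed for the example.

```python
"""Audit tmsh 'list ltm profile server-ssl' output for weak settings (added example)."""
import re
from typing import Dict, List, Tuple, Union

Value = Union[str, List[str]]
Finding = Tuple[str, str, str, str]  # option, current value, recommended value, reason
HEADER = re.compile(r"^ltm profile server-ssl (\S+) \{$")

# Constructed sample in the brace format tmsh prints; not output from a real device.
SAMPLE = """\
ltm profile server-ssl /Common/legacy_backend {
    ca-file none
    expire-cert-response-control ignore
    options { dont-insert-empty-fragments no-tlsv1.3 }
    peer-cert-mode ignore
    secure-renegotiation request
    ssl-sign-hash sha1
    untrusted-cert-response-control ignore
}
"""

# Weak value, recommended value and reason, taken from the man page's description of each option.
SCALAR_CHECKS: List[Finding] = [
    ("peer-cert-mode", "ignore", "require", "server certificate not verified"),
    ("secure-renegotiation", "request", "require-strict",
     "unpatched servers permitted; open to active man-in-the-middle"),
    ("expire-cert-response-control", "ignore", "drop", "expired server certificate accepted"),
    ("untrusted-cert-response-control", "ignore", "drop", "untrusted CA accepted"),
    ("ssl-sign-hash", "sha1", "sha256", "SHA-1 used to sign ServerKeyExchange/CertificateVerify"),
]
REQUIRED_OPTS = ["no-sslv3", "no-tlsv1", "no-tlsv1.1"]  # legacy versions that should be disabled


def parse_profiles(text: str) -> Dict[str, Dict[str, Value]]:
    """Parse one-level tmsh brace output into {profile name: {option: value}}."""
    profiles: Dict[str, Dict[str, Value]] = {}
    current: Dict[str, Value] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = profiles.setdefault(m.group(1), {})
        elif line and line != "}":
            key, _, rest = line.partition(" ")
            # A brace list such as "options { a b }" becomes a Python list of its members.
            current[key] = rest.strip("{} ").split() if rest.startswith("{") else rest
    return profiles


def audit(profile: Dict[str, Value]) -> List[Finding]:
    """Return one finding per weak setting in a parsed profile (empty list if hardened)."""
    findings = [c for c in SCALAR_CHECKS if profile.get(c[0]) == c[1]]
    if profile.get("ca-file", "none") == "none":
        findings.append(("ca-file", "none", "/Common/TRUSTED_CA_BUNDLE",  # placeholder path
                         "no trusted CA list, so peer-cert-mode require has nothing to verify against"))
    opts = profile.get("options") or []
    opts = [] if opts == "none" else list(opts)
    have = set(opts) | ({"no-sslv3"} if "no-ssl" in opts else set())  # no-ssl covers SSLv3
    missing = [o for o in REQUIRED_OPTS if o not in have]
    if missing:
        findings.append(("options", " ".join(opts) or "none", " ".join(opts + missing),
                         "legacy protocol versions still enabled: " + ", ".join(missing)))
    return findings


def remediation(name: str, findings: List[Finding]) -> str:
    """Build the tmsh modify command that applies every recommended value at once."""
    parts = [f"{o} {{ {v} }}" if o == "options" else f"{o} {v}" for o, _, v, _ in findings]
    return f"modify ltm profile server-ssl {name} " + " ".join(parts)


if __name__ == "__main__":
    for name, prof in parse_profiles(SAMPLE).items():
        for opt, cur, good, why in audit(prof):
            print(f"{name}: {opt}={cur} -> {good} ({why})")
        print(remediation(name, audit(prof)))
```

       The options value in the generated command is the full replacement set, so the entries the profile already had are
       carried over alongside the added no-* entries.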

SEE ALSO
       create, delete, edit, glob, list, ltm profile client-ssl, ltm virtual, modify, mv, regex, show, tmsh

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or by any means, electronic or mechanical, including
       photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's personal
       use, without the express written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2008-2013, 2015-2016. All rights reserved.

BIG-IP							    2020-06-25					 ltm profile server-ssl(1)