ltm profile client-sslΒΆ

ltm profile client-ssl(1)     BIG-IP TMSH Manual     ltm profile client-ssl(1)



NAME
       client-ssl - Configures a Client SSL profile.

MODULE
       ltm profile

SYNTAX
       Configure the client-ssl component within the ltm.profile module using
       the syntax shown in the following sections.

   CREATE/MODIFY
	create client-ssl [name]
	modify client-ssl [name]
	  options:
	    alert-timeout [indefinite | [integer] ]
	    allow-non-ssl [disabled | enabled]
	    allow-dynamic-record-sizing [disabled | enabled]
	    app-service [[string] | none]
	    authenticate [always | once]
	    authenticate-depth [integer]
	    bypass-on-client-cert-fail [disabled | enabled]
	    bypass-on-handshake-alert [disabled | enabled]
	    ca-file [name]
	    cache-size [integer]
	    cache-timeout [integer]
	    cert [name]
	    cert-extension-includes {
	      none |
	      [ authority-key-identifier basic-constraints
		certificate-policies crl-distribution-points
		extended-key-usage fresh-crl issuer-alternative-name
		key-usage  subject-alternative-name
		subject-directory-attribute subject-key-identifier
	      ]...
	    }
	    cert-key-chain [add | delete | modify | replace-all-with] {
	       [ [name] ] {
		 options:
		   cert [name | none]
		   chain [name | none]
		   key [name]
		   passphrase [none | [string] ]
	       }
	    }
	    cert-lifespan [integer]
	    cert-lookup-by-ipaddr-port [disabled | enabled]
	    chain [name | none]
	    cipher-group [name | none]
	    ciphers [name | none]
	    client-cert-ca [name | none]
	    crl-file [name]
	    allow-expired-crl [enabled | disabled]
	    defaults-from [clientssl | [name] ]
	    description [string]
	    destination-ip-blacklist [name]
	    destination-ip-whitelist [name]
	    forward-proxy-bypass-default-action [intercept | bypass]
	    handshake-timeout [indefinite | [integer] ]
	    hostname-blacklist [name]
	    hostname-whitelist [name]
	    key [ [name] | none]
	    maximum-record-size [integer]
	    mod-ssl-methods [disabled | enabled]
	    mode [disabled | enabled]
	    notify-cert-status-to-virtual-server [disabled | enabled]
	    ocsp-stapling [disabled | enabled]
	    options {
	      none |
	      [ all-bugfixes cipher-server-preference
		dont-insert-empty-fragments ephemeral-rsa
		microsoft-big-sslv3-buffer microsoft-sess-id-bug
		msie-sslv2-rsa-padding netscape-ca-dn-bug
		netscape-challenge-bug netscape-demo-cipher-change-bug
		netscape-reuse-cipher-change-bug no-dtls
		no-session-resumption-on-renegotiation no-ssl no-sslv2 no-sslv3
		no-tls no-tlsv1 no-tlsv1.1 no-tlsv1.2 passive-close
		pkcs1-check-1 pkcs1-check-2 single-dh-use ssleay-080-client-dh-bug
		sslref2-reuse-cert-type-bug tls-block-padding-bug tls-d5-bug
		tls-rollback-bug ]...
	    }
	    passphrase [none | [string] ]
	    peer-cert-mode [auto | ignore | request | require]
	    peer-no-renegotiate-timeout [indefinite | [integer] ]
	    proxy-ssl [disabled | enabled]
	    proxy-ssl-passthrough [disabled | enabled]
	    proxy-ca-cert [name]
	    proxy-ca-key [name]
	    proxy-ca-lifespan [integer]
	    proxy-ca-passphrase [string]
	    renegotiate-max-record-delay [indefinite | [integer] ]
	    renegotiate-period [indefinite | [integer] ]
	    renegotiate-size [indefinite | [integer] ]
	    renegotiation [disabled | enabled]
	    retain-certificate [true | false]
	    secure-renegotiation [request | require | require-strict]
	    max-renegotiations-per-minute [integer]
	    max-aggregate-renegotiation-per-minute [integer]
	    server-name [name]
	    session-mirroring [disabled | enabled]
	    session-ticket [disabled | enabled]
	    session-ticket-timeout [integer]
	    sni-default [true | false]
	    sni-require [true | false]
	    source-ip-blacklist [name]
	    source-ip-whitelist [name]
	    ssl-forward-proxy [disabled | enabled]
	    ssl-forward-proxy-bypass [disabled | enabled]
	    strict-resume [disabled | enabled]
	    unclean-shutdown [disabled | enabled]
	    generic-alert [disabled | enabled]
	    ssl-sign-hash [any | sha1 | sha256 | sha384]
	    max-active-handshakes [integer]

	edit client-ssl [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    non-default-properties

	  options:
	mv client-ssl [ [[source-name] [destination-name]] | [[name] to-folder [folder-name]] | [[name...name] to-folder [folder-name]] ]
	    to-folder

	reset-stats client-ssl
	reset-stats client-ssl [ [ [name] | [glob] | [regex] ] ... ]

   DISPLAY
	list client-ssl
	list client-ssl [ [ [name] | [glob] | [regex] ] ... ]
	show running-config client-ssl
	show running-config client-ssl [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    inherit-certkeychain
	    non-default-properties
	    one-line
	    partition

	show client-ssl
	show client-ssl [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    (default | exa | gig | kil | meg | peta | raw | tera | yotta | zetta)
	    field-fmt
	    global

   DELETE
	delete client-ssl [all | [name]]
	  options:
	    recursive

DESCRIPTION
       You can use the client-ssl component to create, modify, or delete a
       custom Client SSL profile, or  display a custom or default Client SSL
       profile.

       Client-side profiles allow the traffic management system to handle
       authentication and encryption tasks for any SSL connection coming into
       a traffic management system from a client system.

EXAMPLES
       create client-ssl my_clientssl_profile

       Creates a clientssl profile named my_clientssl_profile using the system
       defaults.

       create clientssl my_clientssl_profile authenticate-depth number

       Creates a Client SSL profile named my_clientssl_profile using the
       system defaults, except that a user is authenticated with depth number.

       mv client-ssl /Common/my_client-ssl_profile to-folder /Common/my_folder

       Moves a custom client-ssl profile named my_client-ssl_profile to a
       folder named my_folder, where my_folder has already been created and
       exists within /Common.  =head1 OPTIONS

       alert-timeout
	    Specifies the maximum time period in seconds to keep the SSL
	    session active after alert message is sent, or indefinite. The
	    default value is indefinite.

       allow-non-ssl
	    Enables or disables non-SSL connections. Specify enabled when you
	    want non-SSL connections to pass through the traffic management
	    system as clear text. The default value is disabled.

       allow-dynamic-record-sizing
	    Enables or disables dynamic application record sizing. Specify
	    enabled when you want to allow dynamic record sizing. The default
	    value is disabled.

       app-service
	    Specifies the name of the application service to which the profile
	    belongs. The default value is none. Note: If the strict-updates
	    option is enabled on the application service that owns the object,
	    you cannot modify or delete the profile. Only the application
	    service can modify or delete the profile.

       authenticate
	    Specifies how often the system authenticates a user. The default
	    value is once.

       authenticate-depth
	    Specifies the authenticate depth. This is the client certificate
	    chain maximum traversal depth. The default value is 9.

       bypass-on-client-cert-fail
	    Enables or disables SSL forward proxy bypass on failing to get
	    client certificate that server asks for. When enabled and the SSL
	    handshake cannot be completed because of failure to get the client
	    certificate, SSL traffic bypasses the BIG-IP system untouched,
	    without decryption/encryption. The default value is disabled.
	    Conversely, you can specify enabled to use this feature.

       bypass-on-handshake-alert
	    Enables or disables SSL forward proxy bypass on receiving
	    handshake_failure, protocol_version or unsupported_extension alert
	    message during the serverside SSL handshake. When enabled and
	    there is an SSL handshake_failure, protocol_version or
	    unsupported_extension alert during the serverside SSL handshake,
	    SSL traffic bypasses the BIG-IP system untouched, without
	    decryption/encryption. The default value is disabled. Conversely,
	    you can specify enabled to use this feature.

       ca-file
	    Specifies the certificate authority (CA) file name. Configures
	    certificate verification by specifying a list of client or server
	    CAs that the traffic management system trusts. The default value
	    is none.

       cache-size
	    Specifies the SSL session cache size. For client-side profiles
	    only, you can configure timeout and size values for the SSL
	    session cache. Because each profile maintains a separate SSL
	    session cache, you can configure the values on a per-profile
	    basis. The default value is 262144.

       cache-timeout
	    Specifies the SSL session cache timeout value. This specifies the
	    number of usable lifetime seconds of negotiated SSL session IDs.
	    The default value is 3600 seconds. Acceptable values are integers
	    greater than or equal to 0 and less than or equal to 86400.

       cert This option is deprecated and is maintained here for backward
	    compatibility reasons. Please check cert-key-chain option to add
	    certificate, key, passphrase and chain to the profile.

       cert-extension-includes
	    Specifies the extensions of the web server certificates to be
	    included in the generated certificates using SSL Forward Proxy.
	    For example, { basic-constraints }. The default value is none. The
	    extensions are:

	    authority-key-identifier
		 Authority Key Identifier provides a means of identifying the
		 public key corresponding to the private key used to sign a
		 certificate.

	    basic-constraints
		 Basic Constraints are used to indicate whether the
		 certificate belongs to a CA.

	    certificate-policies
		 Certificate Policies contain a sequence of one or more policy
		 information terms.

	    crl-distribution-points
		 CRL Distribution Points identify how CRL information is
		 obtained.

	    destination-ip-blacklist
		 Specifies the data group name of destination ip blacklist
		 when SSL forward proxy bypass feature is enabled.

	    destination-ip-whitelist
		 Specifies the data group name of destination ip whitelist
		 when SSL forward proxy bypass feature is enabled.

	    extended-key-usage
		 Extended Key Usage is used, typically on a leaf certificate,
		 to indicate the purpose of the public key contained in the
		 certificate.

	    forward-proxy-bypass-default-action
		 Specifies the SSL forward proxy bypass default action. The
		 default option is intercept.

	    fresh-crl
		 Fresh CRL (a.k.a Delta CRL Distribution Point) identifies how
		 delta CRL information is obtained.

	    hostname-blacklist
		 Specifies the data group name of hostname blacklist when SSL
		 forward proxy bypass feature is enabled.

	    hostname-whitelist
		 Specifies the data group name of hostname whitelist when SSL
		 forward proxy bypass feature is enabled.

	    inherit-certkeychain
		 This is read only value used internally.

	    issuer-alternative-name
		 As with subject-alternative-name,  Issuer Alternative Name is
		 used to associate Internet style identities with the
		 certificate issuer.

	    key-usage
		 Key Usage provides a bitmap specifying the cryptographic
		 operations which may be performed using the public key
		 contained in the certificate; for example, it could indicate
		 that the key should be used for signature but not for
		 encipherment.

	    subject-alternative-name
		 Subject Alternative Name allows identities to be bound to the
		 subject of the certificate. These identities may be included
		 in addition to or in place of the identity in the subject
		 field of the certificate.

	    subject-directory-attributes
		 Subject Directory Attributes are used to convey
		 identification attributes (for example, nationality) of the
		 subject.

	    subject-key-identifier
		 Subject Key Identifier provides a means of identifying
		 certificates that contains a particular public key.

       cert-key-chain
	    Adds, deletes, or replaces a set of certificate, key, passphrase,
	    chain. client-ssl profile requires at least one cert/key pair to
	    work. Multiple cert/key types can be associated to a client-ssl
	    profile using following options:

	    cert Specifies the name of the certificate installed on the
		 traffic management system for the purpose of terminating or
		 initiating an SSL connection. You can specify the default
		 certificate name, which is default.crt.

	    chain
		 Specifies or builds a certificate chain file that a client
		 can use to authenticate the profile. The default value is
		 none.

	    key  Specifies the name of a key file that you generated and
		 installed on the system. When selecting this option, type a
		 key file name or use the default value default.key.

	    passphrase
		 Specifies the key passphrase, if required. The default value
		 is none.

       cert-lifespan
	    Specifies the lifespan of the certificate generated using the SSL
	    forward proxy feature. The default value is 30.

       cert-lookup-by-ipaddr-port
	    Specifies whether to perform certificate look up by IP address and
	    port number.

       chain
	    This option is deprecated and is maintained here for backward
	    compatibility reasons. Please check cert-key-chain option to add
	    certificate, key, passphrase and chain to the profile.

       cipher-group
	    Specifies a cipher group. If the cipher group is not blank or
	    none, the ciphers string will be used.

       ciphers
	    Specifies a cipher name. The default value is DEFAULT, which uses
	    the default ciphers.

       client-cert-ca
	    Specifies the client cert certificate authority name. The default
	    value is none.

       crl-file
	    Specifies the certificate revocation list file name. The default
	    value is none.

       allow-expired-crl
	    Use the specified CRL file even if it has expired. The default
	    value is disabled.

       defaults-from
	    This setting specifies the profile that you want to use as the
	    parent profile. Your new profile inherits all settings and values
	    from the parent profile specified. The default value is clientssl.

       description
	    User defined description.

       glob Displays the items that match the glob expression. See help glob
	    for a description of glob expression syntax.

       handshake-timeout
	    Specifies the handshake timeout in seconds. The default value is
	    10 seconds.

       key  This option is deprecated and is maintained here for backward
	    compatibility reasons. Please check cert-key-chain option to add
	    certificate, key, passphrase and chain to the profile.

       maximum-record-size
	    Specifies the profile's maximum record size. The range is 128 -
	    16384. The default value is 16384.

       mod-ssl-methods
	    Enables or disables ModSSL method emulation. Enable this option
	    when OpenSSL methods are inadequate, for example, when you want to
	    use SSL compression over TLSv1. The default value is disabled.

       mode Specifies the profile mode, which enables or disables SSL
	    processing. The default value is enabled.

       name Specifies a unique name for the component. This option is required
	    for the commands create, delete, and modify.

       options
	    Enables options, including some industry-related workarounds.
	    Enter options inside braces, for example,
	    {dont-insert-empty-fragments microsoft-sess-id-bug}.

	    The default value is dont-insert-empty-fragments. The options are:

	    all-bugfixes
		 This option enables the following industry-related defect
		 workarounds: microsoft-sess-id-bug, netscape-challenge-bug,
		 netscape-reuse-cipher-change-bug,
		 sslref2-reuse-cert-type-bug, microsoft-big-sslv3-buffer,
		 msie-sslv2-rsa-padding, ssleay-080-client-dh-bug, tls-d5-bug,
		 tls-block-padding-bug, and dont-insert-empty-fragments.

		 It is usually safe to use this option to enable the defect
		 workaround options when compatibility with broken
		 implementations is desired. It is usually safe to use this
		 option to enable the defect workaround options when
		 compatibility with broken implementations is desired. Note
		 that if you edit the configuration in the Web-based
		 configuration utility, the system expands the all-bugfixes
		 syntax into each individual option.

	    cipher-server-preference
		 When choosing a cipher, this option uses the server's
		 preferences instead of the client references. If this option
		 was not set, the SSL server would follow the client's
		 references. When this option is set, the SSLv3/TLSv1 server
		 chooses by using its own references.

		 Note:	This option has no effect. The BIG-IP system always
		 behaves as if the option is active, even when you disable it.

	    dont-insert-empty-fragments
		 Disables a countermeasure against an SSL 3.0/TLS 1.0 protocol
		 vulnerability affecting CBC ciphers. These ciphers cannot be
		 handled by certain broken SSL implementations. This option
		 has no effect for connections using other ciphers.

	    ephemeral-rsa
		 Uses ephemeral (temporary) RSA keys when doing RSA
		 operations. According to the specifications, this is done
		 only when an RSA key can be used for signature operations
		 only (namely under export ciphers with restricted RSA key
		 length). By setting this option, you specify that you want to
		 use ephemeral RSA keys always. This option breaks
		 compatibility with the SSL/TLS specifications and may lead to
		 interoperability problems with clients. Therefore, F5
		 Networks does not recommend this option. Use ciphers with
		 ephemeral Diffie-Hellman (EDH) key exchange instead. This
		 option is ignored for server-side SSL.

	    microsoft-big-sslv3-buffer
		 Enables a workaround for communicating with older
		 Microsoft(r) applications that use non-standard SSL record
		 sizes.

	    microsoft-sess-id-bug
		 Handles a Microsoft session ID problem.

	    msie-sslv2-rsa-padding
		 Enables a workaround for communicating with older Microsoft
		 applications that use non-standard RSA key padding. This
		 option is ignored for server-side SSL.

	    netscape-ca-dn-bug
		 Handles a defect regarding the system crashing or hanging. If
		 the system accepts a Netscape Navigator(r) browser
		 connection, demands a client cert, has a non-self-signed CA
		 that does not have its CA in Netscape, and the browser has a
		 certificate, the system crashes or hangs.

	    netscape-challenge-bug
		 Handles the Netscape challenge problem.

	    netscape-demo-cipher-change-bug
		 Manipulates the SSL server session resumption behavior to
		 mimic that of certain Netscape servers (see the Netscape
		 reuse cipher change bug workaround description). Note that F5
		 Networks does not recommend this option for normal use. It is
		 ignored for server-side SSL.

	    netscape-reuse-cipher-change-bug
		 Handles a defect within Netscape-Enterprise/2.01
		 (https://merchant.neape.com), only appearing when connecting
		 through SSLv2/v3 then reconnecting through SSLv3. In this
		 case, the cipher list changes.

		 First, a connection is established with the RC4-MD5 cipher
		 list. If it is then resumed, the connection switches to using
		 the DES-CBC3-SHA cipher list. However, according to RFC 2246,
		 (section 7.4.1.3, cipher suite) the cipher list should remain
		 RC4-MD5.

		 As a workaround, you can attempt to connect with a cipher
		 list of DES-CBC-SHA:RC4-MD5 and so on. For some reason, each
		 new connection uses the RC4-MD5 cipher list, but any re-
		 connection attempts to use the DES-CBC-SHA cipher list. Thus
		 Netscape, when reconnecting, always uses the first cipher in
		 the cipher list.

	    no-session-resumption-on-renegotiation
		 When performing renegotiation as an SSL server, this option
		 always starts a new session (that is, session resumption
		 requests are only accepted in the initial handshake). The
		 system ignores this option for server-side SSL.

	    no-ssl
		 Do not use any version of the SSL protocol.

	    no-sslv2
		 Do not use the SSLv2 protocol.

	    no-sslv3
		 Do not use the SSLv3 protocol.

	    no-tls
		 Do not use any version of the TLS protocol.

	    no-tlsv1
		 Do not use the TLSv1.0 protocol.

	    no-tlsv1.1
		 Do not use the TLSv1.1 protocol.

	    no-tlsv1.2
		 Do not use the TLSv1.2 protocol.

	    no-dtls
		 Do not use any version of the DTLS protocol.

	    passive-close
		 Specifies how to handle passive closes.

	    none Disables all workarounds. Note that F5 Networks does not
		 recommend this option.

	    notify-cert-status-to-virtual-server
		 Specifies whether to propagate the status of the certificates
		 of this clientssl profile to the virtual servers that are
		 using this clientssl profile.

	    ocsp-stapling
		 Specifies whether to enable OCSP stapling.

	    pkcs1-check-1
		 This debugging option deliberately manipulates the PKCS1
		 padding used by SSL clients in an attempt to detect
		 vulnerability to particular SSL server vulnerabilities. Note
		 that F5 Networks does not recommend this option for normal
		 use. The system ignores this option for client-side SSL.

	    pkcs1-check-2
		 This debugging option deliberately manipulates the PKCS1
		 padding used by SSL clients in an attempt to detect
		 vulnerability to particular SSL server vulnerabilities. Note
		 that F5 Networks does not recommend this option for normal
		 use. The system ignores this option for client-side SSL.

	    single-dh-use
		 Creates a new key when using temporary/ephemeral DH
		 parameters. This option must be used to prevent small
		 subgroup attacks, when the DH parameters were not generated
		 using strong primes (for example. when using DSA-parameters).
		 If strong primes were used, it is not strictly necessary to
		 generate a new DH key during each handshake, but F5 Networks
		 recommends it. Enable the Single DH Use option whenever
		 temporary or ephemeral DH parameters are used.

	    ssleay-080-client-dh-bug
		 Enables a workaround for communicating with older SSLeay-
		 based applications that specify an incorrect Diffie-Hellman
		 public value length. This option is ignored for server-side
		 SSL.

	    sslref2-reuse-cert-type-bug
		 Handles the SSL reuse certificate type problem.

	    tls-block-padding-bug
		 Enables a workaround for communicating with older
		 TLSv1-enabled applications that use incorrect block padding.

	    tls-d5-bug
		 This option is a workaround for communicating with older
		 TLSv1-enabled applications that specify an incorrect
		 encrypted RSA key length. This option is ignored for server-
		 side SSL.

	    tls-rollback-bug
		 Disables version rollback attack detection. During the client
		 key exchange, the client must send the same information about
		 acceptable SSL/TLS protocol levels as it sends during the
		 first hello. Some clients violate this rule by adapting to
		 the server's answer. For example, the client sends an SSLv2
		 hello and accepts up to SSLv3.1 (TLSv1), but the server only
		 processes up to SSLv3. In this case, the client must still
		 use the same SSLv3.1 (TLSv1) announcement. Some clients step
		 down to SSLv3 with respect to the server's answer and violate
		 the version rollback protection. The system ignores this
		 option for server-side SSL.

       partition
	    Displays the administrative partition within which the profile
	    resides.

       passphrase
	    This option is deprecated and is maintained here for backward
	    compatibility reasons. Please check cert-key-chain option to add
	    certificate, key, passphrase and chain to the profile.

       peer-cert-mode
	    Specifies the peer certificate mode. The default value is ignore.

       peer-no-renegotiate-timeout Specifies the timeout in seconds when the
       server sends Hello Request and waits for ClientHello before it sends
       Alert with fatal alert. You can also specify indefinite. The default is
       10 seconds.
       proxy-ca-cert
	    Specifies the name of the certificate file that is used as the
	    certification authority certificate when SSL forward proxy feature
	    is enabled. The certificate should be generated and installed by
	    you on the system. When selecting this option, type a certificate
	    file name.

       proxy-ca-key
	    Specifies the name of the key file that is used as the
	    certification authority key when SSL forward proxy feature is
	    enabled. The key should be generated and installed by you on the
	    system. When selecting this option, type a key file name.

       proxy-ca-passphrase
	    Specifies the passphrase of the key file that is used as the
	    certification authority key when SSL forward proxy feature is
	    enabled. When selecting this option, type the passphrase
	    corresponding to the selected proxy-ca-key.

       proxy-ssl
	    Enabling this option requires a corresponding server ssl profile
	    with proxy-ssl enabled to perform transparent SSL decryption. This
	    allows further modification of application traffic within an SSL
	    tunnel while still allowing the server to perform necessary
	    authorization, authentication, auditing steps.

       proxy-ssl-passthrough
	    Enabling this option requires a corresponding server ssl profile
	    with proxy-ssl-passthrough enabled. This allows Proxy SSL to
	    passthrough the traffic when ciphersuite negotiated between the
	    client and server is not supported. The default option is
	    disabled.

       regex
	    Displays the items that match the regular expression. The regular
	    expression must be preceded by an at sign (@[regular expression])
	    to indicate that the identifier is a regular expression. See help
	    regex for a description of regular expression syntax.

       renegotiate-max-record-delay
	    Specifies the maximum number of SSL records that the traffic
	    management system can receive before it renegotiates an SSL
	    session. After the system receives this number of SSL records, it
	    closes the connection. This setting applies to client profiles
	    only. The default value is indefinite.

       renegotiate-period
	    Specifies the number of seconds required to renegotiate an SSL
	    session. The default value is indefinite.

       renegotiate-size
	    Specifies the size of the application data, in megabytes, that is
	    transmitted over the secure channel. If the size of the data is
	    higher than this value, the traffic management system must
	    renegotiate the SSL session. The default value is indefinite.

       renegotiation
	    Specifies whether renegotiations are enabled. The default value is
	    enabled.  When renegotiations are disabled, and the system is
	    acting as an SSL server, and a COMPAT or NATIVE cipher is
	    negotiated, the system will abort the connection.  Additionally,
	    when renegotiations are disabled, and the system is acting as an
	    SSL client, the system will ignore the server's HelloRequest
	    messages.

       retain-certificate
	    APM module requires storing certificate in SSL session. When set
	    to false, certificate will not be stored in SSL session. The
	    default value is true.

       generic-alert
	    Enables or disables generic-alert. The default option is enabled,
	    which causes the SSL profile to use generic alert number.
	    Conversely, you can specify disabled to cause SSL profile to use
	    alert number defined in RFC5246/RFC6066 strictly.

       secure-renegotiation
	    Specifies the secure renegotiation mode. The default value is
	    require. When secure renegotiation is required, any client
	    attempting to renegotiate that does not support secure
	    renegotiation will have its connection aborted. When secure
	    renegotiation is set to require-strict, any client attempting to
	    connect that does not support secure renegotiation will have its
	    initial handshake denied. When secure renegotiation is set to
	    request, unpatched clients will be permitted to renegotiate. This
	    setting is NOT recommended however, as it is subject to active
	    man-in-the-middle attacks.

       max-renegotiations-per-minute
	    Specifies the maximum number of renegotiation attempts allowed in
	    a minute. The default value is 5.

       max-active-handshakes
	    Specifies the maximum number allowed SSL active handshakes. The
	    default value is 0.

       max-aggregate-renegotiation-per-minute
	    Specifies the maximum number of aggregate renegotiation attempts
	    allowed in a minute. The default value is indefinite.

       server-name
	    Specifies the server names to be matched with SNI (server name
	    indication) extension information in ClientHello from a client
	    connection. Wildcard is supported by using wildcard character "*"
	    to match multiple names.

       sni-default
	    When true, this profile is the default SSL profile when the server
	    name in a client connection does not match any configured server
	    names, or a client connection does not specify any server name at
	    all.

       sni-require
	    When this option is enabled, a client connection that does not
	    specify a known server name or does not support SNI extension will
	    be rejected.

       ssl-sign-hash
	    Specifies SSL sign hash algorithm which is used to sign and verify
	    SSL Server Key Exchange and Certificate Verify messages for the
	    specified SSL profiles. The default value is sha1.

       strict-resume
	    Enables or disables strict-resume. The default option is disabled,
	    which causes the SSL profile to resume an uncleanly shut down SSL
	    session. Conversely, you can specify enabled to prevent an SSL
	    session from being resumed after an unclean shutdown.

       unclean-shutdown
	    By default, the SSL profile performs unclean shutdowns of all SSL
	    connections, which means that underlying TCP connections are
	    closed without exchanging the required SSL shutdown alerts. If you
	    want to force the SSL profile to perform a clean shutdown of all
	    SSL connections, set this option to disabled.

       session-mirroring
	    Enables or disables the mirroring of sessions to high availability
	    peer. By default, this setting is disabled, which causes the
	    system to not mirror ssl sessions.

       session-ticket
	    Enables or disables session-ticket. The default option is
	    disabled, which causes the SSL profile not to use session ticket
	    per RFC 5077. Conversely, you can specify enabled to cause SSL
	    profile to use session ticket per RFC 5077.

       session-ticket-timeout
	    Specifies the session ticket timeout. The default value is 0 which
	    means cache timeout is used.

       source-ip-blacklist
	    Specifies the data group name of source ip blacklist when SSL
	    forward proxy bypass feature is enabled.

       source-ip-whitelist
	    Specifies the data group name of source ip whitelist when SSL
	    forward proxy bypass feature is enabled.

       ssl-forward-proxy
	    Enables or disables SSL forward proxy feature. The default option
	    is disabled. Conversely, you can specify enabled to use the SSL
	    Forward Proxy Feature.

       ssl-forward-proxy-bypass
	    Enables or disables SSL forward proxy bypass feature. The default
	    option is disabled. Conversely, you can specify enabled to use the
	    SSL Forward Proxy Bypass Feature.

       to-folder
	    client-ssl profiles can be moved to any folder under /Common, but
	    configuration dependencies may restrict moving the profile out of
	    /Common.

SEE ALSO
       create, delete, edit, glob, list, ltm virtual, modify, mv, regex,
       reset-stats, show, tmsh

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or
       by any means, electronic or mechanical, including photocopying,
       recording, or information storage and retrieval systems, for any
       purpose other than the purchaser's personal use, without the express
       written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2008-2010, 2012-2013, 2015-2016.
       All rights reserved.



BIG-IP				  2016-11-10	     ltm profile client-ssl(1)