ltm profile server-ssl

ltm profile server-ssl(1)			  BIG-IP TMSH Manual			    ltm profile server-ssl(1)

NAME
       server-ssl - Configures a Server SSL profile.

MODULE
       ltm profile

SYNTAX
       Configure the server-ssl component within the ltm profile module using the syntax shown in the following
       sections.

   CREATE/MODIFY
	create server-ssl [name]
	modify server-ssl [name]
	  options:
	    alert-timeout [indefinite | immediate | [integer] ]
	    allow-expired-crl [enabled | disabled]
	    app-service [[string] | none]
	    authenticate [always | once]
	    authenticate-depth [integer]
	    authenticate-name [ [name] | none]
	    bypass-on-client-cert-fail [disabled | enabled]
	    bypass-on-handshake-alert [disabled | enabled]
	    c3d-ca-cert [name]
	    c3d-ca-key [name]
	    c3d-ca-passphrase [string]
	    c3d-cert-extension-custom-oids [none | [string]]
	    c3d-cert-extension-includes {
		none |
		[ basic-constraints extended-key-usage
		  key-usage subject-alternative-name
		]...
	    }
	    c3d-cert-lifespan [integer]
	    ca-file [ [file name] | none]
	    cache-size [integer]
	    cache-timeout [integer]
	    cert [ [file name] | none]
	    chain [ [name] | none]
	    cipher-group [name | none]
	    ciphers [ [name] | none]
	    crl [[name] | none]
	    crl-file [none]
	    defaults-from [ [name] | none]
	    description [string]
	    expire-cert-response-control [drop | ignore | mask]
	    handshake-timeout [indefinite | [integer] ]
	    key [ [file name] | none]
	    max-active-handshakes [integer]
	    mod-ssl-methods [disabled | enabled]
	    mode [disabled | enabled]
	    ocsp [[ocsp profile name] | none]
	    options {
	      none |
	      [ dont-insert-empty-fragments
		no-session-resumption-on-renegotiation
		no-ssl no-sslv3 no-tls no-tlsv1 no-tlsv1.1 no-tlsv1.2
		no-tlsv1.3 no-dtls no-dtlsv1.0 no-dtlsv1.2 gmsslv1.1 passive-close
		single-dh-use tls-rollback-bug ]
	    }
	    passphrase [none | [string] ]
	    peer-cert-mode [ignore | require]
	    proxy-ssl [disabled | enabled]
	    proxy-ssl-passthrough [disabled | enabled]
	    renegotiate-period [indefinite | [integer] ]
	    renegotiate-size [indefinite | [integer] ]
	    renegotiation [disabled | enabled]
	    retain-certificate [true | false]
	    revoked-cert-status-response-control [drop | ignore | mask]
	    secure-renegotiation [request | require | require-strict]
	    server-name [name]
	    session-mirroring [disabled | enabled]
	    session-ticket [disabled | enabled]
	    generic-alert [disabled | enabled]
	    sni-default [true | false]
	    sni-require [true | false]
	    ssl-c3d [disabled | enabled]
	    ssl-forward-proxy [disabled | enabled]
	    ssl-forward-proxy-bypass [disabled | enabled]
	    ssl-forward-proxy-verified-handshake [disabled | enabled]
	    ssl-sign-hash [any | sha1 | sha256 | sha384]
	    strict-resume [disabled | enabled]
	    unclean-shutdown [disabled | enabled]
	    data-0rtt [disabled | enabled]
	    unknown-cert-status-response-control [ignore | drop | mask]
	    untrusted-cert-response-control [drop | ignore | mask]

	edit server-ssl [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    non-default-properties

	mv server-ssl [ [[source-name] [destination-name]] | [[name] to-folder [folder-name]] | [[name...name] to-folder [folder-name]] ]
	  options:
	    to-folder

	reset-stats server-ssl
	reset-stats server-ssl [ [ [name] | [glob] | [regex] ] ... ]

   DISPLAY
	list server-ssl
	list server-ssl [ [ [name] | [glob] | [regex] ] ... ]
	show running-config server-ssl
	show running-config server-ssl
	  [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    non-default-properties
	    one-line
	    partition

	show server-ssl
	show server-ssl [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    (default | exa | gig | kil | meg | peta | raw | tera | yotta | zetta)
	    global

   DELETE
	delete server-ssl [all | [name]]
	  options:
	    recursive

DESCRIPTION
       You can use the server-ssl component to manage a server SSL profile.

       Server-side profiles enable the traffic management system to handle encryption tasks for any SSL connection
       being sent from a local traffic management system to a target server. A server-side SSL profile acts as a
       client by presenting certificate credentials to a server when authentication of the local traffic management
       system is required. You implement this type of profile by using the default profile, or by creating a custom
       profile based on the Server SSL profile template and modifying its settings.

EXAMPLES
       create server-ssl my_serverssl_profile defaults-from serverssl

       Creates a custom Server SSL profile named my_serverssl_profile that inherits its settings from the system
       default profile serverssl.

       list server-ssl all-properties

       Displays all properties for all Server SSL profiles.

       mv server-ssl /Common/my_serverssl_profile to-folder /Common/my_folder

       Moves a custom server-ssl profile named my_serverssl_profile to a folder named my_folder, where my_folder has
       already been created and exists within /Common.

OPTIONS
       app-service
	    Specifies the name of the application service to which the profile belongs. The default value is none.
	    Note: If the strict-updates option is enabled on the application service that owns the object, you cannot
	    modify or delete the profile. Only the application service can modify or delete the profile.

       alert-timeout
	    Specifies the maximum time period in seconds to keep the SSL session active after an alert message is
	    sent, or indefinite. The default value is indefinite.

       allow-expired-crl
	    Use the specified CRL file even if it has expired. The default value is disabled.

       authenticate
	    Specifies the frequency of authentication. The default value is once. Note that if this is set to always,
	    the session cache and session ticket are disabled.

       authenticate-depth
	    Specifies the client certificate chain maximum traversal depth. The default value is 9.

       authenticate-name
	    Specifies a Common Name (CN) that is embedded in a server certificate. The system authenticates a server
	    based on the specified CN. The default value is none.

       bypass-on-client-cert-fail
	    Enables or disables SSL forward proxy bypass when the client certificate that the server requests cannot be
	    obtained. When enabled and the SSL handshake cannot be completed because the client certificate could not
	    be obtained, SSL traffic bypasses the BIG-IP system untouched, without decryption/encryption. The default
	    value is disabled. Conversely, you can specify enabled to use this feature.

       bypass-on-handshake-alert
	    Enables or disables SSL forward proxy bypass on receiving a handshake_failure, protocol_version or
	    unsupported_extension alert message during the server-side SSL handshake. When enabled and there is a
	    handshake_failure, protocol_version or unsupported_extension alert during the server-side SSL handshake,
	    SSL traffic bypasses the BIG-IP system untouched, without decryption/encryption. The default value is
	    disabled. Conversely, you can specify enabled to use this feature.

       c3d-ca-cert
	    Specifies the name of the certificate file that is used as the certification authority certificate when
	    SSL client certificate constrained delegation is enabled. The certificate should be generated and
	    installed by you on the system. When selecting this option, type a certificate file name.

       c3d-ca-key
	    Specifies the name of the key file that is used as the certification authority key when SSL client
	    certificate constrained delegation is enabled. The key should be generated and installed by you on the
	    system. When selecting this option, type a key file name.

       c3d-ca-passphrase
	    Specifies the passphrase of the key file that is used as the certification authority key when SSL client
	    certificate constrained delegation is enabled. When selecting this option, type the passphrase
	    corresponding to the selected c3d-ca-key.

       c3d-cert-extension-custom-oids
	    Specifies the custom extension OID of the client certificates to be included in the generated
	    certificates using SSL client certificate constrained delegation.

       c3d-cert-extension-includes
	    Specifies the extensions of the client certificates to be included in the generated certificates using
	    SSL client certificate constrained delegation. For example, { basic-constraints }. The default value is {
	    basic-constraints extended-key-usage key-usage subject-alternative-name }. The extensions are:

	    basic-constraints
		 Basic constraints are used to indicate whether the certificate belongs to a CA.

	    extended-key-usage
		 Extended Key Usage is used, typically on a leaf certificate, to indicate the purpose of the public
		 key contained in the certificate.

	    key-usage
		 Key Usage provides a bitmap specifying the cryptographic operations which may be performed using the
		 public key contained in the certificate; for example, it could indicate that the key should be used
		 for signature but not for encipherment.

	    subject-alternative-name
		 Subject Alternative Name allows identities to be bound to the subject of the certificate. These
		 identities may be included in addition to or in place of the identity in the subject field of the
		 certificate.

       c3d-cert-lifespan
	    Specifies the lifespan of the certificate generated using the SSL client certificate constrained
	    delegation. The default value is 24.

       ca-file
	    Specifies the certificate authority file name. Configures certificate verification by specifying a list
	    of client or server CAs that the traffic management system trusts. The default value is none.

       cache-size
	    Specifies the SSL session cache size. For client profiles only, you can configure timeout and size values
	    for the SSL session cache. Because each profile maintains a separate SSL session cache, you can configure
	    the values on a per-profile basis. The default value is 262144.

       cache-timeout
	    Specifies the SSL session cache timeout value, which is the usable lifetime, in seconds, of negotiated SSL
	    session IDs. The default value is 3600 seconds. Acceptable values are integers greater than or equal to 0
	    and less than or equal to 86400.

       cert Specifies the name of the certificate installed on the traffic management system for the purpose of
	    terminating or initiating an SSL connection. The default value is none.

       chain
	    Specifies or builds a certificate chain file that a client can use to authenticate the profile. The
	    default value is none.

       cipher-group
	    Specifies a cipher group. If the cipher group is not blank or none, the ciphers string will be used.

       ciphers
	    Specifies a cipher name. The default value is DEFAULT.

       crl  Specifies the name of the CRL validator used to validate the status of the server certificate. Specifying
	    none disables CRL validation of the server certificate. The default value is none.

       crl-file
	    Specifies the certificate revocation list file name. The default value is none.

       defaults-from
	    Specifies the profile that you want to use as the parent profile. Your new profile inherits all settings
	    and values from the parent profile specified. The default value is serverssl.

       description
	    User defined description.

       expire-cert-response-control
	    Specifies the BIG-IP action when the server certificate has expired. The default value is drop, which
	    causes the connection to be dropped. Conversely, you can specify ignore to cause the connection to ignore
	    the error and continue, or you can specify mask, in the case of SSL forward proxy, to mask server
	    certificate errors, continue with the handshake, and forge a good certificate on the client side.

       glob Displays the items that match the glob expression. See help glob for a description of glob expression
	    syntax.

       handshake-timeout
	    Specifies the handshake timeout in seconds. The default value is 10.

       key  Specifies the name of the key installed on the traffic management system for the purpose of terminating
	    or initiating an SSL connection. The default value is none.

       max-active-handshakes
	    Specifies the maximum number of active SSL handshakes allowed. The default value is 0.

       mod-ssl-methods
	    Enables or disables ModSSL methods. The default value is disabled.

	    Enable this option when OpenSSL methods are inadequate. For example, you can enable ModSSL method
	    emulation when you want to use SSL compression over TLSv1.

       mode Enables or disables SSL processing. The default value is enabled.

       name Specifies a unique name for the component. This option is required for the commands create, delete, and
	    modify.

       ocsp Specifies the name of the OCSP profile used to validate the status of the server certificate. Specifying
	    none disables OCSP validation of the server certificate. The default value is none.

       options
	    Enables options, including some industry-related workarounds. Enter options inside braces, for example, {
	    dont-insert-empty-fragments }. The default value is dont-insert-empty-fragments no-tlsv1.3.

	    dont-insert-empty-fragments
		 Disables a countermeasure against an SSL 3.0/TLS 1.0 protocol vulnerability affecting CBC ciphers.
		 These ciphers cannot be handled by certain broken SSL implementations. This option has no effect for
		 connections using other ciphers.

	    no-session-resumption-on-renegotiation
		 When performing renegotiation as an SSL server, this option always starts a new session (that is,
		 session resumption requests are accepted only in the initial handshake). The system ignores this
		 option for server-side SSL.

	    gmsslv1.1
		 Enable GMSSLv1.1 protocol.

	    no-ssl
		 Do not use any version of the SSL protocol.

	    no-sslv3
		 Do not use the SSLv3 protocol.

	    no-tls
		 Do not use any version of the TLS protocol.

	    no-tlsv1
		 Do not use the TLSv1.0 protocol.

	    no-tlsv1.1
		 Do not use the TLSv1.1 protocol.

	    no-tlsv1.2
		 Do not use the TLSv1.2 protocol.

	    no-tlsv1.3
		 Do not use the TLSv1.3 protocol. Note that this is for future expansion.  Currently TLSv1.3 has not
		 been implemented for server side SSL, so removing this will have no effect and log a warning
		 message.

	    no-dtls
		 Do not use any version of the DTLS protocol.

	    no-dtlsv1.0
		 Do not use the DTLSv1.0 protocol.

	    no-dtlsv1.2
		 Do not use the DTLSv1.2 protocol.

	    passive-close
		 Specifies how to handle passive closes.

	    none Disables all workarounds. Note that F5 Networks does not recommend this option.

	    single-dh-use
		 Creates a new key when using temporary/ephemeral DH parameters. This option must be used to prevent
		 small subgroup attacks when the DH parameters were not generated using strong primes (for example,
		 when using DSA parameters). If strong primes were used, it is not strictly necessary to generate a
		 new DH key during each handshake, but F5 Networks recommends it. Enable the Single DH Use option
		 whenever temporary or ephemeral DH parameters are used.

	    tls-rollback-bug
		 Disables version rollback attack detection. During the client key exchange, the client must send the
		 same information about acceptable SSL/TLS protocol levels as it sends during the first hello. Some
		 clients violate this rule by adapting to the server's answer. For example, the client sends an SSLv2
		 hello and accepts up to SSLv3.1 (TLSv1), but the server only processes up to SSLv3. In this case,
		 the client must still use the same SSLv3.1 (TLSv1) announcement. Some clients step down to SSLv3
		 with respect to the server's answer and violate the version rollback protection. The system ignores
		 this option for server-side SSL.

       partition
	    Displays the administrative partition within which the component resides.

       passphrase
	    Specifies the key passphrase, if required. The default value is none.

       peer-cert-mode
	    Specifies the peer certificate mode. The default value is ignore.

       proxy-ssl
	    Enabling this option requires a corresponding client-ssl profile with proxy-ssl enabled to perform
	    transparent SSL decryption. This feature allows further modification of application traffic within an SSL
	    tunnel while still allowing the server to perform the necessary authorization, authentication, and
	    auditing steps.

       proxy-ssl-passthrough
	    Enabling this option requires a corresponding client-ssl profile with proxy-ssl-passthrough enabled. This
	    allows Proxy SSL to pass the traffic through when the cipher suite negotiated between the client and
	    server is not supported. The default option is disabled.

       regex
	    Displays the items that match the regular expression. The regular expression must be preceded by an at
	    sign (@[regular expression]) to indicate that the identifier is a regular expression. See help regex for
	    a description of regular expression syntax.

       renegotiate-period
	    Specifies the number of seconds from the initial connect time after which the system renegotiates an SSL
	    session. The default value is indefinite, which means that you do not want the system to renegotiate SSL
	    sessions.

	    Each time the session renegotiation is successful, a new connection is started. Therefore, the system
	    attempts to renegotiate the session again, in the specified amount of time following a successful session
	    renegotiation. For example, setting the renegotiate-period option to 3600 seconds triggers session
	    renegotiation at least once an hour.

       renegotiate-size
	    Specifies a throughput size, in megabytes, of SSL renegotiation. This option forces the traffic
	    management system to renegotiate an SSL session based on the size, in megabytes, of application data that
	    is transmitted over the secure channel. The default value is indefinite, which specifies that you do not
	    want a throughput size.

       renegotiation
	    Specifies whether renegotiations are enabled. The default value is enabled.  When renegotiations are
	    disabled, the system is acting as an SSL server, and a COMPAT or NATIVE cipher is negotiated, the system
	    will abort the connection. Additionally, when renegotiations are disabled and the system is acting as an
	    SSL client, the system will ignore the server's HelloRequest messages.

       retain-certificate
	    The APM module requires the certificate to be stored in the SSL session. When set to false, the
	    certificate is not stored in the SSL session. The default value is true.

       revoked-cert-status-response-control
	    Specifies the BIG-IP action when the server certificate status is revoked. The default value is drop,
	    which causes the connection to be dropped. You can specify ignore to cause the connection to ignore the
	    error and continue the handshake. You can specify mask, in the case of SSL forward proxy, to mask the
	    server certificate status error and continue the handshake.

       generic-alert
	    Enables or disables generic-alert. The default option is enabled, which causes the SSL profile to use a
	    generic alert number. Conversely, you can specify disabled to cause the SSL profile to use strictly the
	    alert numbers defined in RFC 5246/RFC 6066.

       secure-renegotiation
	    Specifies the secure renegotiation mode. The default value is require-strict. When secure renegotiation
	    is set to require, any connection to an unpatched server will be aborted. For server-ssl, there is no
	    difference between require and require-strict secure renegotiation. When secure renegotiation is set to
	    request, connections to unpatched servers will be permitted. This setting is NOT recommended however, as
	    it is subject to active man-in-the-middle attacks.

       server-name
	    Specifies the server name to be included in the SNI (Server Name Indication) extension of the ClientHello
	    during the SSL handshake.

       session-mirroring
	    Enables or disables the mirroring of sessions to the high availability peer. By default, this setting is
	    disabled, which causes the system not to mirror SSL sessions.

       session-ticket
	    Enables or disables session-ticket. The default option is disabled, which causes the SSL profile not to
	    use session tickets per RFC 5077. Conversely, you can specify enabled to cause the SSL profile to use
	    session tickets per RFC 5077.

       sni-default
	    When true, this profile is the default SSL profile when the server name in a client connection does not
	    match any configured server names, or a client connection does not specify any server name at all.

       sni-require
	    When this option is enabled, connections to a server that does not support the SNI extension are
	    rejected.

       ssl-c3d
	    Enables or disables SSL Client certificate constrained delegation. The default option is disabled.
	    Conversely, you can specify enabled to use the SSL client certificate constrained delegation.

       ssl-forward-proxy
	    Enables or disables ssl-forward-proxy feature. The default option is disabled. Conversely, you can
	    specify enabled to use the SSL Forward Proxy Feature.

       ssl-sign-hash
	    Specifies the SSL signature hash algorithm used to sign and verify SSL Server Key Exchange and
	    Certificate Verify messages for the specified SSL profiles. The default value is sha1.

       ssl-forward-proxy-bypass
	    Enables or disables ssl-forward-proxy-bypass feature. The default option is disabled. Conversely, you can
	    specify enabled to use the SSL Forward Proxy Bypass Feature.

       ssl-forward-proxy-verified-handshake
	    Specifies, when enabled, that in SSL forward proxy mode, the system should always do a TLS handshake with
	    the server first before doing the client handshake. When disabled, the system will do the server
	    handshake first only if it has not previously forged and cached the server certificate; once the server
	    certificate is ready, the system will always handshake first with the client. The default value is
	    disabled.

       strict-resume
	    Enables or disables the resumption of SSL sessions after an unclean shutdown. The default value is
	    disabled, which indicates that the SSL profile refuses to resume SSL sessions after an unclean shutdown.

       to-folder
	    server-ssl profiles can be moved to any folder under /Common, but configuration dependencies may restrict
	    moving the profile out of /Common.

       unclean-shutdown
	    Specifies, when enabled, that the SSL profile performs unclean shutdowns of all SSL connections, which
	    means that underlying TCP connections are closed without exchanging the required SSL shutdown alerts. If
	    you want to force the SSL profile to perform a clean shutdown of all SSL connections, you can disable
	    this option.

       unknown-cert-status-response-control
	    Specifies the BIG-IP action when the server certificate status is unknown. The default value is ignore,
	    which causes the connection to ignore the error and continue the handshake. You can specify drop, which
	    causes the connection to be dropped. You can specify mask, in the case of SSL forward proxy, to mask the
	    server certificate status error and continue the handshake.

       untrusted-cert-response-control
	    Specifies the BIG-IP action when the server certificate is issued by an untrusted CA. The default value is
	    drop, which causes the connection to be dropped. Conversely, you can specify ignore to cause the
	    connection to ignore the error and continue, or you can specify mask, in the case of SSL forward proxy, to
	    mask server certificate errors, continue with the handshake, and forge a good certificate on the client
	    side.

       data-0rtt
	    Specifies if TLSv1.3 should send 0-RTT early data when available. The default value is disabled.
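       As an added example (not part of this manual page and not F5 code), the following Python script parses the
       brace-delimited text that `list ltm profile server-ssl all-properties` prints and flags the settings this page
       documents as weak for a server-side profile: peer-cert-mode ignore, a missing ca-file or authenticate-name,
       secure-renegotiation request, legacy protocol versions left enabled, and an ssl-sign-hash below SHA-2. The
       profile names, CA file path, hostname and listing text are constructed samples, and absent options are assumed
       to take the defaults given above.

```python
# Added example, not F5 code: audit BIG-IP server-ssl profiles from the
# brace-delimited text that `tmsh list ltm profile server-ssl all-properties` prints.
import re

# Constructed sample output (two profiles); not captured from a real device.
SAMPLE = """\
ltm profile server-ssl /Common/backend_default {
    authenticate-name none
    ca-file none
    options { dont-insert-empty-fragments no-tlsv1.3 }
    peer-cert-mode ignore
    secure-renegotiation request
    ssl-sign-hash sha1
}
ltm profile server-ssl /Common/backend_hardened {
    authenticate-name api.internal.example
    ca-file /Common/internal-ca.crt
    options { dont-insert-empty-fragments no-ssl no-tlsv1 no-tlsv1.1 no-tlsv1.3 }
    peer-cert-mode require
    secure-renegotiation require-strict
    ssl-sign-hash sha256
}
"""

PROFILE_RE = re.compile(r"ltm profile server-ssl (\S+) \{(.*?)\n\}", re.S)


def parse_profiles(text):
    """Return {profile_name: {option: value}}; a brace list such as
    `options { a b }` becomes the set {"a", "b"}."""
    profiles = {}
    for match in PROFILE_RE.finditer(text):
        settings = {}
        for line in filter(None, (raw.strip() for raw in match.group(2).splitlines())):
            key, _, value = line.partition(" ")
            settings[key] = set(value.strip("{} ").split()) if value.startswith("{") else value
        profiles[match.group(1)] = settings
    return profiles


def audit(settings):
    """Findings for one profile; absent options take the defaults this page documents."""
    findings = []
    if settings.get("peer-cert-mode", "ignore") == "ignore":
        findings.append("peer-cert-mode ignore: the server certificate is not verified")
    elif settings.get("ca-file", "none") == "none":
        findings.append("peer-cert-mode require but ca-file none: no trust anchor configured")
    if settings.get("authenticate-name", "none") == "none":
        findings.append("authenticate-name none: the server CN is not checked")
    if settings.get("secure-renegotiation", "require-strict") == "request":
        findings.append("secure-renegotiation request: unpatched servers allowed (MITM risk)")
    options = settings.get("options", {"dont-insert-empty-fragments", "no-tlsv1.3"})
    if not options & {"no-ssl", "no-sslv3"}:
        findings.append("options: SSLv3 not disabled (add no-sslv3)")
    for legacy in ("no-tlsv1", "no-tlsv1.1"):
        if legacy not in options:
            findings.append(f"options: {legacy} missing, legacy TLS version still negotiable")
    if settings.get("ssl-sign-hash", "sha1") not in ("sha256", "sha384"):
        findings.append("ssl-sign-hash: SHA-2 not required for handshake signatures")
    return findings


def audit_text(text):
    """Map every profile in tmsh list output to its list of findings."""
    return {name: audit(cfg) for name, cfg in parse_profiles(text).items()}


if __name__ == "__main__":
    for name, findings in audit_text(SAMPLE).items():
        print(name, "OK" if not findings else f"{len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

       Feed it the saved output of `list ltm profile server-ssl all-properties` to review every profile on a unit
       before a change window.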

SEE ALSO
       create, delete, edit, glob, list, ltm profile client-ssl, ltm virtual, modify, mv, regex, show, tmsh

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or by any means, electronic or
       mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
       other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2008-2013, 2015-2016. All rights reserved.

BIG-IP						      2020-02-08			    ltm profile server-ssl(1)