TLS_Client (object)

TLS client parameters (connections leaving ADC)

Properties (* = required):

| name | type(s) | default | allowed values | description |
|---|---|---|---|---|
| alertTimeout | | "indefinite" | | Specifies the duration of time, in seconds, for the system to try to close an SSL connection before resetting the connection. The default is "indefinite". You can also specify "immediate", or an integer. |
| allowExpiredCRL | boolean | false | true, false | Specifies if the CRL can be used even if it has expired |
| authenticationFrequency | string | "one-time" | "one-time", "every-time" | Client certificate authentication frequency |
| c3dCertificateAuthority | string | | | Pointer to a Certificate class which specifies the Certificate Authority values for C3D |
| c3dCertificateExtensions | array | "basic-constraints" | | Specifies the custom extension OID of the client certificates to be included in the generated certificates using SSL C3D |
| c3dCertificateLifespan | integer | 24 | 0 - 8760 | Specifies the lifespan of the certificate generated using the SSL client certificate constrained delegation |
| c3dEnabled | boolean | false | true, false | Enables or disables SSL Client certificate constrained delegation (C3D). Using C3D eliminates the need for requiring users to provide credentials twice for certain authentication actions |
| cacheTimeout | integer | 3600 | 0 - 86400 | Sets the cache timeout (in seconds) |
| cipherGroup | object | | | Pointer to a cipherGroup. cipherGroup and ciphers are mutually exclusive, only use one. |
| ciphers | string | | | Ciphersuite selection string. ciphers and cipherGroup are mutually exclusive, only use one. |
| class* | string | | "TLS_Client" | |
| clientCertificate | string | | | BIG-IP AS3 pointer to client Certificate declaration (optional) |
| crlFile | object | | | Specifies the name of a file containing a list of revoked client certificates. Reference to an SSL CRL file |
| dataZeroRoundTripTime | boolean | false | true, false | Specifies if TLSv1.3 should send 0-RTT early data when available. |
| dtls1_2Enabled | boolean | true | true, false | Allows the DTLS 1.2 protocol. |
| dtlsEnabled | boolean | true | true, false | Allows the DTLS protocol. |
| forwardProxyBypassEnabled | boolean | false | true, false | Enables or disables (default) SSL forward proxy bypass |
| forwardProxyEnabled | boolean | false | true, false | Enables or disables (default) SSL forward proxy |
| handshakeTimeout | | 10 | | Specifies the handshake timeout in seconds. |
| ignoreExpired | boolean | false | true, false | If false (default), drop connections with expired server certificates |
| ignoreUntrusted | boolean | false | true, false | If false (default), drop connections with untrusted server certificates |
| insertEmptyFragmentsEnabled | boolean | false | true, false | Enables a countermeasure against an SSL 3.0/TLS 1.0 protocol vulnerability affecting CBC ciphers. These ciphers cannot be handled by certain broken SSL implementations. |
| label | string | | "^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$" | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML |
| ldapStartTLS | string | | "none", "allow", "require" | Creates a client LDAP profile with the specified STARTTLS activation mode. |
| proxySslEnabled | boolean | false | true, false | When enabled, further modification of application traffic within an SSL tunnel is allowed while still allowing the server to perform necessary authorization, authentication, and auditing steps. Requires a corresponding TLS_Server with this enabled to perform transparent SSL decryption. |
| proxySslPassthroughEnabled | boolean | false | true, false | When enabled, allows Proxy SSL to pass the traffic through when the ciphersuite negotiated between the client and server is not supported. Requires a corresponding TLS_Server with this enabled to perform transparent SSL decryption. |
| remark | string | | "^[^\x00-\x1f\x22\x5c\x7f]*$" | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks |
| renegotiatePeriod | | "indefinite" | | Specifies the number of seconds from the initial connect time after which the system renegotiates an SSL session. The default value is indefinite, which means that you do not want the system to renegotiate SSL sessions. |
| renegotiateSize | | "indefinite" | | Specifies a throughput size, in megabytes, of SSL renegotiation. This option forces the traffic management system to renegotiate an SSL session based on the size, in megabytes, of application data that is transmitted over the secure channel. The default value is indefinite, which specifies that you do not want a throughput size. |
| renegotiationEnabled | boolean | true | true, false | Controls on a per-connection basis how the system responds to mid-stream SSL reconnection requests. |
| requireSNI | boolean | false | true, false | When a client sends no or unknown SNI and Require SNI is false (default), the system uses the primary certificate; otherwise the system rejects the client |
| retainCertificateEnabled | boolean | true | true, false | When enabled, the server certificate is retained in the SSL session. |
| secureRenegotiation | string | "require-strict" | "request", "require", "require-strict" | Specifies the secure renegotiation mode. When set to require, any connection to an unpatched server will be aborted. For TLS_Client, require and require-strict are the same. When set to request, connections to unpatched servers will be permitted. Setting to request is not recommended as it is subject to active man-in-the-middle attacks. |
| sendSNI | string | "none" | "hostname" formatted string | FQDN to send in SNI (optional) |
| serverName | string | "none" | "hostname" formatted string | FQDN which the server certificate must match (optional) |
| sessionTickets | boolean | false | true, false | If false (default), do not use RFC 5077 session tickets |
| singleUseDhEnabled | boolean | false | true, false | Creates a new key when using temporary/ephemeral DH parameters. This option must be used to prevent small subgroup attacks when the DH parameters were not generated using strong primes (for example, when using DSA parameters). If strong primes were used, it is not strictly necessary to generate a new DH key during each handshake, but F5 Networks recommends it. Enable the Single DH Use option whenever temporary or ephemeral DH parameters are used. |
| sniDefault | boolean | false | true, false | When true, this profile is the default SSL profile when a client connection does not specify a known server name, or does not specify any server name at all. When you have two or more TLS_Server certificates but no sniDefault is set, the first certificate is set as sniDefault by default. Otherwise, you can manually set one of these certificates as the default by setting sniDefault = true. The default value is false |
| ssl3Enabled | boolean | true | true, false | Allow SSL v3 protocol |
| sslEnabled | boolean | true | true, false | Allow SSL protocol |
| sslSignHash | string | "any" | "any", "sha1", "sha256", "sha384" | Specifies the SSL sign hash algorithm used to sign and verify SSL Server Key Exchange and Certificate Verify messages for the specified SSL profiles. |
| tls1_0Enabled | boolean | true | true, false | Allow TLS 1.0 ciphers. |
| tls1_1Enabled | boolean | true | true, false | Allow TLS 1.1 ciphers. |
| tls1_2Enabled | boolean | true | true, false | Allow TLS 1.2 ciphers. |
| tls1_3Enabled | boolean | false | true, false | Allow TLS 1.3 ciphers. Note: tls1_3Enabled is only supported in TMOS version 14.0+. |
| trustCA | | | | CAs trusted to validate the server certificate; "generic" (default) or else BIG-IP AS3 pointer to declaration of CA Bundle |
| uncleanShutdownEnabled | boolean | true | true, false | When enabled, the profile performs unclean shutdowns of all SSL connections, which means the underlying TCP connections are closed without exchanging the required SSL shutdown alerts. |
| validateCertificate | boolean | false | true, false | If false (default), accept any cert from the server; else validate the server cert against the trusted CA bundle |
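As an added example (not AS3 code and not part of this reference), the following Python lint checks a TLS_Client object against the constraints in the table above (ciphers/cipherGroup exclusivity, the integer ranges, the label pattern) and flags the defaults that leave outbound TLS weak: no server certificate validation, legacy protocol versions, and "request" secure renegotiation. The two sample declarations are constructed; the trustCA bundle name and the cipher group path are assumed.

```python
import re

# Constraints taken from the TLS_Client table: label pattern and integer ranges.
LABEL_RE = re.compile(r"^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$")
RANGES = {"c3dCertificateLifespan": (0, 8760), "cacheTimeout": (0, 86400)}
# (property, schema default, value that weakens outbound TLS, finding text).
# The default applies whenever the property is omitted from the declaration.
WEAK = [
    ("validateCertificate", False, False, "server certificate is not validated"),
    ("ignoreUntrusted", False, True, "untrusted server certificates accepted"),
    ("ignoreExpired", False, True, "expired server certificates accepted"),
    ("ssl3Enabled", True, True, "SSLv3 allowed"),
    ("tls1_0Enabled", True, True, "TLS 1.0 allowed"),
    ("tls1_1Enabled", True, True, "TLS 1.1 allowed"),
    ("secureRenegotiation", "require-strict", "request",
     "connections to unpatched servers permitted"),
]

def lint_tls_client(obj):
    """Return a list of findings for one TLS_Client object; [] means clean."""
    findings = []
    if obj.get("class") != "TLS_Client":
        findings.append("class must be TLS_Client")
    if "ciphers" in obj and "cipherGroup" in obj:
        findings.append("ciphers and cipherGroup are mutually exclusive")
    for key, (lo, hi) in RANGES.items():
        if key in obj and not lo <= obj[key] <= hi:
            findings.append(f"{key}={obj[key]} outside {lo}-{hi}")
    label = obj.get("label", "")
    if len(label) > 64 or not LABEL_RE.match(label):
        findings.append("label violates length or character constraints")
    for key, default, weak, text in WEAK:
        if obj.get(key, default) == weak:
            findings.append(f"{key}={weak!r}: {text}")
    return findings

# Constructed samples: one relying on schema defaults, one hardened. The CA
# bundle name and the cipher group path are assumed, not from the reference.
LAX = {"class": "TLS_Client", "label": "to-backend", "trustCA": {"use": "backend_ca"}}
HARDENED = {
    "class": "TLS_Client", "label": "to-backend",
    "validateCertificate": True, "trustCA": {"use": "backend_ca"},
    "serverName": "api.backend.example", "sendSNI": "api.backend.example",
    "ssl3Enabled": False, "tls1_0Enabled": False, "tls1_1Enabled": False,
    "tls1_2Enabled": True, "secureRenegotiation": "require-strict",
    "cipherGroup": {"bigip": "/Common/f5-secure"},
}
```

Running `lint_tls_client(LAX)` reports four findings (certificate validation off, SSLv3, TLS 1.0 and TLS 1.1 allowed), all inherited from defaults rather than from anything written in the declaration.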

TLS_Client.cipherGroup (object)

Pointer to a cipherGroup. cipherGroup and ciphers are mutually exclusive, only use one.

Properties (* = required):

| name | type(s) | default | allowed values | description |
|---|---|---|---|---|
| bigip | string | | "f5bigip" formatted string | Pathname of existing BIG-IP cipher group |
| use | string | | | AS3 pointer to cipher group declaration |

TLS_Client.crlFile (object)

Specifies the name of a file containing a list of revoked client certificates. Reference to an SSL CRL file.

Properties (* = required):

| name | type(s) | default | allowed values | description |
|---|---|---|---|---|
| bigip | string | | "f5bigip" formatted string | Pathname of existing BIG-IP SSL CRL file |