TLS_Client (object)
TLS client parameters (connections leaving ADC, i.e. the server-side TLS profile BIG-IP uses towards pool members)
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
alertTimeout | string, integer | "indefinite" | "indefinite", "immediate", integer (seconds) | How long, in seconds, the system tries to close an SSL connection cleanly before resetting it. |
allowExpiredCRL | boolean | false | true, false | Allow the CRL to be used for revocation checking even after it has expired. |
authenticationDepth | integer | 9 | 0 (unlimited), 1 - 15 | Maximum depth to traverse when verifying the client certificate chain; 0 means unlimited. |
authenticationFrequency | string | "one-time" | "one-time", "every-time" | How often client certificate authentication is performed. |
c3dCertificateAuthority | string | | | Pointer to a Certificate class object that supplies the Certificate Authority used for C3D. |
c3dCertificateExtensions | array | ["basic-constraints"] | | Custom extension OIDs from the client certificate to copy into the certificates generated by SSL C3D. |
c3dCertificateLifespan | integer | 24 | 0 - 8760 | Lifespan, in hours, of certificates generated by SSL client certificate constrained delegation. |
c3dEnabled | boolean | false | true, false | Enables or disables SSL client certificate constrained delegation (C3D), so that users are not asked for credentials twice during certain authentication flows. |
cacheTimeout | integer | 3600 | 0 - 86400 | SSL session cache timeout in seconds. |
cipherGroup | object | | | Pointer to a cipher group (see TLS_Client.cipherGroup below). cipherGroup and ciphers are mutually exclusive; use only one. |
ciphers | string | | | Cipher suite selection string. ciphers and cipherGroup are mutually exclusive; use only one. |
class* | string | "TLS_Client" | "TLS_Client" | |
clientCertificate | string | | | BIG-IP AS3 pointer to the Certificate declaration presented to the server as the client certificate (optional). |
crlFile | object | | | Reference to an SSL CRL file listing revoked certificates (see TLS_Client.crlFile below). |
dataZeroRoundTripTime | boolean | false | true, false | Whether to send TLS 1.3 0-RTT early data when available. Early data is not protected against replay. |
dtls1_2Enabled | boolean | true | true, false | Allow the DTLS 1.2 protocol. |
dtlsEnabled | boolean | true | true, false | Allow the DTLS protocol. |
forwardProxyBypassEnabled | boolean | false | true, false | Enables or disables (default) SSL forward proxy bypass. |
forwardProxyEnabled | boolean | false | true, false | Enables or disables (default) SSL forward proxy. |
handshakeTimeout | integer | 10 | | Handshake timeout in seconds. |
ignoreExpired | boolean | false | true, false | If false (default), drop connections whose server certificate has expired. |
ignoreUntrusted | boolean | false | true, false | If false (default), drop connections whose server certificate is untrusted. |
insertEmptyFragmentsEnabled | boolean | false | true, false | Enables the empty-fragment countermeasure against the SSL 3.0/TLS 1.0 CBC cipher vulnerability. Some broken SSL implementations cannot handle the inserted fragments. |
label | string | | "^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$" | Optional friendly name for this object. Allows 0-64 characters, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML. |
ldapStartTLS | string | | "none", "allow", "require" | Creates a client LDAP profile with the specified STARTTLS activation mode. |
proxySslEnabled | boolean | false | true, false | When enabled, application traffic inside the SSL tunnel can be modified while the server still performs its own authorization, authentication, and auditing. Requires a corresponding TLS_Server with this enabled to perform transparent SSL decryption. |
proxySslPassthroughEnabled | boolean | false | true, false | When enabled, Proxy SSL passes traffic through when the cipher suite negotiated between client and server is not supported. Requires a corresponding TLS_Server with this enabled to perform transparent SSL decryption. |
remark | string | | "^[^\x00-\x1f\x22\x5c\x7f]*$" | Arbitrary (brief) text pertaining to this object. Allows 0-64 characters, excluding only control characters, double quote, and backslash. This is permissive enough that you should consider XSS when rendering it. |
renegotiatePeriod | string, integer | "indefinite" | "indefinite", integer (seconds) | Number of seconds after the initial connection after which the system renegotiates the SSL session. "indefinite" (default) means sessions are never renegotiated on a timer. |
renegotiateSize | string, integer | "indefinite" | "indefinite", integer (megabytes) | Amount of application data, in megabytes, transmitted over the secure channel after which the system renegotiates the SSL session. "indefinite" (default) disables size-based renegotiation. |
renegotiationEnabled | boolean | true | true, false | Controls, per connection, how the system responds to mid-stream SSL renegotiation requests. |
requireSNI | boolean | false | true, false | When the client sends no SNI or an unknown SNI and requireSNI is false (default), the system uses the primary certificate; otherwise the system rejects the client. |
retainCertificateEnabled | boolean | true | true, false | When enabled, the server certificate is retained in the SSL session. |
secureRenegotiation | string | "require-strict" | "request", "require", "require-strict" | Secure renegotiation mode. With "require", any connection to an unpatched server is aborted; for TLS_Client, "require" and "require-strict" behave the same. With "request", connections to unpatched servers are permitted; this is not recommended because it is subject to active man-in-the-middle attacks. |
sendSNI | string | "none" | "hostname" formatted string | FQDN to send in the SNI extension (optional). |
serverName | string | "none" | "hostname" formatted string | FQDN that the server certificate must match (optional). |
sessionTickets | boolean | false | true, false | If false (default), do not use RFC 5077 session tickets. |
singleUseDhEnabled | boolean | false | true, false | Generates a new key for each handshake when temporary/ephemeral DH parameters are used. This is required to prevent small-subgroup attacks when the DH parameters were not generated from strong primes (for example, when using DSA parameters). If strong primes were used, a fresh DH key per handshake is not strictly necessary, but F5 Networks recommends it; enable this option whenever temporary or ephemeral DH parameters are used. |
sniDefault | boolean | false | true, false | When true, this profile is the default SSL profile for connections that specify no server name or an unknown one. When two or more TLS_Server certificates exist and none has sniDefault set, the first certificate is treated as the default; set sniDefault = true on one of them to choose it explicitly. |
ssl3Enabled | boolean | true | true, false | Allow the SSL 3.0 protocol (deprecated by RFC 7568). |
sslEnabled | boolean | true | true, false | Allow the SSL protocol. |
sslSignHash | string | "any" | "any", "sha1", "sha256", "sha384" | Hash algorithm used to sign and verify the SSL ServerKeyExchange and CertificateVerify messages for this profile. |
tls1_0Enabled | boolean | true | true, false | Allow the TLS 1.0 protocol (deprecated by RFC 8996). |
tls1_1Enabled | boolean | true | true, false | Allow the TLS 1.1 protocol (deprecated by RFC 8996). |
tls1_2Enabled | boolean | true | true, false | Allow the TLS 1.2 protocol. |
tls1_3Enabled | boolean | false | true, false | Allow the TLS 1.3 protocol. Only supported on TMOS 14.0 and later. |
trustCA | string | "generic" | "generic" or BIG-IP AS3 pointer to a CA_Bundle declaration | CAs trusted when validating the server certificate. |
uncleanShutdownEnabled | boolean | true | true, false | When enabled, the profile performs unclean shutdowns of all SSL connections: the underlying TCP connections are closed without exchanging the SSL close_notify alerts. |
validateCertificate | boolean | false | true, false | If false (default), accept any certificate from the server; if true, validate the server certificate against the trusted CA bundle given by trustCA. |
TLS_Client.cipherGroup (object)
Pointer to a cipher group. cipherGroup and ciphers are mutually exclusive; use only one.
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
bigip | string | | "f5bigip" formatted string | Pathname of an existing BIG-IP cipher group. |
use | string | | AS3 pointer | AS3 pointer to a cipher group declaration. |
TLS_Client.crlFile (object)
Reference to an SSL CRL file listing revoked certificates.
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
bigip | string | | "f5bigip" formatted string | Pathname of an existing BIG-IP SSL CRL file. |
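The table above is easy to misread in one important way: several of the defaults (validateCertificate false, ssl3Enabled/tls1_0Enabled/tls1_1Enabled true) are weak when a TLS_Client object is left at its defaults. The following linter is an added example, not code from the AS3 project or this reference page. It walks an ADC declaration, applies the schema constraints from the table (integer ranges, the ciphers/cipherGroup exclusivity) and flags the weak settings, including defaults that are weak when unset. The declaration at the bottom is constructed for the example; its tenant, application and object names are hypothetical, and the CA_Bundle body is a placeholder rather than real PEM.

```python
"""Lint the TLS_Client objects in a BIG-IP AS3 declaration.

Added example (not part of AS3): applies the TLS_Client table's constraints
and flags settings, including unset weak defaults, that leave the
ADC-to-server connection weaker than it needs to be.
"""
from typing import Dict, Iterator, List, Tuple

# Integer ranges taken from the schema table.
INT_RANGES = {
    "authenticationDepth": (1, 15),
    "c3dCertificateLifespan": (0, 8760),
    "cacheTimeout": (0, 86400),
}
# Each of these defaults to true in the schema, so an absent key means "enabled".
LEGACY_PROTOCOL_FLAGS = ("ssl3Enabled", "tls1_0Enabled", "tls1_1Enabled")


def walk_tls_clients(decl: dict) -> Iterator[Tuple[str, dict]]:
    """Yield (path, object) for every TLS_Client in an ADC declaration.

    AS3 nests Tenant -> Application -> named objects, each carrying a 'class'.
    """
    for tenant_name, tenant in decl.items():
        if not isinstance(tenant, dict) or tenant.get("class") != "Tenant":
            continue
        for app_name, app in tenant.items():
            if not isinstance(app, dict) or app.get("class") != "Application":
                continue
            for obj_name, obj in app.items():
                if isinstance(obj, dict) and obj.get("class") == "TLS_Client":
                    yield f"/{tenant_name}/{app_name}/{obj_name}", obj


def lint_tls_client(obj: dict) -> List[str]:
    """Return human-readable findings for one TLS_Client object."""
    findings: List[str] = []

    # Schema constraints from the table.
    if "ciphers" in obj and "cipherGroup" in obj:
        findings.append("ciphers and cipherGroup are mutually exclusive; set only one")
    for prop, (lo, hi) in INT_RANGES.items():
        if prop in obj and not (isinstance(obj[prop], int) and lo <= obj[prop] <= hi):
            findings.append(f"{prop}={obj[prop]!r} is outside the allowed range {lo}-{hi}")

    # Server certificate validation is off by default, so absence is a finding.
    if not obj.get("validateCertificate", False):
        findings.append("validateCertificate is false (default): any server certificate is accepted")
    else:
        if obj.get("ignoreUntrusted", False):
            findings.append("ignoreUntrusted=true: untrusted server certificates are accepted")
        if obj.get("ignoreExpired", False):
            findings.append("ignoreExpired=true: expired server certificates are accepted")
        if "serverName" not in obj:
            findings.append("serverName not set: certificate is not matched against an expected FQDN")

    # Protocol versions: every legacy flag defaults to true.
    for flag in LEGACY_PROTOCOL_FLAGS:
        if obj.get(flag, True):
            findings.append(f"{flag} is true (default): legacy protocol version still negotiable")

    # Renegotiation mode and TLS 1.3 early data.
    if obj.get("secureRenegotiation", "require-strict") == "request":
        findings.append("secureRenegotiation=request: unpatched servers allowed, exposed to active MITM")
    if obj.get("dataZeroRoundTripTime", False):
        findings.append("dataZeroRoundTripTime=true: TLS 1.3 early data is not replay protected")
    return findings


def lint_declaration(decl: dict) -> Dict[str, List[str]]:
    """Map each TLS_Client path to its findings (an empty list means clean)."""
    return {path: lint_tls_client(obj) for path, obj in walk_tls_clients(decl)}


# Constructed sample: one TLS_Client left mostly at defaults, one hardened.
SAMPLE_DECLARATION = {
    "class": "ADC",
    "schemaVersion": "3.0.0",
    "id": "tls-client-lint-example",
    "Sample_Tenant": {                      # hypothetical tenant name
        "class": "Tenant",
        "Sample_App": {                     # hypothetical application name
            "class": "Application",
            "template": "generic",
            "weakServerSsl": {
                "class": "TLS_Client",
                "ciphers": "DEFAULT",
                "cipherGroup": {"bigip": "/Common/f5-default"},
                "authenticationDepth": 20,
            },
            "hardenedServerSsl": {
                "class": "TLS_Client",
                "validateCertificate": True,
                "trustCA": "backendCA",
                "serverName": "api.backend.example",
                "sendSNI": "api.backend.example",
                "ssl3Enabled": False,
                "tls1_0Enabled": False,
                "tls1_1Enabled": False,
                "tls1_2Enabled": True,
                "tls1_3Enabled": True,
                "secureRenegotiation": "require-strict",
                "cipherGroup": {"bigip": "/Common/f5-secure"},
            },
            # Placeholder body, not valid PEM; only the pointer target matters here.
            "backendCA": {"class": "CA_Bundle", "bundle": "<PEM bundle placeholder>"},
        },
    },
}

if __name__ == "__main__":
    for path, findings in lint_declaration(SAMPLE_DECLARATION).items():
        print(path, "clean" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run against the sample, the hardened object produces no findings and the one left at defaults produces six, three of them for protocol versions that were never mentioned in the object at all. That is the point of checking defaults rather than only what is written: a TLS_Client that says nothing about protocols or validation accepts any certificate over SSL 3.0.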