TLS_Server (object)

TLS server parameters (connections arriving at the ADC from clients; the client-side SSL profile)

Properties (* = required):

name type(s) default allowed values description
alertTimeout string, integer “indefinite” “indefinite”, “immediate”, integer Specifies the duration of time, in seconds, for the system to try to close an SSL connection before resetting the connection. The default is “indefinite”. You can also specify “immediate”, or an integer number of seconds.
allowDynamicRecordSizing boolean false true, false Enables or disables dynamic application record sizing.
allowExpiredCRL boolean false true, false Specifies if the CRL can be used even if it has expired
authenticationFrequency string “one-time” “one-time”, “every-time” Client certificate authentication frequency
authenticationInviteCA string     BIG-IP AS3 pointer to declaration of the CA Bundle whose CA names are advertised to clients in the CertificateRequest, i.e. the CAs from which client certificates are invited
authenticationMode string “ignore” “ignore”, “request”, “require” Client certificate authentication mode
authenticationTrustCA string     BIG-IP AS3 pointer to declaration of the CA Bundle used to validate client certificates. Set this whenever authenticationMode is “request” or “require”; without a trust bundle a presented client certificate cannot be validated
c3dEnabled boolean false true, false Enables or disables SSL Client Certificate Constrained Delegation (C3D). The default is false
c3dOCSP object     Specifies the SSL Client Certificate Constrained Delegation (C3D) OCSP object that the BIG-IP SSL should use to connect to the OCSP responder and check the client certificate status. Reference to an OCSP Cert Validator.
c3dOCSPUnknownStatusAction string “drop” “drop”, “ignore” Specifies the BIG-IP action when the OCSP returns unknown status. The default is drop
cacheCertificateEnabled boolean false true, false Enables or disables (default) caching certificates by IP address and port number
cacheTimeout integer 3600 0 - 86400 Sets the cache timeout (in seconds)
certificateExtensions array     Specifies the extensions of the web server certificates to be included in the generated certificates using SSL Forward Proxy.
certificates* array     Primary and (optional) additional certificates (order is significant, element 0 is primary cert)
cipherGroup object     Pointer to a cipherGroup. cipherGroup and ciphers are mutually exclusive, only use one.
ciphers string     Ciphersuite selection string. ciphers and cipherGroup are mutually exclusive, only use one.
class* string   “TLS_Server”  
crlFile object     Specifies the name of a file containing a list of revoked client certificates. Reference to an SSL CRL file (see also allowExpiredCRL).
dataZeroRoundTripTime string “disabled” “disabled”, “enabled-with-anti-replay”, “enabled-no-anti-replay” Specifies if TLSv1.3 should accept 0-RTT with early data, with or without anti-replay. To protect against packet replay, F5 recommends that you enable anti-replay. The default value is disabled, which means TLSv1.3 will discard any early data.
dtls1_2Enabled boolean true true, false Allows the DTLS 1.2 protocol.
dtlsEnabled boolean true true, false Allows the DTLS protocol.
forwardProxyBypassAllowlist object     Specifies the data group holding the hostname allowlist used when both forwardProxyEnabled and forwardProxyBypassEnabled are true. Reference to a Data Group.
forwardProxyBypassEnabled boolean false true, false Enables or disables (default) SSL forward proxy bypass
forwardProxyEnabled boolean false true, false Enables or disables (default) SSL forward proxy
handshakeTimeout   10   Specifies the handshake timeout in seconds.
insertEmptyFragmentsEnabled boolean false true, false Enables or disables (default) the empty-fragment countermeasure against the SSL 3.0/TLS 1.0 protocol vulnerability affecting CBC ciphers. The inserted empty records cannot be handled by certain broken SSL implementations, which is why it is off by default.
label string   “^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$” Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML
ldapStartTLS string   “none”, “allow”, “require” Creates a client LDAP profile with the specified activation mode STARTTLS.
namingScheme string “numbered” “numbered”, “certificate” Scheme to use when naming generated tmsh configuration
nonSslConnectionsEnabled boolean false true, false Specifies if non-SSL connections are allowed.
proxySslEnabled boolean false true, false When enabled, further modification of application traffic within an SSL tunnel is allowed while still allowing the server to perform necessary authorization, authentication, and auditing steps. Requires a corresponding TLS_Client with this enabled to perform transparent SSL decryption.
proxySslPassthroughEnabled boolean false true, false When enabled, it allows Proxy SSL to passthrough the traffic when ciphersuite negotiated between the client and server is not supported. Requires a corresponding TLS_Client with this enabled to perform transparent SSL decryption.
remark string   “^[^\x00-\x1f\x22\x5c\x7f]*$” Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks
renegotiateMaxRecordDelay   “indefinite”   Specifies the maximum number of SSL records that the traffic management system can receive before it renegotiates an SSL session. After the system receives this number of SSL records, it closes the connection. This setting applies to client SSL profiles only (which is what a TLS_Server creates).
renegotiatePeriod   “indefinite”   Specifies the number of seconds required to renegotiate an SSL session.
renegotiateSize   “indefinite”   Specifies the size of the application data, in megabytes, that is transmitted over the secure channel. If the size of the data is higher than this value, the traffic management system must renegotiate the SSL session.
renegotiationEnabled boolean true true, false Controls on a per-connection basis how the system responds to mid-stream SSL renegotiation requests from the client. Set to false to refuse client-initiated renegotiation entirely.
requireSNI boolean false true, false When a client sends no SNI, or an SNI that matches no certificate, and requireSNI is false (default), the system uses the primary certificate; when requireSNI is true, the system rejects such clients
retainCertificateEnabled boolean true true, false When enabled, server certificate is retained in SSL session.
secureRenegotiation string “require” “request”, “require”, “require-strict” Specifies the secure renegotiation mode. When set to require, any client attempting to renegotiate that does not support secure renegotiation will have its connection aborted. When set to require-strict, any client attempting to connect that does not support secure renegotiation will have its initial handshake denied. When set to request, unpatched clients will be permitted to renegotiate. Setting to request is not recommended as it is subject to active man-in-the-middle attacks.
singleUseDhEnabled boolean false true, false Creates a new key for each handshake when using temporary/ephemeral DH parameters. This option must be used to prevent small-subgroup attacks when the DH parameters were not generated using strong primes (for example, when using DSA parameters). If strong primes were used, it is not strictly necessary to generate a new DH key during each handshake, but F5 Networks recommends it. Enable the Single DH Use option whenever temporary or ephemeral DH parameters are used.
smtpsStartTLS string   “none”, “allow”, “require” Creates an SMTPS profile with the specified STARTTLS activation mode. Because an HTTP profile is not compatible with SMTPS, use this with Service_TCP instead of Service_HTTPS. Also incompatible with ldapStartTLS; use only one of the two.
ssl3Enabled boolean true true, false Allow SSL v3 protocol. Note: the default leaves SSL 3.0 enabled; it is deprecated (RFC 7568) and should be set to false explicitly.
sslEnabled boolean true true, false Allow SSL protocol
sslSignHash string “any” “any”, “sha1”, “sha256”, “sha384” Specifies SSL sign hash algorithm which is used to sign and verify SSL Server Key Exchange and Certificate Verify messages for the specified SSL profiles.
staplerOCSPEnabled boolean false true, false Specifies whether to enable OCSP stapling
tls1_0Enabled boolean true true, false Allow TLS 1.0 Protocol. Note: the default leaves TLS 1.0 enabled; it is deprecated (RFC 8996) and should be set to false explicitly.
tls1_1Enabled boolean true true, false Allow TLS 1.1 Protocol. Note: the default leaves TLS 1.1 enabled; it is deprecated (RFC 8996) and should be set to false explicitly.
tls1_2Enabled boolean true true, false Allow TLS 1.2 Protocol.
tls1_3Enabled boolean false true, false Allow TLS 1.3 Protocol. Note: tls1_3Enabled is only supported in tmos version 14.0+.
uncleanShutdownEnabled boolean true true, false When enabled, the profile performs unclean shutdowns of all SSL connections, which means the underlying TCP connections are closed without exchanging the required SSL shutdown alerts.

TLS_Server.c3dOCSP (object)

Specifies the SSL Client Certificate Constrained Delegation (C3D) OCSP object that the BIG-IP SSL should use to connect to the OCSP responder and check the client certificate status. Reference to an OCSP Cert Validator; set exactly one of bigip or use.

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP OCSP Cert Validator
use string     BIG-IP AS3 pointer to OCSP Cert Validator declaration

TLS_Server.cipherGroup (object)

Pointer to a cipherGroup. cipherGroup and ciphers are mutually exclusive, only use one.

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP cipher group
use string     AS3 pointer to cipher group declaration

TLS_Server.crlFile (object)

Specifies the name of a file containing a list of revoked client certificates. Reference to an SSL CRL file that already exists on the BIG-IP (only bigip is accepted here).

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP SSL CRL file

TLS_Server.forwardProxyBypassAllowlist (object)

Specifies the data group holding the hostname allowlist used when both forwardProxyEnabled and forwardProxyBypassEnabled are true. Reference to a Data Group; set exactly one of bigip or use.

Properties (* = required):

name type(s) default allowed values description
bigip string   “f5bigip” formatted string Pathname of existing BIG-IP Data Group
use string     AS3 pointer to Data Group declaration
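The following is an added example, not F5 code and not part of the AS3 documentation. It covers both the TLS_Server property table above and the bigip/use pointer sub-objects (c3dOCSP, cipherGroup, crlFile, forwardProxyBypassAllowlist): a small lint that fills in the defaults the table lists, so that a declaration which simply omits ssl3Enabled, tls1_0Enabled and tls1_1Enabled is judged by what the ADC will actually apply, and that checks the pointer objects have exactly one of bigip or use. It also shows a weak TLS_Server beside a hardened one and wraps it in a minimal declaration. The object names (webtls, webcert, clientCA, web_pool), the addresses, the cipher string, the "/Partition/name" shape assumed for an "f5bigip" pathname, and the Service_HTTPS/Pool/Certificate/CA_Bundle shapes in the wrapper are assumptions, not taken from this page.

```python
"""Lint a BIG-IP AS3 TLS_Server object against the property table on this page.
Added example, not F5 code or AS3 documentation. Omitted properties get the
defaults the table lists (ssl3Enabled/tls1_0Enabled/tls1_1Enabled true,
tls1_3Enabled false), so a declaration is judged by what the ADC will apply.
Names (webtls, webcert, clientCA, web_pool), addresses and the cipher string
are hypothetical."""
import re

# Defaults copied from the TLS_Server table (only those the lint needs).
DEFAULTS = {
    "ssl3Enabled": True, "tls1_0Enabled": True, "tls1_1Enabled": True,
    "tls1_2Enabled": True, "tls1_3Enabled": False,
    "secureRenegotiation": "require", "dataZeroRoundTripTime": "disabled",
    "authenticationMode": "ignore", "requireSNI": False,
}
# Pointer sub-objects, and whether the page lists a "use" pointer for them.
POINTERS = {"cipherGroup": True, "c3dOCSP": True,
            "forwardProxyBypassAllowlist": True, "crlFile": False}
BIGIP_PATH = re.compile(r"^/[^/\s]+/\S+$")   # assumed "f5bigip" shape: /Partition/name

def _check_pointer(name, obj, allow_use):
    allowed = {"bigip", "use"} if allow_use else {"bigip"}
    if not isinstance(obj, dict) or len(obj) != 1 or set(obj) - allowed:
        return f"{name}: set exactly one of {sorted(allowed)}"
    if "bigip" in obj and not BIGIP_PATH.match(obj["bigip"]):
        return f"{name}.bigip: expected a /Partition/name pathname"
    return None

def lint_tls_server(tls):
    """Return review findings for one TLS_Server object (empty list = clean)."""
    cfg = {**DEFAULTS, **tls}           # what the ADC will apply, defaults included
    out = []
    for prop in ("ssl3Enabled", "tls1_0Enabled", "tls1_1Enabled"):
        if cfg[prop]:
            out.append(f"{prop} is true (the default); set it to false")
    if not (cfg["tls1_2Enabled"] or cfg["tls1_3Enabled"]):
        out.append("no modern protocol: enable tls1_2Enabled or tls1_3Enabled")
    if cfg["secureRenegotiation"] == "request":
        out.append("secureRenegotiation 'request' lets unpatched clients renegotiate")
    if cfg["dataZeroRoundTripTime"] == "enabled-no-anti-replay":
        out.append("dataZeroRoundTripTime accepts replayable 0-RTT early data")
    if cfg["authenticationMode"] != "ignore" and "authenticationTrustCA" not in cfg:
        out.append("authenticationMode set but no authenticationTrustCA to validate against")
    if "ciphers" in cfg and "cipherGroup" in cfg:
        out.append("ciphers and cipherGroup are mutually exclusive")
    if "ldapStartTLS" in cfg and "smtpsStartTLS" in cfg:
        out.append("ldapStartTLS and smtpsStartTLS are mutually exclusive")
    for name, allow_use in POINTERS.items():
        msg = name in cfg and _check_pointer(name, cfg[name], allow_use)
        if msg:
            out.append(msg)
    return out

# Constructed TLS_Server objects, not taken from a real deployment.
WEAK_TLS_SERVER = {                       # leans on defaults; the weak parts are implicit
    "class": "TLS_Server",
    "certificates": [{"certificate": "webcert"}],
    "authenticationMode": "require",      # mTLS demanded, but no trust anchor given
    "cipherGroup": {"bigip": "f5-default"},   # missing the /Partition/ prefix
}
HARDENED_TLS_SERVER = {
    "class": "TLS_Server",
    "certificates": [{"certificate": "webcert"}],
    "ssl3Enabled": False, "tls1_0Enabled": False, "tls1_1Enabled": False,
    "tls1_2Enabled": True, "tls1_3Enabled": True,   # tls1_3Enabled needs TMOS 14.0+
    # hypothetical cipher string: ECDHE + AEAD only; never set cipherGroup as well
    "ciphers": "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
               "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256",
    "secureRenegotiation": "require-strict",
    "renegotiationEnabled": False,        # no client-initiated renegotiation at all
    "dataZeroRoundTripTime": "disabled",
    "requireSNI": True,
    "authenticationMode": "require",
    "authenticationTrustCA": "clientCA",
    "authenticationInviteCA": "clientCA",
    "crlFile": {"bigip": "/Common/client-revoked.crl"},   # crlFile takes bigip only
}

def declaration(tls_server):
    """Minimal AS3 declaration around a TLS_Server. The Service_HTTPS/serverTLS,
    Pool, Certificate and CA_Bundle shapes are assumed; PEM bodies are elided."""
    return {"class": "ADC", "schemaVersion": "3.0.0", "Tenant1": {
        "class": "Tenant", "App": {
            "class": "Application", "template": "https",
            "serviceMain": {"class": "Service_HTTPS", "virtualAddresses": ["10.0.1.10"],
                            "pool": "web_pool", "serverTLS": "webtls"},
            "web_pool": {"class": "Pool", "members": [
                {"servicePort": 8080, "serverAddresses": ["10.0.2.10"]}]},
            "webtls": tls_server,
            "webcert": {"class": "Certificate", "certificate": "...PEM...",
                        "privateKey": "...PEM..."},
            "clientCA": {"class": "CA_Bundle", "bundle": "...PEM..."}}}}

if __name__ == "__main__":
    for label, tls in (("weak", WEAK_TLS_SERVER), ("hardened", HARDENED_TLS_SERVER)):
        print(label, lint_tls_server(tls) or "clean")
```

Run as a script, the weak object produces five findings (the three legacy protocols left at their true defaults, a required client certificate with nothing to validate it against, and a cipherGroup path without its partition), while the hardened one is clean. The merge with DEFAULTS is the point of the exercise: a reviewer reading only the JSON that was submitted would not see SSL 3.0 or TLS 1.0 anywhere, yet the ADC enables them.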