TLS_Server (object)
TLS server parameters (connections arriving to ADC)
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
alertTimeout | | “indefinite” | “indefinite”, “immediate”, integer | Specifies the duration of time, in seconds, for the system to try to close an SSL connection before resetting the connection. The default is “indefinite”. You can also specify “immediate” or an integer. |
allowDynamicRecordSizing | boolean | false | true, false | Enables or disables dynamic application record sizing. |
allowExpiredCRL | boolean | false | true, false | Specifies whether the CRL can be used even if it has expired. |
authenticationDepth | integer | 9 | 1 - 15 | Sets the server certificate chain maximum traversal depth. This must be 0 (infinite) or between 1 and 15 inclusive. The default value is 9. |
authenticationFrequency | string | “one-time” | “one-time”, “every-time” | Server certificate authentication frequency. |
authenticationInviteCA | | | | BIG-IP AS3 pointer to declaration of CA Bundle used to invite client certificates. |
authenticationMode | string | “ignore” | “ignore”, “request”, “require” | Client certificate authentication mode. |
authenticationTrustCA | | | | BIG-IP AS3 pointer to declaration of CA Bundle used to validate client certificates. |
c3dEnabled | boolean | false | true, false | Enables or disables SSL Client Certificate Constrained Delegation (C3D). The default is false. |
c3dOCSP | object | | | Specifies the SSL Client Certificate Constrained Delegation (C3D) OCSP object that the BIG-IP SSL should use to connect to the OCSP responder and check the client certificate status. Reference to an OCSP Cert Validator. |
c3dOCSPUnknownStatusAction | string | “drop” | “drop”, “ignore” | Specifies the BIG-IP action when the OCSP returns unknown status. The default is drop. |
cacheCertificateEnabled | boolean | false | true, false | Enables or disables (default) caching certificates by IP address and port number. |
cacheTimeout | integer | 3600 | 0 - 86400 | Sets the cache timeout (in seconds). |
certificateExtensions | array | | | Specifies the extensions of the web server certificates to be included in the generated certificates using SSL Forward Proxy. |
certificates* | array | | | Primary and (optional) additional certificates (order is significant; element 0 is the primary certificate). |
cipherGroup | object | | | Pointer to a cipherGroup. cipherGroup and ciphers are mutually exclusive; use only one. |
ciphers | string | | | Ciphersuite selection string. ciphers and cipherGroup are mutually exclusive; use only one. |
class* | string | | “TLS_Server” | |
crlFile | object | | | Specifies the name of a file containing a list of revoked client certificates. Reference to an SSL CRL file. |
dataZeroRoundTripTime | string | “disabled” | “disabled”, “enabled-with-anti-replay”, “enabled-no-anti-replay” | Specifies whether TLSv1.3 should accept 0-RTT with early data, with or without anti-replay. To protect against packet replay, F5 recommends that you enable anti-replay. The default value is disabled, which means TLSv1.3 will discard any early data. |
dtls1_2Enabled | boolean | true | true, false | Allows the DTLS 1.2 protocol. |
dtlsEnabled | boolean | true | true, false | Allows the DTLS protocol. |
forwardProxyBypassAllowlist | object | | | Specifies the data group name of the hostname allowlist used when both the forwardProxyEnabled and forwardProxyBypassEnabled features are set to true. Reference to a Data Group. |
forwardProxyBypassEnabled | boolean | false | true, false | Enables or disables (default) SSL forward proxy bypass. |
forwardProxyEnabled | boolean | false | true, false | Enables or disables (default) SSL forward proxy. |
handshakeTimeout | | 10 | | Specifies the handshake timeout in seconds. |
insertEmptyFragmentsEnabled | boolean | false | true, false | Enables a countermeasure against an SSL 3.0/TLS 1.0 protocol vulnerability affecting CBC ciphers. These ciphers cannot be handled by certain broken SSL implementations. |
label | string | | “^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$” | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML. |
ldapStartTLS | string | | “none”, “allow”, “require” | Creates a client LDAP profile with the specified STARTTLS activation mode. |
namingScheme | string | “numbered” | “numbered”, “certificate” | Scheme to use when naming generated tmsh configuration. |
nonSslConnectionsEnabled | boolean | false | true, false | Specifies whether non-SSL connections are allowed. |
notifyCertStatusToVirtualServer | boolean | false | true, false | Specifies whether to report certificate status to the virtual server. |
proxySslEnabled | boolean | false | true, false | When enabled, further modification of application traffic within an SSL tunnel is allowed while still allowing the server to perform the necessary authorization, authentication, and auditing steps. Requires a corresponding TLS_Client with this enabled to perform transparent SSL decryption. |
proxySslPassthroughEnabled | boolean | false | true, false | When enabled, allows Proxy SSL to pass through the traffic when the ciphersuite negotiated between the client and server is not supported. Requires a corresponding TLS_Client with this enabled to perform transparent SSL decryption. |
remark | string | | “^[^\x00-\x1f\x22\x5c\x7f]*$” | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks. |
renegotiateMaxRecordDelay | | “indefinite” | | Specifies the maximum number of SSL records that the traffic management system can receive before it renegotiates an SSL session. After the system receives this number of SSL records, it closes the connection. This setting applies to client profiles only. |
renegotiatePeriod | | “indefinite” | | Specifies the number of seconds required to renegotiate an SSL session. |
renegotiateSize | | “indefinite” | | Specifies the size of the application data, in megabytes, that is transmitted over the secure channel. If the size of the data is higher than this value, the traffic management system must renegotiate the SSL session. |
renegotiationEnabled | boolean | true | true, false | Controls on a per-connection basis how the system responds to mid-stream SSL reconnection requests. |
requireSNI | boolean | false | true, false | When a client sends no SNI or an unknown SNI and Require SNI is false (default), the system uses the primary certificate; otherwise the system rejects the client. |
retainCertificateEnabled | boolean | true | true, false | When enabled, the server certificate is retained in the SSL session. |
secureRenegotiation | string | “require” | “request”, “require”, “require-strict” | Specifies the secure renegotiation mode. When set to require, any client attempting to renegotiate that does not support secure renegotiation will have its connection aborted. When set to require-strict, any client attempting to connect that does not support secure renegotiation will have its initial handshake denied. When set to request, unpatched clients will be permitted to renegotiate. Setting to request is not recommended, as it is subject to active man-in-the-middle attacks. |
singleUseDhEnabled | boolean | false | true, false | Creates a new key when using temporary/ephemeral DH parameters. This option must be used to prevent small subgroup attacks when the DH parameters were not generated using strong primes (for example, when using DSA parameters). If strong primes were used, it is not strictly necessary to generate a new DH key during each handshake, but F5 Networks recommends it. Enable the Single DH Use option whenever temporary or ephemeral DH parameters are used. |
smtpsStartTLS | string | | “none”, “allow”, “require” | Creates an SMTPS profile with the specified STARTTLS activation mode. Because the HTTP profile is not compatible with SMTPS, use this with Service_TCP instead of Service_HTTPS. Also incompatible with ldapStartTLS; use only one of the two. |
ssl3Enabled | boolean | true | true, false | Allow the SSL v3 protocol. |
sslEnabled | boolean | true | true, false | Allow the SSL protocol. |
sslSignHash | string | “any” | “any”, “sha1”, “sha256”, “sha384” | Specifies the SSL sign hash algorithm used to sign and verify SSL Server Key Exchange and Certificate Verify messages for the specified SSL profiles. |
staplerOCSPEnabled | boolean | false | true, false | Specifies whether to enable OCSP stapling. |
tls1_0Enabled | boolean | true | true, false | Allow the TLS 1.0 protocol. |
tls1_1Enabled | boolean | true | true, false | Allow the TLS 1.1 protocol. |
tls1_2Enabled | boolean | true | true, false | Allow the TLS 1.2 protocol. |
tls1_3Enabled | boolean | false | true, false | Allow the TLS 1.3 protocol. Note: tls1_3Enabled is only supported in tmos version 14.0+. |
uncleanShutdownEnabled | boolean | true | true, false | When enabled, the profile performs unclean shutdowns of all SSL connections, which means the underlying TCP connections are closed without exchanging the required SSL shutdown alerts. |
TLS_Server.c3dOCSP (object)
Specifies the SSL Client Certificate Constrained Delegation (C3D) OCSP object that the BIG-IP SSL should use to connect to the OCSP responder and check the client certificate status. Reference to an OCSP Cert Validator.
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
bigip | string | | “f5bigip” formatted string | Pathname of existing BIG-IP OCSP Cert Validator |
use | string | | | BIG-IP AS3 pointer to OCSP Cert Validator declaration |
TLS_Server.cipherGroup (object)
Pointer to a cipherGroup. cipherGroup and ciphers are mutually exclusive; use only one.
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
bigip | string | | “f5bigip” formatted string | Pathname of existing BIG-IP cipher group |
use | string | | | AS3 pointer to cipher group declaration |
TLS_Server.crlFile (object)
Specifies the name of a file containing a list of revoked client certificates. Reference to an SSL CRL file.
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
bigip | string | | “f5bigip” formatted string | Pathname of existing BIG-IP SSL CRL file |
TLS_Server.forwardProxyBypassAllowlist (object)
Specifies the data group name of the hostname allowlist used when both the forwardProxyEnabled and forwardProxyBypassEnabled features are set to true. Reference to a Data Group.
Properties (* = required):
name | type(s) | default | allowed values | description |
---|---|---|---|---|
bigip | string | | “f5bigip” formatted string | Pathname of existing BIG-IP Data Group |
use | string | | | AS3 pointer to Data Group declaration |
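As an added example (not F5's or the AS3 project's code), the following Python lints a TLS_Server object against the rules the tables above state: the required class and certificates, the mutually exclusive ciphers/cipherGroup and ldapStartTLS/smtpsStartTLS pairs, the authenticationDepth range, the bigip/use shape of the c3dOCSP, cipherGroup, crlFile and forwardProxyBypassAllowlist sub-objects, and the settings whose table defaults leave SSLv3, TLS 1.0 and TLS 1.1 enabled or that the table itself flags as weak (secureRenegotiation "request", 0-RTT without anti-replay, singleUseDhEnabled off). The sample declarations, the object name webcert and the path /Common/example-cipher-group are constructed placeholders; treating an “f5bigip” formatted string as an absolute BIG-IP pathname is an assumption.

```python
# Added example, not F5's code: lint an AS3 TLS_Server object against the
# constraints and defaults in the property tables above. Sample declarations
# are constructed; "webcert" and "/Common/example-cipher-group" are placeholders.

# Defaults as listed in the table. An absent key takes its default, so a
# declaration that never mentions ssl3Enabled still permits SSLv3.
PAGE_DEFAULTS = {
    "ssl3Enabled": True,
    "tls1_0Enabled": True,
    "tls1_1Enabled": True,
    "tls1_2Enabled": True,
    "tls1_3Enabled": False,
    "secureRenegotiation": "require",
    "dataZeroRoundTripTime": "disabled",
    "singleUseDhEnabled": False,
    "authenticationDepth": 9,
    "sslSignHash": "any",
}

# Pairs the table says must not be used together.
MUTUALLY_EXCLUSIVE = [("ciphers", "cipherGroup"), ("ldapStartTLS", "smtpsStartTLS")]

# Sub-objects that reference another object, and the reference keys each of
# their tables lists (crlFile lists only "bigip").
REFERENCE_KEYS = {
    "c3dOCSP": {"bigip", "use"},
    "cipherGroup": {"bigip", "use"},
    "crlFile": {"bigip"},
    "forwardProxyBypassAllowlist": {"bigip", "use"},
}

LEGACY_PROTOCOLS = ("ssl3Enabled", "tls1_0Enabled", "tls1_1Enabled")


def effective(tls, key):
    """Value in effect: the declared value, or the table default if absent."""
    return tls.get(key, PAGE_DEFAULTS.get(key))


def lint_tls_server(tls):
    """Return (errors, warnings). Errors are violations of the table's rules;
    warnings are settings the table flags as weak or legacy protocol versions."""
    errors, warnings = [], []

    if tls.get("class") != "TLS_Server":
        errors.append('class must be "TLS_Server"')
    certs = tls.get("certificates")
    if not isinstance(certs, list) or not certs:
        errors.append("certificates is required and must be a non-empty array (element 0 is primary)")

    for a, b in MUTUALLY_EXCLUSIVE:
        if a in tls and b in tls:
            errors.append(f"{a} and {b} are mutually exclusive; use only one")

    depth = effective(tls, "authenticationDepth")
    if not (depth == 0 or 1 <= depth <= 15):
        errors.append(f"authenticationDepth {depth!r} must be 0 (infinite) or between 1 and 15")

    for prop, allowed in REFERENCE_KEYS.items():
        ref = tls.get(prop)
        if ref is None:
            continue
        present = set(ref) & {"bigip", "use"}
        if len(present) != 1 or not present <= allowed:
            errors.append(f"{prop} must carry exactly one of {sorted(allowed)}")
        # Assumption: an "f5bigip" formatted string is an absolute BIG-IP pathname.
        if "bigip" in ref and not str(ref["bigip"]).startswith("/"):
            errors.append(f"{prop}.bigip should be a BIG-IP pathname such as /Common/<name>")

    for proto in LEGACY_PROTOCOLS:
        if effective(tls, proto):
            source = "explicitly" if proto in tls else "by default"
            warnings.append(f"{proto} is true {source}; legacy protocol version enabled")
    if effective(tls, "secureRenegotiation") == "request":
        warnings.append("secureRenegotiation=request lets unpatched clients renegotiate (table: subject to active MITM)")
    if effective(tls, "dataZeroRoundTripTime") == "enabled-no-anti-replay":
        warnings.append("dataZeroRoundTripTime accepts 0-RTT without anti-replay (table: F5 recommends anti-replay)")
    if not effective(tls, "singleUseDhEnabled"):
        warnings.append("singleUseDhEnabled is false (table: F5 recommends enabling it whenever ephemeral DH is used)")
    if effective(tls, "sslSignHash") == "sha1":
        warnings.append("sslSignHash=sha1 pins a deprecated signature hash")
    return errors, warnings


# Constructed samples. MINIMAL relies entirely on the table's defaults.
MINIMAL = {"class": "TLS_Server", "certificates": [{"certificate": "webcert"}]}

HARDENED = {
    "class": "TLS_Server", "certificates": [{"certificate": "webcert"}],
    "ssl3Enabled": False, "tls1_0Enabled": False, "tls1_1Enabled": False,
    "tls1_2Enabled": True, "tls1_3Enabled": True,
    "cipherGroup": {"bigip": "/Common/example-cipher-group"},
    "secureRenegotiation": "require-strict", "singleUseDhEnabled": True,
}

BROKEN = {
    "class": "TLS_Server", "certificates": [{"certificate": "webcert"}],
    "ciphers": "DEFAULT", "cipherGroup": {"bigip": "/Common/example-cipher-group"},
    "authenticationDepth": 20,
    "crlFile": {"use": "myCrl"},  # crlFile's table lists only "bigip"
}

if __name__ == "__main__":
    for name, decl in (("MINIMAL", MINIMAL), ("HARDENED", HARDENED), ("BROKEN", BROKEN)):
        errors, warnings = lint_tls_server(decl)
        print(name, "errors:", errors, "warnings:", warnings)
```

The MINIMAL declaration passes schema checks yet reports SSLv3, TLS 1.0 and TLS 1.1 as enabled, because the linter evaluates the table defaults rather than only the keys the author wrote; that is the point of checking a declaration instead of reading it.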