Forum Discussion

epaalx's avatar
epaalx
Icon for Cirrus rankCirrus
Feb 15, 2017

Clarification of K13452 - SNI (v12)

"K13452: Configuring a virtual server to serve multiple HTTPS sites using the TLS Server Name Indication feature" creates a "base client SSL profile".   Question 1: is a requirement that "fallback...
application delivery
LTM
Kevin_K_51432's avatar
Kevin_K_51432
Historic F5 Account
Feb 15, 2017

Greetings, (1) A bit of both really. There are a number of options that must match on all of the profiles. So this seems the easiest way to ensure your profiles don't deviate. From the article:

For security purposes, F5 recommends that you configure the following settings with the same values for all of the SSL/TLS SNI profiles associated with the same virtual server:

Ciphers
Client Authentication
Client Certificate
Frequency
Certificate Chain Traversal Depth
Advertised Certificate Authorities
Certificate Revocation List (CRL)

(2) Should be fallback. We'll update this.

(3) Some newer SSL algorithms require a different key type. So the BIG-IP may support the cipher in the SSL stack, but must also have the appropriate key type for that algorithm. A bit more detail:

K15062: Associating multiple SSL certificate/key pair types with an SSL profile https://support.f5.com/csp/article/K15062

(4) I haven't used the feature and there seems no help available so far. If something comes up, I'll update the post.

Thanks, Kevin

  • epaalx's avatar
    epaalx
    Icon for Cirrus rankCirrus
    Feb 15, 2017

    Hi Kevin, thanks for taking time to answer..

    A bit of both really.

    in the interest of clarity - can you please state if the following statement TRUE: "To enable SNI feature, both, the 'fallback (default) client SSL profile' and 'client SSL profiles' MUST have same parent SSL profile (aka. 'base client SSL profile') " ?

    Also, it's not quite clear what activates the SNI feature on a VS - is that all (except, optionally, one) of the Client SSL profiles have 

    sni-require
    attribute set to 
    true
    ?

    /Alex

  • Kevin_K_51432's avatar
    Kevin_K_51432
    Historic F5 Account
    Feb 15, 2017

    Hi, I'm not seeing the MUST language regarding the profile:

     

    F5 recommends that you configure a base SSL/TLS SNI profile and use this base profile as the parent profile for the SSL/TLS SNI profiles associated to the same virtual server.

     

    The only must should be having a default profile selected.

     

    What activates the feature is having a "server name" configured. This would be steps 3 and 4 in K13452:

     

    1. The TLS SNI virtual server observes that the server name my.site1.com is indicated in the received ClientHello packet.

       

    2. The TLS SNI virtual server checks its list of assigned SSL profiles and selects the SSL profile mysite1profile that has the server name my.site1.com configured.

       

    Thanks, Kevin

     

  • epaalx's avatar
    epaalx
    Icon for Cirrus rankCirrus
    Feb 16, 2017

    Hi Kevin,

    What activates the feature is having a "server name" configured.

    (As per text "Beginning in BIG-IP 11.6.0, if you leave the Server Name field blank, the BIG-IP system reads the Subject Alternative Name (SAN) from the certificate" means that there's no requirement to define 

    server-name
    attribute in the Client SSL profile.)

    Did you mean "having TLS SNI extension received in the ClientHello"?

    This would be steps 3 and 4 in K13452:

    So, "SNI feature" is actually always active but associated processing commences only at reception of TLS SNI extension?

  • Kevin_K_51432's avatar
    Kevin_K_51432
    Historic F5 Account
    Feb 16, 2017

    Greetings, (1) Yes, with the TLS SNI extension present in the clientHello.

     

    (2) I'm really not 100% on this. My guess is the code would activate SNI when detecting a server name value in the profile.

     

    Sorry I don't have more info than that.

     

    Kevin