Forum Discussion
Greetings, (1) A bit of both really. There are a number of options that must match on all of the profiles. So this seems the easiest way to ensure your profiles don't deviate. From the article:
For security purposes, F5 recommends that you configure the following settings with the same values for all of the SSL/TLS SNI profiles associated with the same virtual server:
Ciphers
Client Authentication
Client Certificate
Frequency
Certificate Chain Traversal Depth
Advertised Certificate Authorities
Certificate Revocation List (CRL)
(2) Should be fallback. We'll update this.
(3) Some newer SSL algorithms require a different key type. So the BIG-IP may support the cipher in the SSL stack, but must also have the appropriate key type for that algorithm. A bit more detail:
K15062: Associating multiple SSL certificate/key pair types with an SSL profile https://support.f5.com/csp/article/K15062
(4) I haven't used the feature and there seems no help available so far. If something comes up, I'll update the post.
Thanks, Kevin
- epaalx, Feb 15, 2017, Cirrus
Hi Kevin, thanks for taking time to answer.
A bit of both really.
in the interest of clarity - can you please state if the following statement TRUE: "To enable SNI feature, both, the 'fallback (default) client SSL profile' and 'client SSL profiles' MUST have same parent SSL profile (aka. 'base client SSL profile') " ?
Also, it's not quite clear what activates the SNI feature on a VS - is it that all (except, optionally, one) of the Client SSL profiles have the sni-require attribute set to true?
/Alex
- Kevin_K_51432, Feb 15, 2017, Historic F5 Account
Hi, I'm not seeing the MUST language regarding the profile:
F5 recommends that you configure a base SSL/TLS SNI profile and use this base profile as the parent profile for the SSL/TLS SNI profiles associated to the same virtual server.
The only must should be having a default profile selected.
What activates the feature is having a "server name" configured. This would be steps 3 and 4 in K13452:
- The TLS SNI virtual server observes that the server name my.site1.com is indicated in the received ClientHello packet.
- The TLS SNI virtual server checks its list of assigned SSL profiles and selects the SSL profile mysite1profile that has the server name my.site1.com configured.
Thanks, Kevin
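The selection logic Kevin describes in steps 3 and 4 (read the server name the client indicated in the ClientHello, pick the profile that has that name configured, otherwise use the default profile), as an added Python example that is not part of this thread or any F5 code. The ClientHello bytes are hand-built, the profile list (apart from mysite1profile / my.site1.com from K13452) is constructed, and case-insensitive name matching is an assumption.

```python
import struct

# Hand-built ClientHello (constructed for this example, not a BIG-IP capture); pass None for no SNI.
def build_client_hello(server_name=None):
    base = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"  # version, random, sid, suites, compression
    if server_name:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host               # name_type 0 = host_name
        ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry     # ext type 0 = server_name
        base += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(base).to_bytes(3, "big") + base                       # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs                 # TLS handshake record

def extract_sni(record):
    """Return the host_name from the ClientHello's server_name extension, or None if absent."""
    try:
        if record[:1] != b"\x16" or record[5:6] != b"\x01":
            return None                                   # not a TLS handshake record / ClientHello
        hs = record[5:]
        p = 4 + 2 + 32                                    # handshake header, version, random
        p += 1 + hs[p]                                    # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]      # cipher_suites
        p += 1 + hs[p]                                    # compression_methods
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0] # extensions block (struct.error if absent)
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            if etype == 0 and elen >= 5:                  # list_len(2) name_type(1) name_len(2) name
                name_len = struct.unpack("!H", hs[p + 7:p + 9])[0]
                return hs[p + 9:p + 9 + name_len].decode("ascii").lower()  # assumption: hostnames case-insensitive
            p += 4 + elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                       # truncated or malformed hello

# Constructed profile list modelled on K13452's example; server_names may come from the
# Server Name field or, per the 11.6.0 note, from the certificate's SAN entries.
PROFILES = [
    {"name": "mysite1profile", "server_names": {"my.site1.com"}, "default": False},
    {"name": "mysite2profile", "server_names": {"my.site2.com", "www.site2.com"}, "default": False},
    {"name": "fallback_profile", "server_names": set(), "default": True},
]

def select_profile(record, profiles=PROFILES):
    """Steps 3 and 4 of K13452: match the indicated server name, else use the default profile."""
    sni = extract_sni(record)
    for prof in profiles:
        if sni and sni in prof["server_names"]:
            return prof["name"]
    return next(p["name"] for p in profiles if p["default"])  # fallback (default) profile
```

A hello with no SNI extension, or with a name no profile claims, lands on the default profile, which is why that profile must always be present on the virtual server.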
- epaalx, Feb 16, 2017, Cirrus
Hi Kevin,
What activates the feature is having a "server name" configured.
(As per the text "Beginning in BIG-IP 11.6.0, if you leave the Server Name field blank, the BIG-IP system reads the Subject Alternative Name (SAN) from the certificate", there's no requirement to define the server-name attribute in the Client SSL profile.)
Did you mean "having TLS SNI extension received in the ClientHello"?
This would be steps 3 and 4 in K13452:
So, "SNI feature" is actually always active but associated processing commences only at reception of TLS SNI extension?
- Kevin_K_51432, Feb 16, 2017, Historic F5 Account
Greetings, (1) Yes, with the TLS SNI extension present in the clientHello.
(2) I'm really not 100% on this. My guess is the code would activate SNI when detecting a server name value in the profile.
Sorry I don't have more info than that.
Kevin