Forum Discussion
Greetings,

(1) A bit of both really. There are a number of options that must match on all of the profiles. So this seems the easiest way to ensure your profiles don't deviate. From the article:
For security purposes, F5 recommends that you configure the following settings with the same values for all of the SSL/TLS SNI profiles associated with the same virtual server:
Ciphers
Client Authentication
Client Certificate
Frequency
Certificate Chain Traversal Depth
Advertised Certificate Authorities
Certificate Revocation List (CRL)
(2) Should be fallback. We'll update this.
(3) Some newer SSL algorithms require a different key type. So the BIG-IP may support the cipher in the SSL stack, but must also have the appropriate key type for that algorithm. A bit more detail:
K15062: Associating multiple SSL certificate/key pair types with an SSL profile https://support.f5.com/csp/article/K15062
(4) I haven't used the feature and there seems no help available so far. If something comes up, I'll update the post.
Thanks, Kevin
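A practical way to check the consistency Kevin's list asks for is to diff the relevant attributes across the client-ssl profiles attached to a virtual server. The script below is an added example written for this thread, not F5 code or part of K15062; the input is a constructed snippet in the shape of `tmsh list ltm profile client-ssl` output, and the mapping from the GUI labels in the list to tmsh attribute names (`ciphers`, `peer-cert-mode`, `authenticate`, `authenticate-depth`, `client-cert-ca`, `crl-file`) is my assumption and should be verified against your own BIG-IP version. It also reports which profiles have `sni-default true`, so you can confirm exactly one fallback profile exists.

```python
import re

# GUI label from the K-article -> tmsh attribute name (assumed mapping, verify on your BIG-IP)
MUST_MATCH = {
    "Ciphers": "ciphers",
    "Client Certificate": "peer-cert-mode",
    "Frequency": "authenticate",
    "Certificate Chain Traversal Depth": "authenticate-depth",
    "Advertised Certificate Authorities": "client-cert-ca",
    "Certificate Revocation List (CRL)": "crl-file",
}

# Constructed sample in the shape of `tmsh list ltm profile client-ssl` output.
# sni_api deliberately deviates in three of the must-match settings.
SAMPLE_CONFIG = """\
ltm profile client-ssl sni_fallback {
    cert default.crt
    key default.key
    ciphers DEFAULT
    defaults-from clientssl
    peer-cert-mode ignore
    authenticate once
    authenticate-depth 9
    client-cert-ca none
    crl-file none
    sni-default true
    sni-require false
}
ltm profile client-ssl sni_www {
    cert www.crt
    key www.key
    ciphers DEFAULT
    defaults-from clientssl
    peer-cert-mode ignore
    authenticate once
    authenticate-depth 9
    client-cert-ca none
    crl-file none
    server-name www.example.com
    sni-default false
    sni-require true
}
ltm profile client-ssl sni_api {
    cert api.crt
    key api.key
    ciphers ECDHE:!SSLv3
    defaults-from clientssl
    peer-cert-mode require
    authenticate once
    authenticate-depth 9
    client-cert-ca api-clients.crt
    crl-file none
    server-name api.example.com
    sni-default false
    sni-require true
}
"""

# One profile block: header line, indented attribute lines, closing brace in column 0
PROFILE_RE = re.compile(r"ltm profile client-ssl (\S+) \{\n(.*?)\n\}", re.S)


def parse_profiles(text):
    """Return {profile_name: {attribute: value}} from tmsh-style list output."""
    profiles = {}
    for name, body in PROFILE_RE.findall(text):
        attrs = {}
        for line in body.splitlines():
            line = line.strip()
            if not line:
                continue
            key, _, value = line.partition(" ")
            attrs[key] = value.strip()
        profiles[name] = attrs
    return profiles


def find_mismatches(profiles):
    """Return {gui_label: {profile: value}} for every must-match setting whose
    value is not identical across all profiles (missing attribute -> '<unset>')."""
    mismatches = {}
    for gui_label, attr in MUST_MATCH.items():
        values = {name: attrs.get(attr, "<unset>") for name, attrs in profiles.items()}
        if len(set(values.values())) > 1:
            mismatches[gui_label] = values
    return mismatches


def fallback_profiles(profiles):
    """Names of profiles flagged as the SNI fallback (sni-default true); expect exactly one."""
    return sorted(name for name, attrs in profiles.items() if attrs.get("sni-default") == "true")


if __name__ == "__main__":
    profiles = parse_profiles(SAMPLE_CONFIG)
    for label, values in find_mismatches(profiles).items():
        print(f"MISMATCH {label}: {values}")
    fallbacks = fallback_profiles(profiles)
    print(f"fallback profile(s): {fallbacks}" + ("" if len(fallbacks) == 1 else "  <-- expected exactly one"))
```

On a real system, replace `SAMPLE_CONFIG` with the saved output of `tmsh list ltm profile client-ssl` for the profiles on one virtual server; any setting the script reports as mismatched is one where the weakest profile, not the strictest, determines what a client selecting that server name gets.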
Hi Kevin, thanks for taking the time to answer.
A bit of both really.
In the interest of clarity, can you please state whether the following statement is TRUE: "To enable the SNI feature, both the 'fallback (default) client SSL profile' and the 'client SSL profiles' MUST have the same parent SSL profile (aka. 'base client SSL profile')"?
Also, it's not quite clear what activates the SNI feature on a VS. Is it that all (except, optionally, one) of the Client SSL profiles have the sni-require attribute set to true?
/Alex