Forum Discussion
Greetings, (1) A bit of both really. There are a number of options that must match on all of the profiles. So this seems the easiest way to ensure your profiles don't deviate. From the article:
For security purposes, F5 recommends that you configure the following settings with the same values for all of the SSL/TLS SNI profiles associated with the same virtual server:
- Ciphers
- Client Authentication
- Client Certificate
- Frequency
- Certificate Chain Traversal Depth
- Advertised Certificate Authorities
- Certificate Revocation List (CRL)
(2) Should be fallback. We'll update this.
(3) Some newer SSL algorithms require a different key type. So the BIG-IP may support the cipher in the SSL stack, but must also have the appropriate key type for that algorithm. A bit more detail:
K15062: Associating multiple SSL certificate/key pair types with an SSL profile https://support.f5.com/csp/article/K15062
(4) I haven't used the feature and there seems no help available so far. If something comes up, I'll update the post.
Thanks, Kevin
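As an added illustration of point (1), not code from the thread or from F5: the script below models client SSL profiles that inherit from a base (parent) profile the way the quoted article recommends, resolves each profile's effective settings, and reports any of the listed settings that differ between the SNI profiles attached to one virtual server. Profile names, field names and values are constructed for the example; they are not BIG-IP configuration syntax.

```python
# Added example (not from the thread or from F5): resolve the effective settings of
# client SSL profiles through parent inheritance and check that the settings the
# article says should be identical across SNI profiles on one virtual server match.
# Profile names, field names and values are constructed for illustration.

# The settings the quoted article lists as needing the same value on every
# SSL/TLS SNI profile associated with the same virtual server.
MUST_MATCH = (
    "ciphers",
    "client_auth",
    "client_cert",
    "frequency",
    "chain_traversal_depth",
    "advertised_cas",
    "crl",
)

# Constructed sample: a base profile and two SNI profiles that use it as parent.
# "site2" overrides client_auth, which is exactly the kind of drift to catch.
PROFILES = {
    "sni-base": {
        "parent": None,
        "settings": {
            "ciphers": "DEFAULT",
            "client_auth": "ignore",
            "client_cert": "",
            "frequency": "once",
            "chain_traversal_depth": 9,
            "advertised_cas": [],
            "crl": "",
        },
    },
    "mysite1profile": {
        "parent": "sni-base",
        "settings": {"server_name": "my.site1.com"},
    },
    "mysite2profile": {
        "parent": "sni-base",
        "settings": {"server_name": "my.site2.com", "client_auth": "require"},
    },
}


def effective_settings(name, profiles):
    """Walk the parent chain and merge settings; a child overrides its parent."""
    chain, seen, cur = [], set(), name
    while cur is not None:
        if cur in seen:
            raise ValueError(f"parent loop at profile {cur!r}")
        seen.add(cur)
        prof = profiles[cur]
        chain.append(prof)
        cur = prof.get("parent")
    merged = {}
    for prof in reversed(chain):  # root parent first, so the child's values win
        merged.update(prof.get("settings", {}))
    return merged


def find_deviations(vs_profiles, profiles):
    """Return {setting: {profile: value}} for every MUST_MATCH setting whose
    effective value differs between the given profiles on one virtual server."""
    resolved = {n: effective_settings(n, profiles) for n in vs_profiles}
    deviations = {}
    for key in MUST_MATCH:
        values = {n: s.get(key) for n, s in resolved.items()}
        # repr() makes list-valued settings (advertised CAs) comparable as well
        if len({repr(v) for v in values.values()}) > 1:
            deviations[key] = values
    return deviations


if __name__ == "__main__":
    for setting, values in find_deviations(
        ["mysite1profile", "mysite2profile"], PROFILES
    ).items():
        print(f"{setting} differs across SNI profiles: {values}")
```

Because the check runs on effective (inherited) values, a setting left at its parent default in one profile and overridden in another still shows up as a deviation, which is what makes the base-profile pattern worth pairing with a check like this.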
Hi, I'm not seeing the MUST language regarding the profile:
F5 recommends that you configure a base SSL/TLS SNI profile and use this base profile as the parent profile for the SSL/TLS SNI profiles associated to the same virtual server.
The only must should be having a default profile selected.
What activates the feature is having a "server name" configured. This would be steps 3 and 4 in K13452:
- The TLS SNI virtual server observes that the server name my.site1.com is indicated in the received ClientHello packet.
- The TLS SNI virtual server checks its list of assigned SSL profiles and selects the SSL profile mysite1profile that has the server name my.site1.com configured.
Thanks, Kevin
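To show what those two steps from K13452 amount to on the wire, here is an added example (my own code, not F5's implementation and not from the article): it builds a minimal constructed ClientHello record, pulls the host name out of the server_name extension, matches it against the server name configured on each profile, and falls back to the default profile when there is no SNI or no match. The profile list and the builder are constructed for the example.

```python
# Added example (not F5 code): parse the SNI extension from a TLS ClientHello and
# pick the SSL profile whose configured server name matches, else the default.
# The ClientHello builder and the profile list are constructed sample input.
import struct


def build_client_hello(server_name=None):
    """Constructed sample: a minimal TLS ClientHello record, optionally carrying
    an SNI extension with one host_name entry."""
    exts = b""
    if server_name is not None:
        entry = b"\x00" + struct.pack("!H", len(server_name)) + server_name  # host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list             # type 0 = SNI
        exts = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + bytes(32)        # client_version, random (all zero here)
            + b"\x00"                      # session_id length 0
            + b"\x00\x02\xc0\x2f"          # one cipher suite
            + b"\x01\x00"                  # one compression method (null)
            + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the lower-cased host_name from the SNI extension, or None when the
    record is not a ClientHello, is truncated, or carries no SNI (step 3)."""
    if len(record) < 5 or record[0] != 0x16:          # not a handshake record
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:                  # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35:
        return None
    pos = 34                                          # skip version + random
    pos += 1 + body[pos]                              # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                              # compression_methods
    if pos + 2 > len(body):
        return None                                   # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype != 0x0000 or len(data) < 5:
            continue
        list_end = min(2 + struct.unpack("!H", data[:2])[0], len(data))
        p = 2
        while p + 3 <= list_end:
            ntype, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
            p += 3
            name = data[p:p + nlen]
            p += nlen
            if ntype == 0 and len(name) == nlen:      # name_type 0 = host_name
                try:
                    return name.decode("ascii").lower()
                except UnicodeDecodeError:
                    return None
    return None


# Constructed sample list of SSL profiles assigned to one virtual server.
PROFILES = [
    {"name": "clientssl-default", "default": True},
    {"name": "mysite1profile", "server_name": "my.site1.com"},
    {"name": "mysite2profile", "server_name": "my.site2.com"},
]


def select_profile(record, profiles):
    """Step 4: the profile whose server name matches the SNI host, otherwise the
    default (fallback) profile, which must exist."""
    host = extract_sni(record)
    if host is not None:
        for prof in profiles:
            if prof.get("server_name", "").lower() == host:
                return prof["name"]
    for prof in profiles:
        if prof.get("default"):
            return prof["name"]
    raise LookupError("no default SSL profile configured on this virtual server")


if __name__ == "__main__":
    for sni in (b"my.site1.com", b"unknown.example", None):
        print(sni, "->", select_profile(build_client_hello(sni), PROFILES))
```

The fallback branch is the reason a default profile is the one hard requirement: a client that sends no SNI at all (older clients, or a raw IP-address connection) still has to be handed some certificate, and that comes from the default profile rather than from any of the server-name-specific ones.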