SSL profile options

Question

Can you set the nonssl option for a client SSL profile in a rule?  I'd like to be able to give a few customers a rule to use on port 0 VIPs and not have to force them to enable this option on each client SSL profile if it's not already.&nbsp;
&nbsp;Also, what is SSL::mode used for?  I see it in the ASM_clientside rule:&nbsp;
&nbsp;if {([PROFILE::exists clientssl] == 1) &amp;&amp; ([SSL::mode] == 1)}&nbsp;
&nbsp;I've also seen a reference to:&nbsp;
&nbsp;PROFILE::clientssl mode&nbsp;
&nbsp;And:&nbsp;
&nbsp;PROFILE::serverssl mode&nbsp;
&nbsp;I checked the wiki but didn't find any info on these commands. &nbsp;
&nbsp;Can someone provide more detail on these options?  What does SSL::mode indicate?  What other attributes are there for PROFILE::clientssl|serverssl?  Can the commands be used to set the values or only retrieve them?&nbsp;
&nbsp;Thanks,
&nbsp;Aaron

hooleylist · Answer

So it looks like the nonssl option on the client SSL profile is the same as using SSL::disable in a rule.  You have to be able to determine when to disable SSL though.  &nbsp;
&nbsp;Can anyone shed light on the other questions?&nbsp;
&nbsp;Thanks,
&nbsp;Aaron&nbsp;&nbsp;&nbsp;

tom_kivlin_9335 · Answer

Aaron,&nbsp;
&nbsp;Did you get an answer for this? I am trying to figure out PROFILE::serverssl myself and am wondering if I can get certain traffic to use a serverssl profile, with everything else not using it.&nbsp;
&nbsp;Cheers,
&nbsp;Tom.

hooleylist · Answer

Hi Tom,
You can configure a server SSL profile on the VIP and then use SSL::disable in an iRule to selectively disable the server side encryption.  Here's an example:
when HTTP_REQUEST {
    Check if request matches the criteria to disable server-side SSL
   if { [HTTP::uri] starts_with "/clear"}{
       disable SSL on the serverside context
      SSL::disable serverside
       select the http pool
      pool http_pool
   } else {
       default is to use server-side SSL and the https pool
      pool https_pool
   }
}
Aaron

tom_kivlin_9335 · Answer

Aaron,
Thanks for that, it's given me a different angle to look at. I need to find something to only use the server-side SSL on POST requests. My thoughts would be:when HTTP_REQUEST {
SSL::disable serverside
if {[HTTP::method] equals POST} {
SSL::enable serverside
                pool https_pool
}
}
Does that make sense?

hooleylist · Answer

That would work as far as the SSL goes, assuming you have the http_pool as the default pool on the virtual server.  Here's another option that works based on the idea that you have SSL enabled on the serverside by default with the server SSL profile on the virtual server:
when HTTP_REQUEST {
   if {not ([HTTP::method] equals "POST")} {
      SSL::disable serverside
      pool http_pool
   }
    default action is to use server SSL and the default https_pool on the vip
}
Aaron

Forum Discussion

SSL profile options

8 Replies

Recent Discussions

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

F5 loadbalancer not working

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

Related Content

Enforce RFC Compliance option in http profile

Modify SSL profiles via REST API

Client SSL Profile

Client vs Server SSL profile

LTM Policy Options Clarification