Forum Discussion

epaalx
Feb 15, 2017

Clarification of K13452 - SNI (v12)

"K13452: Configuring a virtual server to serve multiple HTTPS sites using the TLS Server Name Indication feature" creates a "base client SSL profile".

Question 1: is it a requirement that the "fallback (default) client SSL profile" and the "client SSL profiles" share the same parent profile (i.e. the "base client SSL profile"), or is it for convenience (since "F5 recommends that you configure the following settings with the same values for all of the SSL/TLS SNI profiles associated with the same virtual server")?

Question 2: in section "Configuring the virtual server for TLS SNI", it's stated: "Select the backup client SSL profile ...". Is it meant to state "Select the fallback client SSL profile ..."?

Unrelated question 3: in what use-cases would Client SSL's "cert-key-chain" contain more than one set (of cert/chain/key/passphrase/ocsp-stapling-params)?

Unrelated question 4: Client SSL has a read-only attribute, "inherit-certkeychain" - what is its purpose? Is it for iRules; otherwise, won't looking at "defaults-from" and "cert-key-chain" give the same information?

Thanks in advance.

6 Replies

  • Kevin_K_51432 (Historic F5 Account)

    Greetings, (1) A bit of both really. There are a number of options that must match on all of the profiles. So this seems the easiest way to ensure your profiles don't deviate. From the article:

    For security purposes, F5 recommends that you configure the following settings with the same values for all of the SSL/TLS SNI profiles associated with the same virtual server:
    
    Ciphers
    Client Authentication
    Client Certificate
    Frequency
    Certificate Chain Traversal Depth
    Advertised Certificate Authorities
    Certificate Revocation List (CRL)
    

    (2) Should be fallback. We'll update this.

    (3) Some newer SSL algorithms require a different key type. So the BIG-IP may support the cipher in the SSL stack, but must also have the appropriate key type for that algorithm. A bit more detail:

    K15062: Associating multiple SSL certificate/key pair types with an SSL profile https://support.f5.com/csp/article/K15062

    (4) I haven't used the feature and there seems no help available so far. If something comes up, I'll update the post.

    Thanks, Kevin

    • epaalx

      Hi Kevin, thanks for taking the time to answer.

      A bit of both really.

      In the interest of clarity, can you please state whether the following statement is TRUE: "To enable the SNI feature, both the 'fallback (default) client SSL profile' and the 'client SSL profiles' MUST have the same parent SSL profile (aka. 'base client SSL profile')"?

      Also, it's not quite clear what activates the SNI feature on a VS - is it that all (except, optionally, one) of the Client SSL profiles have the sni-require attribute set to true?

      /Alex

    • Kevin_K_51432 (Historic F5 Account)

      Hi, I'm not seeing the MUST language regarding the profile:

      F5 recommends that you configure a base SSL/TLS SNI profile and use this base profile as the parent profile for the SSL/TLS SNI profiles associated to the same virtual server.

      The only must should be having a default profile selected.

      What activates the feature is having a "server name" configured. This would be steps 3 and 4 in K13452:

      1. The TLS SNI virtual server observes that the server name my.site1.com is indicated in the received ClientHello packet.

      2. The TLS SNI virtual server checks its list of assigned SSL profiles and selects the SSL profile mysite1profile that has the server name my.site1.com configured.

      Thanks, Kevin

    • epaalx

      Hi Kevin,

      What activates the feature is having a "server name" configured.

      (As per the text "Beginning in BIG-IP 11.6.0, if you leave the Server Name field blank, the BIG-IP system reads the Subject Alternative Name (SAN) from the certificate", this means there's no requirement to define the server-name attribute in the Client SSL profile.)

      Did you mean "having TLS SNI extension received in the ClientHello"?

      This would be steps 3 and 4 in K13452:

      So, "SNI feature" is actually always active but associated processing commences only at reception of TLS SNI extension?