Forum Discussion
Clarification of K13452 - SNI (v12)
"K13452: Configuring a virtual server to serve multiple HTTPS sites using the TLS Server Name Indication feature" creates a "base client SSL profile".
Question 1: is it a requirement that the "fallback (default) client SSL profile" and the "client SSL profiles" share the same parent profile (i.e. the "base client SSL profile"), or is it just for convenience (since "F5 recommends that you configure the following settings with the same values for all of the SSL/TLS SNI profiles associated with the same virtual server")?
Question 2: in the section "Configuring the virtual server for TLS SNI", it's stated: "Select the backup client SSL profile ...". Is it meant to state "Select the fallback client SSL profile ..."?
Unrelated question 3: in what use-cases would Client SSL's "cert-key-chain" contain more than one set (of cert/chain/key/passphrase/ocsp-stapling-params)?
Unrelated question 4: Client SSL has a read-only attribute, "inherit-certkeychain" - what is it's purpose? Is it for iRules; otherwise, won't looking at "defaults-from" and "cert-key-chain" give same information?
Thanks in advance.
6 Replies
- epaalx
"its" not "it's"
- Kevin_K_51432 (Historic F5 Account)
Greetings, (1) A bit of both really. There are a number of options that must match on all of the profiles. So this seems the easiest way to ensure your profiles don't deviate. From the article:
For security purposes, F5 recommends that you configure the following settings with the same values for all of the SSL/TLS SNI profiles associated with the same virtual server:
- Ciphers
- Client Authentication
- Client Certificate Frequency
- Certificate Chain Traversal Depth
- Advertised Certificate Authorities
- Certificate Revocation List (CRL)
(2) Should be fallback. We'll update this.
(3) Some newer SSL algorithms require a different key type. So the BIG-IP may support the cipher in the SSL stack, but must also have the appropriate key type for that algorithm. A bit more detail:
K15062: Associating multiple SSL certificate/key pair types with an SSL profile https://support.f5.com/csp/article/K15062
(4) I haven't used the feature and there seems no help available so far. If something comes up, I'll update the post.
Thanks, Kevin
- epaalx
Hi Kevin, thanks for taking the time to answer.
A bit of both really.
In the interest of clarity, can you please state whether the following statement is TRUE: "To enable the SNI feature, both the 'fallback (default) client SSL profile' and the 'client SSL profiles' MUST have the same parent SSL profile (aka the 'base client SSL profile')"?
Also, it's not quite clear what activates the SNI feature on a VS. Is it that all (except, optionally, one) of the Client SSL profiles have the sni-require attribute set to true?
Alex
- Kevin_K_51432 (Historic F5 Account)
Hi, I'm not seeing the MUST language regarding the profile:
F5 recommends that you configure a base SSL/TLS SNI profile and use this base profile as the parent profile for the SSL/TLS SNI profiles associated to the same virtual server.
The only must should be having a default profile selected.
What activates the feature is having a "server name" configured. This would be steps 3 and 4 in K13452:
- The TLS SNI virtual server observes that the server name my.site1.com is indicated in the received ClientHello packet.
- The TLS SNI virtual server checks its list of assigned SSL profiles and selects the SSL profile mysite1profile that has the server name my.site1.com configured.
Thanks, Kevin
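As an added example (not from the K13452 article, from F5, or from either poster), here is the selection logic that steps 3 and 4 above describe, and that Alex's follow-up asks about, modelled in Python: parse the SNI extension out of a TLS ClientHello, pick the profile whose server name matches, and fall back to the sni-default profile when the client sends no SNI at all (rejecting it instead if that fallback has sni-require set). The profile names, the per-profile name lists (standing in for an explicit server-name or the SAN names read from the certificate), and the treatment of a non-matching SNI as falling through to the default profile are assumptions of this model, not BIG-IP behaviour verified here; the ClientHello bytes are constructed inline for the example.

```python
import struct
from dataclasses import dataclass


# Hypothetical model of a BIG-IP client SSL profile (assumption: only the
# SNI-related attributes discussed in the thread are represented).
@dataclass(frozen=True)
class ClientSSLProfile:
    name: str
    server_names: tuple        # explicit server-name, or SAN names from the cert (assumed)
    sni_default: bool = False  # the fallback profile for the virtual server
    sni_require: bool = False  # reject clients that send no SNI


def build_client_hello(sni=None):
    """Construct a minimal TLS 1.2 ClientHello record (constructed test input)."""
    body = b"\x03\x03" + bytes(32)          # client_version, random
    body += b"\x00"                          # empty session id
    body += b"\x00\x02\x13\x01"              # one cipher suite
    body += b"\x01\x00"                      # null compression only
    exts = b""
    if sni is not None:
        host = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type host_name(0)
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # TLS handshake record


def extract_sni(record):
    """Return the SNI host_name (lower-cased), or None if the ClientHello carries none."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                                 # handshake header, version, random
    p += 1 + hs[p]                                 # session id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]   # cipher suites
    p += 1 + hs[p]                                 # compression methods
    if p >= len(hs):
        return None                                # old client, no extensions at all
    ext_len = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    end = p + ext_len
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        data = hs[p:p + elen]
        p += elen
        if etype != 0x0000:                        # not server_name
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        q, list_end = 2, 2 + list_len
        while q + 3 <= list_end:
            ntype = data[q]
            nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
            q += 3
            if ntype == 0:                         # host_name
                return data[q:q + nlen].decode("ascii").lower()
            q += nlen
    return None


def select_profile(profiles, record):
    """Pick the profile for a ClientHello; None means the handshake is rejected."""
    defaults = [p for p in profiles if p.sni_default]
    if len(defaults) != 1:
        raise ValueError("an SNI virtual server needs exactly one sni-default profile")
    fallback = defaults[0]
    sni = extract_sni(record)
    if sni is None:
        # No extension sent: the fallback handles it unless it requires SNI.
        return None if fallback.sni_require else fallback
    for prof in profiles:
        if sni in prof.server_names:
            return prof
    return fallback  # assumption: an unmatched SNI falls through to the default profile


if __name__ == "__main__":
    vs_profiles = [
        ClientSSLProfile("fallback_profile", (), sni_default=True),
        ClientSSLProfile("mysite1profile", ("my.site1.com",)),
    ]
    for hello in (build_client_hello("my.site1.com"), build_client_hello()):
        chosen = select_profile(vs_profiles, hello)
        print(extract_sni(hello), "->", chosen.name if chosen else "rejected")
```

The point of the model is the one Kevin makes: nothing "switches on" SNI on the virtual server; every ClientHello is inspected, and the only required configuration is exactly one sni-default profile to catch clients that send no extension.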
- epaalx
Hi Kevin,
What activates the feature is having a "server name" configured.
(As per the text "Beginning in BIG-IP 11.6.0, if you leave the Server Name field blank, the BIG-IP system reads the Subject Alternative Name (SAN) from the certificate", there's no requirement to define the server-name attribute in the Client SSL profile.) Did you mean "having the TLS SNI extension received in the ClientHello"?
This would be steps 3 and 4 in K13452:
So, "SNI feature" is actually always active but associated processing commences only at reception of TLS SNI extension?