Forum Discussion
Greetings, (1) A bit of both really. There are a number of options that must match on all of the profiles. So this seems the easiest way to ensure your profiles don't deviate. From the article:
For security purposes, F5 recommends that you configure the following settings with the same values for all of the SSL/TLS SNI profiles associated with the same virtual server:
Ciphers
Client Authentication
Client Certificate
Frequency
Certificate Chain Traversal Depth
Advertised Certificate Authorities
Certificate Revocation List (CRL)
(2) Should be fallback. We'll update this.
(3) Some newer SSL algorithms require a different key type. So the BIG-IP may support the cipher in the SSL stack, but must also have the appropriate key type for that algorithm. A bit more detail:
K15062: Associating multiple SSL certificate/key pair types with an SSL profile https://support.f5.com/csp/article/K15062
(4) I haven't used the feature and there seems no help available so far. If something comes up, I'll update the post.
Thanks, Kevin
Hi Kevin,
What activates the feature is having a "server name" configured.
(As per the text "Beginning in BIG-IP 11.6.0, if you leave the Server Name field blank, the BIG-IP system reads the Subject Alternative Name (SAN) from the certificate", there's no requirement to define the server-name attribute in the Client SSL profile.)
Did you mean "having TLS SNI extension received in the ClientHello"?
This would be steps 3 and 4 in K13452:
So, "SNI feature" is actually always active but associated processing commences only at reception of TLS SNI extension?
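To make the two points in this thread concrete (processing keys off the SNI extension in the ClientHello, and the settings that must match across SNI profiles), here is an added example that is not from the thread or from F5: it parses a constructed ClientHello, selects a profile by the received host_name with fallback to the default, and reports which of the listed settings deviate. The profile names, settings and the "default" key are constructed assumptions, not BIG-IP object names.

```python
import struct

def build_client_hello(server_name=None):
    """Constructed minimal TLS 1.2 ClientHello; the SNI extension is present only when a name is given."""
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
    if server_name is not None:
        host = b"\x00" + struct.pack(">H", len(server_name)) + server_name.encode()
        sni = struct.pack(">H", len(host)) + host
        ext = b"\x00\x00" + struct.pack(">H", len(sni)) + sni   # extension type 0 = server_name
        body += struct.pack(">H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs

def extract_sni(record):
    """Return the host_name carried in the ClientHello SNI extension, or None if absent."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    hs = record[5:5 + struct.unpack(">H", record[3:5])[0]]
    p = 4 + 2 + 32                                  # msg header, version, random
    p += 1 + hs[p]                                  # session_id
    p += 2 + struct.unpack(">H", hs[p:p + 2])[0]    # cipher_suites
    p += 1 + hs[p]                                  # compression_methods
    if p >= len(hs):
        return None                                 # no extensions block at all
    ext_end = p + 2 + struct.unpack(">H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack(">HH", hs[p:p + 4])
        p += 4
        if etype == 0 and hs[p + 2] == 0:           # server_name, name_type host_name
            nlen = struct.unpack(">H", hs[p + 3:p + 5])[0]
            return hs[p + 5:p + 5 + nlen].decode("ascii")
        p += elen
    return None

# Constructed Client SSL profiles; "default" stands in for the fallback profile on the virtual server.
PROFILES = {
    "default":         {"ciphers": "DEFAULT", "client_auth": "ignore", "crl": None},
    "www.example.com": {"ciphers": "DEFAULT", "client_auth": "ignore", "crl": None},
    "api.example.com": {"ciphers": "DEFAULT", "client_auth": "require", "crl": None},
}
MUST_MATCH = ("ciphers", "client_auth", "crl")     # subset of the settings F5 lists above

def select_profile(record, profiles=PROFILES):
    """Pick the profile whose Server Name equals the SNI host_name; fall back when absent or unknown."""
    name = extract_sni(record)
    return name if name in profiles else "default"

def mismatched_settings(profiles=PROFILES, keys=MUST_MATCH):
    """Names of listed settings that differ from the default profile on any SNI profile."""
    base = profiles["default"]
    return sorted({k for p in profiles.values() for k in keys if p[k] != base[k]})
```

A ClientHello with no SNI extension, or with a name no profile matches, lands on the fallback profile, which is why the listed settings need to agree across all of them.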