SSL profile options

Question

Can you set the nonssl option for a client SSL profile in a rule?  I'd like to be able to give a few customers a rule to use on port 0 VIPs and not have to force them to enable this option on each client SSL profile if it's not already.&nbsp;
&nbsp;Also, what is SSL::mode used for?  I see it in the ASM_clientside rule:&nbsp;
&nbsp;if {([PROFILE::exists clientssl] == 1) &amp;&amp; ([SSL::mode] == 1)}&nbsp;
&nbsp;I've also seen a reference to:&nbsp;
&nbsp;PROFILE::clientssl mode&nbsp;
&nbsp;And:&nbsp;
&nbsp;PROFILE::serverssl mode&nbsp;
&nbsp;I checked the wiki but didn't find any info on these commands. &nbsp;
&nbsp;Can someone provide more detail on these options?  What does SSL::mode indicate?  What other attributes are there for PROFILE::clientssl|serverssl?  Can the commands be used to set the values or only retrieve them?&nbsp;
&nbsp;Thanks,
&nbsp;Aaron

hoolio · Answer

So it looks like the nonssl option on the client SSL profile is the same as using SSL::disable in a rule.  You have to be able to determine when to disable SSL though.  &nbsp;
&nbsp;Can anyone shed light on the other questions?&nbsp;
&nbsp;Thanks,
&nbsp;Aaron&nbsp;&nbsp;&nbsp;

tom_kivlin_9335 · Answer

Aaron,&nbsp;
&nbsp;Did you get an answer for this? I am trying to figure out PROFILE::serverssl myself and am wondering if I can get certain traffic to use a serverssl profile, with everything else not using it.&nbsp;
&nbsp;Cheers,
&nbsp;Tom.

hoolio · Answer

Hi Tom,
You can configure a server SSL profile on the VIP and then use SSL::disable in an iRule to selectively disable the server side encryption.  Here's an example:
when HTTP_REQUEST {
    Check if request matches the criteria to disable server-side SSL
   if { [HTTP::uri] starts_with "/clear"}{
       disable SSL on the serverside context
      SSL::disable serverside
       select the http pool
      pool http_pool
   } else {
       default is to use server-side SSL and the https pool
      pool https_pool
   }
}
Aaron

tom_kivlin_9335 · Answer

Aaron,
Thanks for that, it's given me a different angle to look at. I need to find something to only use the server-side SSL on POST requests. My thoughts would be:when HTTP_REQUEST {
SSL::disable serverside
if {[HTTP::method] equals POST} {
SSL::enable serverside
                pool https_pool
}
}
Does that make sense?

hoolio · Answer

That would work as far as the SSL goes, assuming you have the http_pool as the default pool on the virtual server.  Here's another option that works based on the idea that you have SSL enabled on the serverside by default with the server SSL profile on the virtual server:
when HTTP_REQUEST {
   if {not ([HTTP::method] equals "POST")} {
      SSL::disable serverside
      pool http_pool
   }
    default action is to use server SSL and the default https_pool on the vip
}
Aaron

Forum Discussion

F5 Academy at AppWorld 2026

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

Related Content

SSL Profiles Part 5: SSL Options

F5 BIG-IP Advanced WAF – DOS profile configuration options.

SSL Profiles Part 6: SSL Renegotiation

Understanding the Authenticate Name Option on Server SSL profile on BIG-IP

SSL Profiles Part 8: Client Authentication