Huw_37537
Feb 01, 2018

SSL::profile delays

There's a warning on https://devcentral.f5.com/wiki/iRules.SSL__profile.ashx: "If you choose an SSL profile with a different key/cert/chain/ca-file from the SSL profile configured under the VS, the cert/key/ca-file must be reloaded, which is very time consuming (about half a second), degrading the SSL TPS performance drastically."

As this delay presumably should only happen on SSL session setup, is it really a big concern?

I've got a requirement to allow a client to present a CA-signed cert with one of a list of CNs, or a pre-defined self-signed cert. The way I've solved this is to write an iRule that checks whether it's self-signed and, if it isn't, checks the CN. If it passes these tests, the session will go through to the SSL profile and the cert is checked against a bundle containing the CA signers and the permitted self-signed certs.

I was wondering if it might be neater to have two client SSL profiles, one assigned to the VS, and switch to the other using SSL::profile if the appropriate condition is met.

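The check described in the post (classify the client cert as self-signed or CA-signed, then test the CN of a CA-signed cert against a permitted list), sketched as an iRule. This is an added example, not the poster's iRule or F5 code; the data group name `allowed_client_cns` and the DN string formats the pattern accepts are assumptions.

```tcl
# Added example. allowed_client_cns is a hypothetical string data group
# holding the permitted CNs for CA-signed client certificates.
when CLIENTSSL_CLIENTCERT {
    # Nothing to inspect if the client sent no certificate.
    if { [SSL::cert count] < 1 } {
        reject
        return
    }

    set cert    [SSL::cert 0]
    set subject [X509::subject $cert]
    set issuer  [X509::issuer $cert]

    # subject == issuer only classifies the cert as self-issued by name.
    # It says nothing about trust: whether the pre-defined self-signed cert
    # is accepted still depends on the trusted bundle of the client SSL profile.
    if { $subject eq $issuer } {
        return
    }

    # CA-signed path: extract the CN from the subject DN. The pattern is
    # anchored to the start of an attribute so that "CN=" embedded in another
    # attribute's value is not matched. Comma- and slash-separated DN strings
    # are both accepted (assumed formats).
    if { ![regexp {(?:^|[,/])\s*CN=([^,/]+)} $subject -> cn] } {
        log local0. "client cert rejected: no CN in subject"
        reject
        return
    }
    set cn [string trim $cn]

    # Exact match only; a prefix or substring match would admit look-alike CNs.
    if { ![class match $cn equals allowed_client_cns] } {
        log local0. "client cert rejected: CN '$cn' not permitted"
        reject
    }
}
```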