F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

SSL Profiles Part 1: Handshakes

This is the first in a series of tech tips on the F5 BIG-IP LTM SSL profiles.  SSL Overview and Handshake SSL Certificates Certificate Chain Implementation Cipher Suites SSL Options SSL...
Updated Mar 24, 2023
Version 2.0
LTM
security
series-the-ssl-profile
ssl
tech tip
JRahm's avatar
Icon for Admin rankAdmin
Christ Follower, Husband, Father, Technologist. I love community and I especially love THIS community. My background is networking, but I've dabbled in all the F5 iStuff, I'm a recovering Perl guy, and am very much a python enthusiast. Learning alongside all of you in this accelerating industry toward modern apps and architectures.
View Profile
JRahm's avatar
JRahm
Icon for Admin rankAdmin
Apr 15, 2014
>>I have a question.... in the case where both client and server ssl profiles are enabled, do we need a certificate in the server ssl profile?

 

 

only if your server requires client certificates to negotiate SSL.

 

 

>> how does encryption/decryption happen in the following scenarios?

 

 

>> 1- there is no certificate in server ssl profile, there is certificate on the server

 

 

same as no certificate in your client with a certificate on the BIG-IP for offload.

 

 

>> 2 - there is certificate in server ssl profile, there is certificate on the server, both the certificates are same

 

 

you should not use a server certificate in a client cert role. The server ssl profile is for the BIG-IP as a client to your servers, so you should have a client cert in there.

 

 

>> 3 - there is certificate in server ssl profile, there is certificate on the server, both certificates are different.

 

 

if there is no certificate on the server, then there is no need to re-encrypt from BIG-IP to the server, and therefore no need for a server ssl profile.

 

 

Just for clarification:

 

 

Complete Offload (no ssl to server):

 

client->BIG-IP(client ssl)->server

 

 

Offload & Re-encrypt to server:

 

client->BIG-IP(client ssl)->BIG-IP(server ssl)->server