Understanding how BIG-IP enforces TLS requirements on HTTP/2 Profile

Introduction

For those new to the HTTP/2 profile, RFC 7540 section 9.2.1 specifies the TLS requirements for HTTP/2 connections.

On BIG-IP, there is an option (Enforce TLS Requirements) that is enabled by default and makes BIG-IP comply with the above RFC requirements:

This setting dictates whether BIG-IP enforces the TLS configuration requirements on the Client SSL profile that is configured alongside the HTTP/2 profile.

In this article, I will walk through these RFC requirements in the context of BIG-IP configuration.

BIG-IP requires Client SSL profile before adding HTTP/2 profile

BIG-IP does not allow us to add an HTTP/2 profile without first adding a Client SSL profile, as HTTP/2 requires TLS:

TLS Renegotiation must be disabled on Client SSL profile

The other requirement is that we must explicitly disable Renegotiation on the Client SSL profile:

In the above example, I first added a Client SSL profile (https-vip-client-ssl) to my virtual server (http_test) and then tried to add an HTTP/2 profile (custom_http2_profile). This fails because TLS Renegotiation is enabled on my Client SSL profile.

After disabling TLS Renegotiation, I can safely add my HTTP/2 profile to the virtual server:
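The two checks described above (an HTTP/2 profile needs a Client SSL profile on the same virtual server, and that Client SSL profile must have renegotiation disabled) can also be verified offline against a saved bigip.conf, for example when reviewing configuration in a repository before it reaches the device. The script below is an added example and is not F5 code; it parses a constructed bigip.conf snippet with the profile and virtual server names used in this article, assumes the tmsh attribute names `renegotiation` (Client SSL profile) and `enforce-tls-requirements` (HTTP/2 profile), and assumes that an attribute absent from bigip.conf carries its default value (renegotiation enabled, enforcement enabled). Profile names in the sample are written without a partition prefix.

```python
"""Offline audit of a bigip.conf snippet for the HTTP/2-over-TLS requirements
discussed in the article. Added example, not F5 code."""

# Constructed sample in bigip.conf syntax (not exported from a real device).
# This copy is non-compliant: the Client SSL profile leaves renegotiation at
# its default (enabled), so attaching the HTTP/2 profile would be rejected.
CONF_NONCOMPLIANT = """\
ltm profile client-ssl https-vip-client-ssl {
    cert default.crt
    key default.key
}
ltm profile http2 custom_http2_profile {
    enforce-tls-requirements enabled
}
ltm virtual http_test {
    destination 192.0.2.10:443
    profiles {
        custom_http2_profile { }
        https-vip-client-ssl {
            context clientside
        }
    }
}
"""

# Compliant variant: renegotiation explicitly disabled on the Client SSL profile.
CONF_COMPLIANT = CONF_NONCOMPLIANT.replace(
    "    key default.key\n", "    key default.key\n    renegotiation disabled\n")

# Variant with the HTTP/2 profile attached but no Client SSL profile at all.
CONF_NO_SSL = CONF_COMPLIANT.replace(
    "        https-vip-client-ssl {\n            context clientside\n        }\n", "")


def parse_bigip_conf(text):
    """Parse pretty-printed bigip.conf text into nested dicts.

    A line ending in '{' opens a block keyed by the text before the brace,
    a bare '}' closes it, 'name { }' is an empty block, and any other line is
    a 'key value' pair. Top-level keys look like 'ltm virtual http_test'.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{ }"):
            stack[-1][line[:-3].strip()] = {}
        elif line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value
    return root


def audit_http2_virtual(conf_text, virtual_name):
    """Return a list of findings for one virtual server (empty list = compliant)."""
    conf = parse_bigip_conf(conf_text)
    virtual = conf.get(f"ltm virtual {virtual_name}")
    if virtual is None:
        return [f"virtual server {virtual_name} not found"]
    attached = virtual.get("profiles", {})
    http2 = [p for p in attached if f"ltm profile http2 {p}" in conf]
    client_ssl = [p for p in attached if f"ltm profile client-ssl {p}" in conf]
    findings = []
    if not http2:
        return findings  # no HTTP/2 profile, nothing to enforce
    if not client_ssl:
        findings.append("HTTP/2 profile attached but no Client SSL profile on the virtual server")
    for name in client_ssl:
        profile = conf[f"ltm profile client-ssl {name}"]
        # Assumption: a missing attribute means the BIG-IP default (enabled).
        if profile.get("renegotiation", "enabled") != "disabled":
            findings.append(f"client-ssl {name}: renegotiation is enabled; HTTP/2 requires it disabled")
    for name in http2:
        profile = conf[f"ltm profile http2 {name}"]
        if profile.get("enforce-tls-requirements", "enabled") != "enabled":
            findings.append(f"http2 {name}: enforce-tls-requirements is disabled")
    return findings


if __name__ == "__main__":
    for label, conf in (("non-compliant", CONF_NONCOMPLIANT),
                        ("compliant", CONF_COMPLIANT),
                        ("no client-ssl", CONF_NO_SSL)):
        print(label, "->", audit_http2_virtual(conf, "http_test") or "OK")
```

The parser relies on the one-statement-per-line layout that `tmsh save sys config` produces; it is not a general tmsh grammar. The third check (enforcement switched off) is there because a profile with enforcement disabled would let the first two conditions go unenforced on the device itself.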

TLS Cipher Enforcement and TLS Compression

Do not use any of the cipher suites listed in Appendix A of RFC 7540:

  • Roughly, that is every cipher suite without an ephemeral key exchange, plus every suite using CBC mode.
  • Ephemeral suites such as the ECDHE ones are allowed.
  • You don't need to make any changes here: BIG-IP proactively selects a cipher suite compatible with HTTP/2 from the cipher list sent by the client in its Client Hello message, or triggers an error (INSUFFICIENT_SECURITY) if none is available.
  • However, it is worth pointing out that once the profile is applied to a virtual server, BIG-IP does not allow removing the compatible cipher suites from the Cipher List, as seen below:
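The selection rule in the list above can be made concrete. The following is an added example (not BIG-IP's actual cipher-selection code): it classifies OpenSSL-style suite names by the two properties RFC 7540 section 9.2.2 cares about (ephemeral key exchange and AEAD mode), models the server-side choice described above (first server-preferred suite that the client offered and that is HTTP/2-compatible, otherwise the error the article calls INSUFFICIENT_SECURITY), and flags the entries of a BIG-IP cipher string that would be rejected. It goes slightly beyond the article by also treating TLS 1.3 suite names (`TLS_AES_*`, `TLS_CHACHA20_*`) as compatible, since those are always ephemeral and AEAD. The name-prefix and marker tables are assumptions of this example, not an exhaustive Appendix A transcription.

```python
"""Classify TLS cipher suites for HTTP/2 compatibility (RFC 7540 section 9.2.2
and Appendix A). Added example, not BIG-IP code."""

# Assumed OpenSSL-style naming conventions (not an exhaustive Appendix A list).
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "EDH-")
AEAD_MARKERS = ("-GCM-", "-CCM", "CHACHA20-POLY1305")
TLS13_PREFIXES = ("TLS_AES_", "TLS_CHACHA20_")


def is_http2_compatible(suite):
    """True if the suite uses an ephemeral key exchange AND an AEAD cipher.

    Everything else (static RSA key exchange, CBC or stream ciphers) falls in
    the RFC 7540 Appendix A blacklist. TLS 1.3 suites are always compatible.
    """
    if suite.startswith(TLS13_PREFIXES):
        return True
    ephemeral = suite.startswith(EPHEMERAL_PREFIXES)
    aead = any(marker in suite for marker in AEAD_MARKERS)
    return ephemeral and aead


def select_http2_cipher(client_hello_ciphers, server_preference):
    """Model of the server-side behaviour described in the article.

    Walk the server's preference order and return the first suite the client
    offered that is HTTP/2-compatible. Return None when there is no such
    suite; the caller maps None to the INSUFFICIENT_SECURITY error.
    """
    offered = set(client_hello_ciphers)
    for suite in server_preference:
        if suite in offered and is_http2_compatible(suite):
            return suite
    return None


def incompatible_suites(cipher_string):
    """List the entries of a colon-separated cipher string that HTTP/2 would reject."""
    return [s for s in cipher_string.split(":") if s and not is_http2_compatible(s)]


if __name__ == "__main__":
    # Constructed sample data, not captured from a real handshake.
    client_hello = ["AES256-SHA", "ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]
    server_prefs = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
                    "ECDHE-RSA-AES256-SHA", "AES256-SHA"]
    chosen = select_http2_cipher(client_hello, server_prefs)
    print("selected:", chosen or "INSUFFICIENT_SECURITY")
    print("rejected from cipher string:",
          incompatible_suites("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:AES128-SHA"))
```

Running `incompatible_suites` over the cipher string of an existing Client SSL profile is a quick way to see which entries are dead weight for HTTP/2 clients before touching the profile; the article's last bullet explains why BIG-IP will not let you strip the compatible ones once the HTTP/2 profile is attached.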

Regarding TLS compression, BIG-IP does not support it anyway, so there is nothing to worry about.

Final Remarks

I would personally leave the Enforce TLS Requirements setting enabled, both to comply with the RFC and for security reasons. For more details, please check the TLS requirements section of the RFC.

Published Jun 07, 2020
Version 1.0