Help
Technical Articles
F5 SMEs share good practice.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Understanding how BIG-IP enforces TLS requirements on HTTP/2 Profile

Rodrigo_Albuque
MVP
MVP

on ‎06-Jun-2020 23:57

Introduction

For those new to HTTP/2 profile, RFC7540 section 9.2.1 specifies TLS requirements for HTTP/2 connections.

On BIG-IP, there's an option that is enabled by default which makes BIG-IP comply with above RFC requirements:

0151T000002dlbkQAA.png

The above setting dictates whether BIG-IP should enforce TLS configuration requirements during client SSL profile configuration.

In this article, I will talk about such RFC requirements in the context of BIG-IP configuration..

BIG-IP requires Client SSL profile before adding HTTP/2 profile

BIG-IP does not allow us to add an HTTP/2 profile without adding a Client SSL profile first as HTTP/2 requires TLS:

0151T000002dlbuQAA.png

TLS Renegotiation must be disabled on Client SSL profile

The other requirement is that we must explicitly disable Renegotiation on Client SSL profile:

0151T000002dlc4QAA.png

In the above example, I first added a Client SSL profile (https-vip-client-ssl) to my virtual server (http_test) and then tried adding an HTTP/2 profile (custom_http2_profile) and it fails because TLS Renegotiation is enabled on my Client SSL profile.

After disabling TLS Renegotiation, I can now safely add my HTTP/2 profile to virtual server:

0151T000002dlc9QAA.png

TLS Cipher Enforcement and TLS Compression

Do not use any of the cipher suites from Appendix A from RFC7540:

  • Roughly all ciphers that are not ephemeral and cipher mode CBC.
  • Ephemeral ciphers such as ECDHE are allowed.
  • You don't need to worry about making any changes here because BIG-IP will proactively either select the ciphers that are compatible with HTTP/2 from Cipher list (sent by client on Client Hello message) or an error (INSUFFICIENT_SECURITY) will be triggered.
  • However, it is worth pointing out that after a profile is applied to a virtual server, we do not allow removing compatible ciphers from Cipher List as seen below:

0151T000002dlcJQAQ.png

Regarding TLS compression, we do not support it anyway so nothing to worry about.

Final Remarks

I would personally leave Enforce TLS Requirements setting enabled to both comply with RFC and for security reasons. For more details, please check the TLS requirements section in RFC.

0 Kudos
Version history
Last update:
‎06-Jun-2020 23:57
Updated by:
MVP
Contributors
Copyright © 2023 Khoros, LLC