Manual Chapter: Managing SSL Traffic
BIG-IP® Local Traffic ManagerTM offers several features that you can use to intelligently control your SSL traffic. Some of the SSL traffic-management features are:
The ability to authenticate clients and servers to maintain secure connections between a client system and the BIG-IP system, and between the BIG-IP system and a target web server
The primary way that you can control SSL network traffic is by configuring a Client or Server SSL profile. A Client profile is a type of traffic profile that enables the BIG-IP system to accept and terminate any client requests that are sent by way of a fully SSL-encapsulated protocol. The BIG-IP system supports SSL for both TCP and UDP protocols.
A Server profile is a type of profile that enables the BIG-IP system to initiate secure connections to a target web server.
Configure a profile, and then associate that profile with a virtual server. You configure a profile using the Configuration utility.
Client-side traffic refers to connections between a client system and the BIG-IP system. Server-side traffic refers to connections between the BIG-IP system and a target server system:
Managing client-side SSL traffic
When you enable the BIG-IP system to manage client-side SSL traffic, the BIG-IP system terminates incoming SSL connections by decrypting the client request. The BIG-IP system then sends the request, in clear text, to a target server. Next, the BIG-IP system retrieves a clear-text response (such as a web page) and encrypts that response before sending it back to the client. During the process of terminating an SSL connection, the BIG-IP system can, as an option, perform all of the SSL certificate verification functions normally handled by the target web server. For information on configuring a client-side SSL profile, see Configuring SSL profile settings.
Managing server-side SSL traffic
When you enable the BIG-IP system to manage server-side SSL traffic, the BIG-IP system enhances the security of your network by re-encrypting a decrypted request before sending it on to a target server. In addition to this re-encryption, the BIG-IP system can, as an option, perform the same verification functions for server certificates that the BIG-IP system can for client certificates. For information on configuring a server-side SSL profile, see Configuring SSL profile settings.
The BIG-IP system can check to see if a certificate being presented by a client or server has been revoked. A revoked client certificate indicates to the BIG-IP system that the system should fail to authenticate the client.
The BIG-IP system supports two industry-standard methods for checking the revocation status of a certificate. These two methods are:
Certificate revocation lists (CRLs)
A CRL is a file that the BIG-IP system can use to check whether a certificate being presented to it has been revoked. CRL support takes the form of a CRL file and a CRL path: you can configure one CRL file and path for the client-side profile, and one CRL file and path for the server-side profile. You configure the use of CRLs through an SSL profile. For more information, see Configuring client and server authentication settings.
Online Certificate Status Protocol (OCSP)
Unlike the use of CRLs, OCSP ensures that the revocation status of a certificate is always up-to-date. You configure OCSP through an Authentication profile. For more information, see Chapter 11, Authenticating Application Traffic Using a Remote Server.
This section describes the settings that appear in the Configuration section of a Client SSL Profile or Server SSL Profile screen. For information on configuring the other SSL profile settings, see Configuring client and server authentication settings.
Table 10.1 shows the settings you can configure for a Client SSL or Server SSL profile. For those settings that have default values, you can retain those default settings or modify them. Following this table are descriptions of these settings.
Note: In addition to configuring an SSL profile, you must also configure a TCP or UDP profile. For information configuring TCP and UDP profiles, see Chapter 8, Managing Protocol Profiles.
Certificate: Specifies the name of the certificate installed on the BIG-IP system for the purpose of terminating or initiating an SSL connection. Default value: default (Client), default (Server).
Key: Specifies the name of the key installed on the BIG-IP system for the purpose of terminating or initiating an SSL connection. Default value: default (Client), default (Server).
Options: Specifies the value All Bugfixes Enabled, which enables a set of industry-related miscellaneous workarounds related to SSL processing. For more information, see Configuring workarounds.
Cache Timeout: Specifies the timeout value in seconds of the SSL session cache entries. If you specify Indefinite, SSL cache entries do not expire.
Alert Timeout: Specifies the duration in seconds that the BIG-IP system waits while trying to close an SSL connection, before the connection is reset.
Renegotiation: Controls on a per-connection basis how the system responds to mid-stream SSL reconnection requests.
Renegotiate Period: Specifies the number of seconds from the initial connect time that the system renegotiates an SSL session.
Note: The Renegotiate Max Record Delay attribute applies to client-side profiles only.
Strict Resume: Configures the BIG-IP system to enable or disable the resumption of SSL sessions after an unclean shutdown.
Non-SSL Connections: Allows or disallows non-SSL connections to pass through the traffic management system, in clear-text format.
To create an SSL profile, you must specify a unique name for the profile. The Name setting is the only setting that you must actively specify when creating an SSL profile; all other settings have default values.
Every profile that you create is derived from a parent profile. Using the Parent Profile setting, you can configure the default SSL profile as the parent profile, or you can configure another SSL profile that you have already created.
The value of the Certificate setting is the name of the certificate that you installed on the BIG-IP system for the purpose of authenticating client-side or server-side SSL connections. If you have neither generated a certificate request nor installed a certificate on the BIG-IP system, you can specify the name of the existing certificate, default. For more information on certificates, see Configuring certificate revocation.
The value of the Key setting is the name of the key that you installed on the BIG-IP system for the purpose of authenticating either client-side or server-side SSL connections. If you have neither generated a key request nor installed a key on the BIG-IP system, you can specify the name of the existing key, default.
With the Pass Phrase and Confirm Pass Phrase settings, you can specify a string that enables access to the SSL certificate/key pair. This feature is optional. You can access these settings by locating the Configuration list and selecting Advanced.
For added security, when you use these settings, the BIG-IP system automatically encrypts the pass phrase itself. This pass phrase encryption process is invisible to BIG-IP system users, so there is no need to enable it.
Note that the length of an encrypted pass phrase exceeds the length of the unencrypted pass phrase. An example of an encrypted pass phrase is MDEyMzQ1Njc4OWFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6.
In any client verification process, not only does the BIG-IP system need to authenticate the client, but the client might need to authenticate the BIG-IP system. However, a certificate that the BIG-IP system uses to authenticate itself to a client is sometimes signed by an intermediate CA that is not trusted by that client. In this case, the BIG-IP system might need to use a certificate chain. The profile enables you to specify the name of a specific certificate chain file. Note that the certificate files that make up the chain file must be in PEM format.
When you configure the Chain setting, the possible values are None, ca-bundle, and default.
For client-side SSL processing, you can configure an SSL profile to verify certificates presented by a client or a server. Using the Trusted Certificate Authorities setting, you can specify a client trusted CAs file name, which the BIG-IP system then uses to verify client or server certificates. If you do not configure a trusted CAs file, the profile uses a default file.
The trusted CAs file that you specify for certificate verification contains one or more certificates, in Privacy Enhanced Mail (PEM) format. Built manually, this file contains a list of the client or server certificates that the SSL profile will trust. If you do not specify a trusted CAs file, or the specified trusted CAs file is not accessible to the BIG-IP system, the system uses the default file name.
When you configure the Trusted Certificate Authorities setting, the possible values are None, ca-bundle, and default.
For each SSL profile, you can specify the ciphers available for SSL connections. When configuring ciphers, you must ensure that the ciphers configured for the SSL profile match those of the client sending a request, or of the server sending a response.
For example, a client might connect to and successfully establish an SSL connection to an SSL profile that is configured to use both client-side and server-side SSL. After the client sends additional data (such as an HTTP request), the SSL profile attempts to establish an SSL connection to a server. However, the SSL profile might be configured to enable only 3DES ciphers for server-side SSL, and the servers might be configured to accept only RC4 ciphers. In this case, the SSL handshake between the SSL profile and the server fails because there are no common ciphers enabled. This results in the client connection being closed. If the client is using a browser, the user is likely to receive an error message indicating that the web page failed to load.
Table 10.2 lists the ciphers included in the cipher string DEFAULT, for both the Client SSL and Server SSL profiles:
Tip: In addition to specifying ciphers in an SSL profile, you can insert cipher specifications into the header of an HTTP request and then direct traffic based on those ciphers. For more information, see the web site http://devcentral.f5.com.
OpenSSL supports a set of defect workarounds and SSL options. You can enable these workarounds and options as settings of an individual client-side or server-side SSL profile. The default value for the Options setting is Options List. Retaining the default value enables one option, which is Dont insert empty fragments.
Table 10.3 lists and describes the possible workarounds and options that you can configure for an SSL profile.
This option enables all of the defect workarounds that this table describes. It is usually safe to use the All Bugfixes Enabled option to enable the defect workaround options when you want compatibility with broken implementations.
When the BIG-IP system chooses a cipher, this option uses the server's preferences instead of the client's preferences. When this option is not set, the SSL server always follows the client's preferences. When this option is set, the SSLv3/TLSv1 server chooses by using its own preferences. Because the protocol differs, for SSLv2 the server sends its list of preferences to the client, and the client always chooses the cipher.
This option disables a countermeasure against an SSL 3.0/TLS 1.0 protocol vulnerability affecting CBC ciphers, because certain broken SSL implementations cannot handle the countermeasure. This option has no effect for connections using other ciphers. This is the default value for the Enabled Options list.
This option uses ephemeral (temporary) RSA keys when doing RSA operations. According to the specifications, this is only done when an RSA key can only be used for signature operations (namely under export ciphers with restricted RSA key length). By setting this option, the BIG-IP system always uses ephemeral RSA keys. This option breaks compatibility with the SSL/TLS specifications and can lead to interoperability problems with clients, and we therefore do not recommend it. You should use ciphers with EDH (ephemeral Diffie-Hellman) key exchange instead. This option is ignored for server-side SSL.
This option handles a Microsoft® session ID problem.
This option handles a defect regarding system instability. If the system accepts a Netscape® browser connection, demands a client cert, has a non-self-signed CA that does not have its CA in Netscape, and the browser has a certificate, then the system crashes or hangs.
This option deliberately manipulates the SSL server session resumption behavior to mimic that of certain Netscape servers (see the Netscape reuse cipher change bug workaround description). We do not recommend this option for normal use and it is ignored for server-side SSL processing.
This option handles a defect within Netscape-Enterprise/2.01, only appearing when connecting through SSLv2/v3 then reconnecting through SSLv3. In this case, the cipher list changes.
First, a connection is established with the RC4-MD5 cipher list. If it is then resumed, the connection switches to using the DES-CBC3-SHA cipher list. However, according to RFC 2246, (section 7.4.1.3, cipher_suite) the cipher list should remain RC4-MD5.
As a workaround, you can attempt to connect with a cipher list of DES-CBC-SHA:RC4-MD5 and so on. For some reason, each new connection uses the RC4-MD5 cipher list, but any reconnection attempts to use the DES-CBC-SHA cipher list. Thus Netscape, when reconnecting, always uses the first cipher in the cipher list.
When the BIG-IP system performs renegotiation as an SSL server, this option always starts a new session (that is, session resumption requests are only accepted in the initial handshake). The system ignores this option for server-side SSL processing.
This option enables a workaround for communicating with older Microsoft® applications that use non-standard SSL record sizes.
This option enables a workaround for communicating with older Microsoft® applications that use non-standard RSA key padding. This option is ignored for server-side SSL.
When set to Default, this option enables the All Bugfixes Enabled option. When set to None, this option disables all workarounds. We do not recommend setting this option to None.
This debugging option deliberately manipulates the PKCS1 padding used by SSL clients in an attempt to detect vulnerability to particular SSL server vulnerabilities. We do not recommend this option for normal use. The system ignores this option for client-side SSL processing.
This option creates a new key when using temporary/ephemeral DH parameters. You must use this option if you want to prevent small subgroup attacks, when the DH parameters were not generated using strong primes (for example, when using DSA-parameters). If strong primes were used, it is not strictly necessary to generate a new DH key during each handshake, but we do recommend this. You should enable the Single DH use option whenever temporary/ephemeral DH parameters are used.
This option enables a workaround for communicating with older SSLeay-based applications that specify an incorrect Diffie-Hellman public value length. This option is ignored for server-side SSL.
This option is a workaround for communicating with older TLSv1-enabled applications that specify an incorrect encrypted RSA key length. This option is ignored for server-side SSL.
This option enables a workaround for communicating with older TLSv1-enabled applications that use incorrect block padding.
This option disables version rollback attack detection. During the client key exchange, the client must send the same information about acceptable SSL/TLS protocol levels as it sends during the first hello. Some clients violate this rule by adapting to the server's answer. For example, the client sends an SSLv2 hello and accepts up to SSLv3.1 (TLSv1), but the server only understands up to SSLv3. In this case, the client must still use the same SSLv3.1 (TLSv1) announcement. Some clients step down to SSLv3 with respect to the server's answer and violate the version rollback protection. This option is ignored for server-side SSL.
When configuring protocol versions, you must ensure that the protocol versions configured for the BIG-IP system match those of the system's peer. That is, protocol versions specified in the client-side SSL profile must match those of the client, and protocol versions specified in the server-side SSL profile must match those of the server. For both client-side and server-side SSL connections, you specify the protocol versions that you do not want the BIG-IP system to allow.
You can declare up to two of the three protocol versions to be invalid: SSLv2, SSLv3, and TLSv1. If no protocol versions are specified, the BIG-IP system allows all SSL protocol versions.
To specify workaround options, locate the Options setting and verify that it is set to Options List (the default value). From the Options List setting, select any of the options you wish to configure, and click the Enable button. When you are finished configuring the SSL profile, click the Finished button.
When you enable the ModSSL Methods setting, you can then write an iRule, using the HTTP::header insert_modssl_fields command, which inserts some of the ModSSL options as headers into HTTP requests. The options that you can insert into an HTTP request are listed in Table 10.4.
The status of the client certificate. The value of [status] can be NoClientCert, OK, or Error. If status is NoClientCert, only this header is inserted into the request. If status is Error, the error is followed by a numeric error code.
SSLClientCertNotValidBefore: [before]
SSLClientCertNotValidAfter: [after]
The validity dates for the certificate. The certificate is not valid before or after the dates represented by [before] and [after], respectively.
The type of public key. The allowed types are RSA ([size] bit), DSA, or Unknown public key.
MD5 hash of the certificate.
You can configure timeout and size values for the SSL session cache. Because each profile maintains a separate SSL session cache, you can configure the values on a per-profile basis.
Using the Configuration utility, you can specify the maximum size of the SSL session cache. The default value for the size of the SSL session cache is 20,000 entries. A value of 0 disallows session caching.
You configure the values for the maximum size of the session cache on a per-profile basis. To specify an SSL session cache size, locate the Cache Size setting and retain the default cache-size value or type a new value.
Using the Configuration utility, you can specify the number of usable lifetime seconds of negotiated SSL session IDs. The default timeout value for the SSL session cache is 3600 seconds. If you specify a timeout value, valid values are integers greater than or equal to 1.
Warning: If the timeout value for the client-side SSL session cache is set to zero, the SSL session IDs negotiated with that profile's clients remain in the session cache until the cache is filled and the purging of entries begins. Setting a value of zero can introduce a significant security risk if valuable resources are available to a client that is reusing those session IDs. It is therefore common practice to set the SSL session cache timeout to no more than 24 hours, and often to significantly shorter periods.
To specify an SSL session cache timeout, locate the Cache Timeout setting, and retain the default value or, from the list, select Specify or Indefinite. If you select Specify, type a value. Selecting Indefinite prevents SSL session cache entries from expiring.
The Alert Timeout setting specifies the duration in seconds that the BIG-IP system waits while trying to close an SSL connection, before the connection is reset. The default timeout value for this setting is 60 seconds. To specify an alert timeout, locate the Alert Timeout setting, and retain the default value or, from the list, select Specify or Indefinite. If you select Specify, type a value.
The Handshake Timeout setting specifies the amount of time in seconds that the BIG-IP system spends attempting to perform an SSL handshake. The default timeout value for this setting is 60 seconds. To specify a handshake timeout, locate the Handshake Timeout setting, and retain the default value or, from the list, select Specify or Indefinite. If you select Specify, type a value.
Long-lived connections are susceptible to man-in-the-middle attacks. To prevent such attacks, you can force the BIG-IP system to renegotiate SSL sessions, based on either a time period or the amount of application data transmitted. You can also force the BIG-IP system to terminate an SSL session after receiving a specified number of records.
The Renegotiation setting controls on a per-connection basis how the system responds to mid-stream SSL reconnection requests. When enabled, the system processes mid-stream SSL renegotiation requests. When disabled, the system terminates the connection, or ignores the request, depending on system configuration. The default value is Disabled.
The Renegotiate Period setting specifies the number of seconds from the initial connect time that the system renegotiates an SSL session. The options are a number you specify, indefinite, and default. The default is indefinite, meaning that you do not want the system to renegotiate SSL sessions. Each time the session renegotiation is successful, essentially a new connection is started. Therefore, the system attempts to renegotiate the session again in the specified amount of time following the successful session renegotiation. For example, setting the renegotiate period to 3600 seconds triggers session renegotiation at least once an hour.
To specify a renegotiation period, locate the Renegotiate Period setting and retain the default value, or select Specify. If selecting Specify, type a value.
The Renegotiate Size setting forces the BIG-IP system to renegotiate an SSL session after the specified number of megabytes of application data have been transmitted over the secure channel. The default value for this setting is Indefinite.
To specify a renegotiation size, locate the Renegotiate Size setting and retain the default value, or type a new value.
Specifying the maximum record delay
While the BIG-IP system waits for the client to initiate a renegotiation, the Renegotiate Max Record Delay setting forces the BIG-IP system to terminate an SSL session after receiving the specified maximum number of SSL records. If the BIG-IP system receives more than the maximum number of SSL records, it closes the connection. The default value for this setting, in seconds, is 10.
To specify a maximum record delay, locate the Renegotiate Max Record Delay setting and retain the default value or type a new value.
With respect to the shutdown of SSL connections, you can configure two settings on the BIG-IP system: Unclean Shutdown and Strict Resume.
In an unclean shutdown, underlying TCP connections are closed without exchanging the required SSL shutdown alerts. You can use the Unclean Shutdown setting to disable unclean shutdowns and thus force the SSL profile to perform a clean shutdown of all SSL connections.
This feature is especially useful with respect to the Internet Explorer browser. Different versions of the browser, and even different builds within the same version of the browser, handle shutdown alerts differently. Some versions or builds require shutdown alerts from the server, while others do not, and the SSL profile cannot always detect this requirement or lack of it. In the case where the browser expects a shutdown alert but the SSL profile has not exchanged one (the default setting), the browser displays an error message.
By default, this setting is enabled, which means that the BIG-IP system performs unclean shutdowns of all SSL connections. To disable unclean shutdowns, locate the Unclean Shutdown setting and clear the check box.
Using the Strict Resume setting, you can configure the BIG-IP system to discontinue an SSL session after an unclean shutdown. By default, this setting is disabled, which causes the BIG-IP system to resume SSL sessions after an unclean shutdown. If you enable this setting, the BIG-IP system does not resume SSL sessions after an unclean shutdown.
Using the Non-SSL Connections setting, you can configure the BIG-IP system to accept connections that are not SSL connections. In this case, connections pass through the BIG-IP system in clear-text format. By default, this setting is disabled.
This section describes the settings that appear in the Client Authentication section of a Client SSL Profile screen, or the Server Authentication section of a Server SSL Profile screen. For information on configuring the other SSL profile settings, see Configuring SSL profile settings.
Table 10.5 lists and describes the authentication settings of a Client or Server SSL profile. For those settings that have default values, you can retain those default settings or modify them. Following this table are descriptions of the settings.
Client Certificate / Server Certificate: Configures the SSL profile to either request, require, or ignore certificates presented by a client or a server.
Frequency: Specifies whether the profile should authenticate a client once per session, or once per session and upon each subsequent re-use of an SSL session. For more information, see Configuring per-session authentication.
Note: This setting only appears when you set the Client Certificate setting to Request, Require, or Auto, or when you set the Server Certificate setting to Require.
Certificate Chain Traversal Depth: Specifies the maximum number of certificates that can be traversed in a client certificate chain. For more information, see Configuring authentication depth.
Note: This setting only appears when you set the Client Certificate setting to Request, Require, or Auto, or when you set the Server Certificate setting to Require.
Advertised Certificate Authorities: Specifies the CAs that you would like to advertise to clients as being trusted by the profile. For more information, see Advertising a list of trusted client CAs. This attribute applies to client-side profiles only.
Note: This setting only appears when you set the Client Certificate setting to Request, Require, or Auto.
Authenticate Name: Authenticates a target server based on the Common Name (CN) embedded in a server certificate. For more information, see Configuring name-based authentication. This attribute applies to server-side profiles only.
Note: This setting only appears when you set the Server Certificate setting to Require.
Certificate Revocation List (CRL): Configures certificate revocation by maintaining a list of revoked client certificates. For more information, see Certificate revocation.
Note: This setting only appears when you set the Client Certificate setting to Request, Require, or Auto, or when you set the Server Certificate setting to Require.
By configuring the Client Certificate or Server Certificate setting, you can cause the BIG-IP system to handle authentication of clients or servers in certain ways. For client-side profiles, the Client Certificate setting has these possible values:
Request: Request and verify a client certificate. In this case, the SSL profile always grants access regardless of the status or absence of the certificate.
Require: Require a client to present a valid and trusted certificate before granting access.
Ignore: Ignore a certificate (or lack of one) and therefore never authenticate the client. The Ignore setting is the default setting, and when used, causes any per-session authentication setting to be ignored. For information on configuring per-session authentication, see Configuring per-session authentication.
Auto: Ignore a client certificate until an authentication module requests one. In this case, the BIG-IP system initiates a mid-session SSL handshake, as though the option were set to Request. We recommend this setting only for those connections for which the presentation of a client certificate is not required.
Warning: If you are using the LDAP-based client authorization feature, use of the Request or Ignore options can sometimes cause a connection to terminate. For more information on LDAP-based client authorization, see Chapter 11, Authenticating Application Traffic Using a Remote Server.
Tip: The Request value works well with the header insertion feature. Configuring the SSL profile to insert client certificate information into an HTTP client request, and to authenticate clients based on the Request option, enables the BIG-IP system or a server to then perform actions such as redirecting the request to another server, sending different content back to the client, or performing client certificate or session ID persistence.
For server-side profiles, the Server Certificate setting has these possible values:
Require: Require a server to present a valid and trusted certificate before granting access.
Ignore: Ignore a certificate (or lack of one) and therefore never authenticate the server. The Ignore value is the default setting, and when used, causes any per-session authentication setting to be ignored. For information on configuring per-session authentication, see Configuring per-session authentication, following.
With the Frequency setting, you can configure an SSL profile to require authentication either once per SSL session (once), or once upon each subsequent re-use of an SSL session (always). The default setting for this option is once.
Whether you set this value to once or always depends on your application. A well-designed web application should only need to verify a certificate once per session. We recommend for performance reasons that you use the default setting (once) whenever possible.
You can modify the SSL profile to require authentication not only once per session, but also upon each subsequent re-use of an SSL session.
For client-side profiles only, if you intend to configure the SSL profile to require or request client certificates for authentication, you will want the profile to send to clients a list of CAs that the server is likely to trust. You can do this by configuring the Advertised Certificate Authorities setting.
This list, known as the Client Certificate CA file, is different from the client Trusted CAs file. This is because, in some cases, you might have a client that does not possess a valid client certificate, in which case you might not want to reveal the actual list of CAs that the profile trusts. The client certificate CA file solves this problem by allowing the profile to advertise a list of CAs that is different from the actual client trusted CAs file configured as part of certificate verification.
Tip: Although the contents of the Client Certificate CA file can differ from that of the Client Trusted CAs file, it is best, for compatibility reasons, to set the Client Certificate CA option to match the actual Client Trusted CAs file. This is because modern browsers might not permit SSL session negotiation to proceed if the peer that requests the client certificate does not provide a list of trusted CAs.
To configure the profile to send this list, you can specify a PEM-formatted certificate file that contains one or more CAs that a server trusts for client authentication. If no Client Certificate CA file is specified, no list of trusted CAs is sent to a client.
Note: The maximum size of native SSL handshake messages that the BIG-IP system allows is 14304 bytes. Consequently, if the SSL handshake is negotiating a native cipher and the total length of all messages in the handshake exceeds this byte threshold, the handshake can fail. Although typical use does not cause message length to exceed this threshold, we recommend that when configuring a Client SSL profile to request or require client certificates, you avoid specifying large numbers of certificates with the Advertised Certificate Authorities setting. This minimizes the number of certificates that must be exchanged during a Client SSL handshake.
Using the Certificate Chain Traversal Depth setting, you can configure the maximum number of certificates that can be traversed in the certificate chain. The default value is 9. If a longer chain is provided, and the client has not been authenticated within this number of traversals, client or server certificate verification fails. If the authentication depth value is set to zero, then only the client or server certificate, and one of the chain files, are examined.
For server-side profiles only, the BIG-IP system supports name-based authentication, which guards against man-in-the-middle attacks. When you configure the Authenticate Name setting for a server-side profile, the BIG-IP system checks the name against the Common Name (CN) listed in the certificate that the target server presents to the BIG-IP system. If the name attribute that you specify does not match the CN in the server certificate, the BIG-IP system closes the connection. An example of a CN is www.f5.com.
The Certificate Revocation List (CRL) setting allows the BIG-IP system to use CRLs to check revocation status of a certificate prior to authenticating a client or server.
To configure CRLs for an SSL profile, you must configure a CRL file, which contains a list of revoked client or server certificates. When specifying a list of revoked certificates, the file that you specify must be a PEM-formatted file.
Important: CRL files can become outdated, and might need to be updated as often as every day, or as seldom as every 30 days. If your CRL file is out-of-date, the BIG-IP system rejects all certificates, both valid and invalid. For this reason, it is important to keep your CRL files up-to-date at all times. You can do this by accessing the CRL in the /config/ssl/ssl.crl directory and then using the openssl crl command. For more information, see http://www.openssl.org/docs/.
As an alternative to using CRLs, you can use the Online Certificate Status Protocol (OCSP) feature, which ensures up-to-date information on certificate revocation status. For more information, see Chapter 11, Authenticating Application Traffic Using a Remote Server.
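As an added example (not code from the F5 manual or from the BIG-IP product), the following shell script uses the openssl command to build a throwaway root/intermediate/leaf PKI and then exercises, off the appliance, the decisions behind the Chain and Trusted Certificate Authorities files, the Certificate Chain Traversal Depth, Authenticate Name and CRL settings described above. Every name, path and lifetime is constructed for the demo, and OpenSSL's -verify_depth is only an analogue of the BIG-IP depth value (it counts intermediates, and the counting has changed between OpenSSL releases).

```shell
#!/bin/sh
# Added example, not part of the F5 manual: a throwaway PKI built with openssl so
# the chain, trusted-CA, depth, name and CRL checks can be exercised offline.
# Every name, path and lifetime here is constructed for the demo.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extensions that make a certificate usable as a CA (issuing certs and CRLs).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext

# Root CA (self-signed) -> intermediate CA -> leaf (server) cert, 30-day lifetimes.
openssl req -newkey rsa:2048 -nodes -sha256 -subj '/CN=Demo Root CA' \
    -keyout root.key -out root.csr >/dev/null 2>&1
openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
    -extfile ca.ext -out root.pem >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -sha256 -subj '/CN=Demo Intermediate CA' \
    -keyout inter.key -out inter.csr >/dev/null 2>&1
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -sha256 -extfile ca.ext -out inter.pem >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -sha256 -subj '/CN=www.example.test' \
    -keyout leaf.key -out leaf.csr >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 30 -sha256 -out leaf.pem >/dev/null 2>&1

# Chain file (what the Chain setting takes): PEM, issuing intermediate first.
cat inter.pem root.pem > chain.pem
# Trusted CAs file (Trusted Certificate Authorities setting): only the anchors
# you really trust; the intermediate is deliberately NOT in here.
cp root.pem trusted-cas.pem

# Depth check: verify leaf.pem up to a trusted anchor allowing at most $1
# intermediate certificates (analogue of Certificate Chain Traversal Depth).
verify_chain() {
    openssl verify -CAfile trusted-cas.pem -untrusted chain.pem \
        -verify_depth "$1" leaf.pem >/dev/null 2>&1
}

# Name check (Authenticate Name analogue): pull the CN out of a certificate's
# subject and compare it with the configured name.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
authenticate_name() { [ "$(cert_cn leaf.pem)" = "$1" ]; }

# Issue a CRL from the intermediate with a 1-day nextUpdate. The minimal config
# is what `openssl ca -gencrl` needs; nothing is revoked, the CRL is just fresh.
cat > crl.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
crlnumber = crlnumber
default_md = sha256
default_crl_days = 1
EOF
: > index.txt
echo 01 > crlnumber
openssl ca -config crl.cnf -gencrl -keyfile inter.key -cert inter.pem \
    -out inter.crl >/dev/null 2>&1

# CRL check evaluated $1 days from now (via -attime). The leaf stays valid for
# 30 days, so a rejection after day 1 comes only from the CRL being out of date,
# which is the failure mode the CRL warning above describes.
verify_with_crl() {
    openssl verify -CAfile trusted-cas.pem -untrusted chain.pem \
        -CRLfile inter.crl -crl_check \
        -attime "$(( $(date +%s) + $1 * 86400 ))" leaf.pem >/dev/null 2>&1
}

# Demo run: each line is one decision the SSL profile would make.
report() { if "$@"; then echo "$* -> accepted"; else echo "$* -> rejected"; fi; }
report verify_chain 2                     # accepted: anchor reached within depth
report verify_chain 0                     # rejected: chain longer than allowed
report authenticate_name www.example.test # accepted: CN matches
report authenticate_name www.other.test   # rejected: CN mismatch, connection closed
report verify_with_crl 0                  # accepted: CRL current, leaf not listed
report verify_with_crl 3                  # rejected: stale CRL rejects a valid leaf
```

The script needs only the openssl command and writes solely into a temporary directory, so it can be run on any workstation before the real chain, trusted-CAs and CRL files are uploaded to the BIG-IP system.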