SSL Profile in BIG-IP LTM

The SSL Profile in BIG-IP LTM (Local Traffic Manager) is used to manage the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) settings for securing traffic between clients and servers. The profile includes configurations for certificate management, encryption algorithms, client authentication, and more. Below are the key features and configurations associated with an SSL Profile:


Key Features of SSL Profile

  1. Certificate Management

    • When the SSL Certificate or Key is updated in an SSL profile, existing active connections will continue to use the old SSL certificate until the connection is either completed, terminated, or re-negotiated (i.e., a new session is initiated), or the Traffic Management Microkernel (TMM) is restarted.

    • This behavior ensures that active sessions are not disrupted by changes to the SSL certificate in the middle of a connection.

  2. SSL Certificate Verification

    • SSL certificate verification includes four key checks to ensure the validity of an SSL certificate. If any of these checks fail, the certificate is considered invalid:

      1. Digital Signature (DS) Check: Verifies that the certificate’s digital signature is valid.

      2. Certificate Chain Check: Verifies that the certificate chain is complete and the CA (Certificate Authority) signature is valid.

      3. Expiration Date & Validity Period Check: Ensures that the certificate is within its valid date range.

      4. Certificate Revocation Check: Confirms that the certificate has not been revoked, typically by checking the CRL (Certificate Revocation List) or through OCSP (Online Certificate Status Protocol).

  3. Client Certificate Authentication

    • Ignore (Default): The system ignores any client certificate presented and does not authenticate the client.

    • Require: Forces client authentication, meaning the client must present a valid certificate that the server trusts.

    • Request: The system requests a client certificate but does not enforce it; client authentication is optional, and any enforcement decision is typically made with an iRule.

    • Configuration Considerations:

      • If Require or Request is selected, Trusted Certificate Authorities (CAs) must be configured (they cannot be set to "None").

      • Similarly, the Advertised Certificate Authorities list must also be specified (again, cannot be "None").

  4. Client Certificate Authentication Frequency

    • Once (Default): The system authenticates the client certificate only once during the SSL session handshake.

    • Always: The system authenticates the client every time the SSL session is reused. This is more secure but can add overhead.

  5. Trusted Certificate Authorities (CA)

    • The Trusted Certificate Authorities list is drawn from the SSL certificates installed on the BIG-IP system, which are stored in the /config/ssl/ssl.crt directory.

    • If the system needs to validate certificates against a CRL (Certificate Revocation List), you must upload the CRL to the /config/ssl/ssl.crl directory.

  6. CRL and OCSP

    • CRL (Certificate Revocation List): Lists certificates that have been revoked before their expiration date. CRLs can become outdated quickly, so it's recommended to use OCSP (Online Certificate Status Protocol) or CRLDP (CRL Distribution Points) profiles for more up-to-date and efficient certificate status verification.

  7. Advertised Certificate Authorities

    • The Advertised Certificate Authorities setting specifies the CAs that the BIG-IP advertises as trusted when requesting a client certificate for authentication during the SSL handshake. This list must be carefully managed to avoid issues during client authentication.

  8. SSL Handshake Message Size Limit

    • The maximum size allowed for native SSL handshake messages in BIG-IP is 14,304 bytes. Using a large list of advertised CAs or client certificates could lead to an SSL handshake failure due to exceeding this size limit.
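The size limit above applies to the handshake message that carries the advertised CA list, the CertificateRequest. The following Python is an added example (not F5 code and not part of these notes) that estimates the TLS 1.2 CertificateRequest size for a list of CA subject names using the RFC 5246 layout, so a bundle can be checked against the 14,304-byte limit before it is deployed. The DER name encoder is a minimal one written for this example; the counts of certificate types (2) and signature algorithms (20) are assumptions, and the CA names are constructed, not real.

```python
"""Estimate the TLS 1.2 CertificateRequest size for an advertised-CA list
and compare it with the BIG-IP native handshake message limit (14,304 bytes)."""

MAX_HANDSHAKE_MESSAGE = 14304   # limit stated in the notes above
HANDSHAKE_HEADER = 4            # HandshakeType (1 byte) + uint24 length (3 bytes)

# Attribute type OIDs under 2.5.4 (id-at), DER-encoded contents.
OIDS = {
    "C": b"\x55\x04\x06",   # countryName
    "O": b"\x55\x04\x0a",   # organizationName
    "OU": b"\x55\x04\x0b",  # organizationalUnitName
    "CN": b"\x55\x04\x03",  # commonName
}


def der_len(n):
    """DER length octets (short form, or long form up to 65535)."""
    if n < 0x80:
        return bytes([n])
    if n < 0x100:
        return bytes([0x81, n])
    return bytes([0x82, n >> 8, n & 0xFF])


def der(tag, body):
    """Wrap a body in a DER TLV."""
    return bytes([tag]) + der_len(len(body)) + body


def encode_dn(rdns):
    """Minimal DER Name encoder: rdns is a list of (attribute, value) pairs,
    each becoming a single-element RDN SET (PrintableString for C, UTF8String otherwise)."""
    out = b""
    for attr, value in rdns:
        string_tag = 0x13 if attr == "C" else 0x0C
        atv = der(0x30, der(0x06, OIDS[attr]) + der(string_tag, value.encode("utf-8")))
        out += der(0x31, atv)
    return der(0x30, out)


def certificate_request_size(ca_dns, cert_types=2, sig_algs=20):
    """Bytes in a TLS 1.2 CertificateRequest (RFC 5246 7.4.4): certificate_types
    vector, supported_signature_algorithms vector, and the certificate_authorities
    vector in which every DER DN is prefixed by a 2-byte length."""
    body = (1 + cert_types) + (2 + 2 * sig_algs) + (2 + sum(2 + len(dn) for dn in ca_dns))
    return HANDSHAKE_HEADER + body


def check_advertised_cas(names, limit=MAX_HANDSHAKE_MESSAGE):
    """Report whether advertising the given CA subject names fits the handshake limit."""
    size = certificate_request_size([encode_dn(n) for n in names])
    return {"ca_count": len(names), "message_bytes": size,
            "fits": size <= limit, "headroom": limit - size}


def constructed_ca_names(count):
    """Constructed sample CA subject names for the demonstration (not real CAs)."""
    return [[("C", "US"), ("O", f"Example Org {i:03d}"),
             ("CN", f"Example Org {i:03d} Issuing CA")] for i in range(count)]


if __name__ == "__main__":
    for n in (10, 100, 178, 179):
        print(n, check_advertised_cas(constructed_ca_names(n)))
```

With the constructed names above (78-byte DNs), the message grows by 80 bytes per CA and crosses the limit at 179 CAs; real CA names with longer O and CN values leave room for fewer. TLS 1.3 carries the list in a certificate_authorities extension instead, so the exact arithmetic differs there, but the per-CA cost is the same DER DN plus a 2-byte length.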


SSL Profile Configuration Considerations

  1. Key and Certificate Changes:

    • Active Connections: When the key or certificate is changed in an SSL profile, existing active SSL connections will not immediately use the new certificate. They will continue with the old certificate until they are re-negotiated or completed.

    • For the new certificate to be used on every connection, either let the active sessions complete (which keeps service uninterrupted) or restart the TMM (which applies the change immediately but drops existing connections).

  2. Client Certificate Authentication:

    • Configuring client certificate authentication is important when securing communication with trusted clients. If you choose to require or request a client certificate, ensure that the Trusted Certificate Authorities list and the Advertised Certificate Authorities are both populated to avoid any authentication failures.

    • The frequency of client authentication can be set to either Once or Always, depending on your security requirements.

  3. Revocation Checking:

    • The revocation status of certificates can be checked using CRL, OCSP, or CRLDP. It is crucial to configure these settings to avoid trusting a revoked certificate.

    • For a more dynamic and real-time solution, OCSP is generally preferred over using static CRLs.

  4. SSL Handshake Size Limitations:

    • Large lists of Advertised Certificate Authorities can lead to issues if the SSL handshake message size exceeds the maximum allowed size of 14,304 bytes. This could result in handshake failures.
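The client certificate authentication rules above (Require or Request needs both a Trusted CA list and an Advertised CA list, never "None") are easy to miss during a change. The following Python is an added example, not F5 tooling and not part of these notes, that parses the brace-delimited output of `tmsh list ltm profile client-ssl` and flags profiles that violate those constraints. The sample output is constructed for the example and the exact key/value layout is assumed from the tmsh block style; the property names used (`peer-cert-mode`, `ca-file`, `client-cert-ca`, `authenticate`) are the tmsh attributes for these settings.

```python
"""Lint BIG-IP client-ssl profiles for the client-certificate constraints in the notes."""
import re

# Constructed sample of `tmsh list ltm profile client-ssl` output (assumed layout;
# not captured from a real device). Three profiles: one correct, one broken, one
# that does not use client certificate authentication at all.
SAMPLE_TMSH_OUTPUT = """\
ltm profile client-ssl app_ok {
    authenticate always
    ca-file partner-ca-bundle.crt
    cert-key-chain {
        default {
            cert app.crt
            key app.key
        }
    }
    client-cert-ca partner-ca-bundle.crt
    defaults-from clientssl
    peer-cert-mode require
}
ltm profile client-ssl app_broken {
    authenticate once
    ca-file none
    client-cert-ca none
    defaults-from clientssl
    peer-cert-mode request
}
ltm profile client-ssl app_plain {
    defaults-from clientssl
    peer-cert-mode ignore
}
"""

HEADER = re.compile(r"^ltm profile client-ssl (\S+) \{$")


def parse_client_ssl_profiles(text):
    """Return {profile_name: {property: value}} for each profile's top-level
    properties; nested blocks such as cert-key-chain are skipped."""
    profiles, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if depth == 0:
            m = HEADER.match(line)
            if m:
                current = m.group(1)
                profiles[current] = {}
                depth = 1
            continue
        if line == "}":
            depth -= 1
            if depth == 0:
                current = None
            continue
        if line.endswith("{"):
            depth += 1          # entering a nested block (e.g. cert-key-chain)
            continue
        if depth == 1:
            key, _, value = line.partition(" ")
            profiles[current][key] = value
    return profiles


def lint_profile(name, props):
    """With peer-cert-mode require or request, both ca-file (Trusted CAs) and
    client-cert-ca (Advertised CAs) must be set; 'none' is a misconfiguration."""
    mode = props.get("peer-cert-mode", "ignore")   # BIG-IP default is ignore
    findings = []
    if mode in ("require", "request"):
        for prop, label in (("ca-file", "Trusted Certificate Authorities"),
                            ("client-cert-ca", "Advertised Certificate Authorities")):
            if props.get(prop, "none") == "none":
                findings.append(f"{name}: peer-cert-mode {mode} but {label} ({prop}) is none")
    return findings


def lint_tmsh_output(text):
    """Run the check over every profile in one tmsh listing."""
    profiles = parse_client_ssl_profiles(text)
    return [f for name, props in profiles.items() for f in lint_profile(name, props)]


if __name__ == "__main__":
    for finding in lint_tmsh_output(SAMPLE_TMSH_OUTPUT):
        print(finding)
```

Run it against a saved listing (`tmsh list ltm profile client-ssl > profiles.txt`) and feed the file contents to `lint_tmsh_output`; profiles that inherit a setting from their parent via `defaults-from` will show the inherited value only if the listing was taken with `all-properties`, so lint that form when parent profiles are in use.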


Summary of SSL Profile Key Settings

Setting                             Description                                              Possible Values
SSL Certificate                     Defines the SSL certificate used for the profile.        User-defined certificate
Key                                 Defines the private key for the SSL certificate.         User-defined key
Certificate Verification Checks     Verifies the certificate's validity.                     DS Check, Certificate Chain, Expiration, Revocation
Client Certificate Authentication   Enforces authentication for clients.                     Ignore, Require, Request
Frequency of Client Authentication  How often client certificates are verified.              Once (default), Always
Trusted Certificate Authorities     List of trusted CAs for client certificate validation.   Certificates installed in BIG-IP
Advertised Certificate Authorities  CAs advertised when requesting a client certificate.     List of trusted CAs
Revocation Checking                 Validates certificate revocation.                        CRL, OCSP, CRLDP
SSL Handshake Message Size          Maximum size for SSL handshake messages.                 14,304 Bytes (default max)
