Configuring client SSL profiles
A client SSL profile is used to manage the SSL session between the client and the proxy. It allows FortiADC to accept and terminate client requests sent via the SSL protocol. The Client SSL Profile page provides the settings for configuring client-side SSL connections, and displays all the client SSL profiles that have been configured on the system.
Before you begin creating a client SSL profile:
- You must have already created configuration objects for certificates, certificate caching, and certificate verify if you want to include them in the profile.
- You must have Read-Write permission for Load Balance settings.
To configure custom profiles:
- Go to Server Load Balance > Application Resources. Click the Client SSL Profile tab.
- Click Create New to display the configuration editor.
- Complete the configuration as described in Client SSL profile configuration guidelines.
- Save the configuration.
You can clone a predefined client SSL profile to help you get started with a user-defined configuration. To clone a configuration object, click the clone icon that appears in the tools column on the configuration summary page.
Type | Profile Configuration Guidelines |
---|---|
Name | Specify a unique name for the client SSL profile. |
Customized SSL Ciphers Flag | Enable or disable the use of user-specified cipher suites. If enabled, you must specify a colon-separated, ordered list of customized SSL cipher suites in Customized SSL Ciphers (below). |
Customized SSL Ciphers | Available only when Customized SSL Ciphers Flag is enabled (above). Specify a colon-separated, ordered list of customized SSL cipher suites. Note: FortiADC uses its default SSL cipher suite list if this field is left empty. |
SSL Ciphers | Ciphers are listed from strongest to weakest. Note: We recommend retaining the default list. If necessary, you can deselect the SSL ciphers that you do not want to support. |
Allowed SSL Versions | You have the following options: We recommend retaining the default list. If necessary, you can deselect SSL versions you do not want to support. Note: FortiADC does not support session reuse for SSLv2 at the client side. Instead, a new SSL session is started. |
Client Certificate Verify | Select the client certificate verify configuration object. |
Client Certificate Forward | Disabled by default. When enabled, you must specify the client certificate forward header (below). |
Client Certificate Forward Header | When Client Certificate Forward is enabled (above), specify the HTTP header in which the client certificate is forwarded. |
Forward Proxy | Disabled by default. When (SSL) Forward Proxy is enabled, you must configure the additional Forward Proxy settings listed at the end of this table. |
Client SNI Required | Require clients to use the TLS Server Name Indication (SNI) extension to include the server hostname in the TLS ClientHello message, so that FortiADC can select the appropriate local server certificate to present to the client. |
Local Certificate Group | Select a local certificate group that includes the certificates this virtual server presents to SSL/TLS clients. This should be the backend servers' certificate, NOT the appliance's GUI web server certificate. See Manage certificates. |
Reject OCSP Stapling with Missing Nextupdate | This flag is meaningful only when you have configured OCSP stapling in the Local Certificate Group. By default, this option is disabled (unselected), and FortiADC accepts all OCSP responses, including those in which the nextUpdate field is not set. If enabled, and the nextUpdate field is not set in an OCSP stapling response, FortiADC does not load that OCSP response or present it to clients during the SSL/TLS handshake. |
Renegotiation | Enable or disable SSL renegotiation from the client side. Note: |
Renegotiation Interval | Specify the minimum interval between two successive client-initiated SSL renegotiation requests. The unit of measurement can be seconds, minutes, or hours, e.g., 100s, 20m, or 1h. Note: |
SSL DH Parameter Size | Specify the public key length, in bits, used for Diffie-Hellman key exchange. Default is 1024. |
SSL Renegotiate Period | Specify the period, in seconds (default), minutes, or hours, after which FortiADC initiates SSL renegotiation. Note: The default is 0, which disables the function. |
SSL Renegotiate Size | Specify the amount of application data (in MB) that must have been transmitted over the SSL connection before FortiADC initiates SSL renegotiation. Note: The default is 0, which disables the function. |
Secure Renegotiation | Select one of the following: |
Dynamic record sizing | Allows FortiADC to dynamically adjust the size of TLS records based on the state of the connection, in order to prevent bottlenecks caused by the buffering of TLS record fragments. Note: The feature is disabled by default. |
Note: The following fields become available only when Forward Proxy is enabled. | |
Forward Proxy Certificate Caching | Select a Forward Proxy Certificate Caching rule. |
Forward Proxy Local Signing CA | Select a Forward Proxy Local Signing CA. |
Forward Proxy Intermediate CA Group | Select a Forward Proxy Intermediate CA Group. |
Backend SSL SNI Forward | Disabled by default. Enable it to let FortiADC forward the Server Name Indication (SNI) received from the client to the back end. |
Backend Customized SSL Ciphers Flag | Enabled by default. In this case, you must specify the backend customized SSL ciphers (below). |
Backend Customized SSL Ciphers | Specify the customized SSL ciphers to be supported at the back end. |
Backend Allowed SSL Versions | We recommend retaining the default list. If necessary, you can deselect SSL versions you do not want to support. Note: FortiADC does not support session reuse for SSLv2 at the client side. Instead, a new SSL session is started. |
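The guidelines above describe several fields whose values are easy to get wrong in ways the GUI does not flag: an ordered, colon-separated cipher list that may contain weak or duplicate suites, legacy protocol versions left enabled, a small DH parameter size, a renegotiation interval in the 100s/20m/1h format, and fields that only make sense together (Client Certificate Forward with its header, Forward Proxy with its Local Signing CA). The following is an added example, not Fortinet code and not part of the original page: a small offline lint that takes a client SSL profile transcribed into a Python dict whose keys mirror the table fields and reports such problems. The dict keys, the weak-cipher keyword list, the 60-second interval threshold and the 2048-bit DH threshold are this example's own assumptions; the page itself only states that the DH default is 1024 and that an empty customized cipher list falls back to the default suite.

```python
"""Offline lint for a client SSL profile modelled as a dict.

Added example: the field names are transcribed from the configuration table,
but the key names, thresholds and weak-cipher keywords are assumptions of this
example, not FortiADC values.
"""
import re

# Suffix-to-seconds map for the interval format the table describes (100s, 20m, 1h).
_UNITS = {"s": 1, "m": 60, "h": 3600}

# Cipher-suite name fragments this example treats as weak or broken (example policy).
WEAK_CIPHER_TOKENS = ("NULL", "EXPORT", "EXP-", "RC4", "DES-CBC", "3DES", "MD5", "ADH", "AECDH")

# Protocol versions this example policy does not want offered to clients.
LEGACY_VERSIONS = {"SSLv2", "SSLv3", "TLSv1.0"}

MIN_DH_BITS = 2048          # example hardening threshold; the page's default is 1024
MIN_RENEG_INTERVAL_SECS = 60  # example threshold for the Renegotiation Interval field


def parse_interval(text):
    """Convert '100s' / '20m' / '1h' to seconds. Raises ValueError on malformed input."""
    match = re.fullmatch(r"\s*(\d+)\s*([smh])\s*", text)
    if not match:
        raise ValueError(f"bad interval {text!r}: expected <number> followed by s, m or h")
    return int(match.group(1)) * _UNITS[match.group(2)]


def parse_cipher_list(text):
    """Split a colon-separated, ordered cipher list, dropping empty entries but keeping order."""
    return [c.strip() for c in text.split(":") if c.strip()]


def lint_profile(profile):
    """Return a list of findings (strings); an empty list means the profile passes this policy."""
    findings = []

    if profile.get("customized_ssl_ciphers_flag"):
        ciphers = parse_cipher_list(profile.get("customized_ssl_ciphers", ""))
        if not ciphers:
            # The page notes that an empty field makes FortiADC fall back to its default list.
            findings.append("Customized SSL Ciphers Flag is enabled but the cipher list is empty; the default list will be used")
        seen = set()
        for cipher in ciphers:
            if cipher in seen:
                findings.append(f"duplicate cipher entry: {cipher}")
                continue
            seen.add(cipher)
            if any(token in cipher for token in WEAK_CIPHER_TOKENS):
                findings.append(f"weak cipher in list: {cipher}")

    for version in profile.get("allowed_ssl_versions", []):
        if version in LEGACY_VERSIONS:
            findings.append(f"legacy protocol version allowed: {version}")

    dh_bits = profile.get("ssl_dh_parameter_size", 1024)
    if dh_bits < MIN_DH_BITS:
        findings.append(f"SSL DH Parameter Size {dh_bits} is below {MIN_DH_BITS} bits")

    if profile.get("renegotiation"):
        try:
            secs = parse_interval(profile.get("renegotiation_interval", ""))
        except ValueError as exc:
            findings.append(str(exc))
        else:
            if secs < MIN_RENEG_INTERVAL_SECS:
                findings.append(f"Renegotiation Interval of {secs}s gives little rate-limiting of client renegotiation requests")

    # Dependent fields: the table says each of these must be set when its parent is enabled.
    if profile.get("client_certificate_forward") and not profile.get("client_certificate_forward_header"):
        findings.append("Client Certificate Forward is enabled but no forward header is set")
    if profile.get("forward_proxy") and not profile.get("forward_proxy_local_signing_ca"):
        findings.append("Forward Proxy is enabled but no Forward Proxy Local Signing CA is selected")

    return findings


# Constructed sample profiles (not from any real deployment).
WEAK_PROFILE = {
    "name": "legacy-client-ssl",
    "customized_ssl_ciphers_flag": True,
    "customized_ssl_ciphers": "ECDHE-RSA-AES128-GCM-SHA256:RC4-SHA:RC4-SHA",
    "allowed_ssl_versions": ["SSLv3", "TLSv1.2"],
    "ssl_dh_parameter_size": 1024,
    "renegotiation": True,
    "renegotiation_interval": "10s",
    "client_certificate_forward": True,
}

HARDENED_PROFILE = {
    "name": "hardened-client-ssl",
    "customized_ssl_ciphers_flag": True,
    "customized_ssl_ciphers": "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256",
    "allowed_ssl_versions": ["TLSv1.2", "TLSv1.3"],
    "ssl_dh_parameter_size": 2048,
    "renegotiation": False,
    "client_certificate_forward": True,
    "client_certificate_forward_header": "X-Client-Cert",  # constructed header name
}

if __name__ == "__main__":
    for prof in (WEAK_PROFILE, HARDENED_PROFILE):
        print(prof["name"], lint_profile(prof))
```

Run it as a script to see the findings for both constructed profiles; in practice the dict would be filled from a profile exported or transcribed from the GUI, and the policy constants adjusted to the organization's own baseline.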