
CLI Reference

config load-balance client-ssl-profile

config load-balance client-ssl-profile

Use this command to configure SSL-type real servers using the client-ssl-profile.

Note: This command is related to "config load-balance certificate-caching".

Predefined profiles

LB_CLIENT_SSL_PROF_DEFAULT

This is the default client SSL load-balancing profile. It is a basic profile that can be used for all client SSL load-balancing scenarios.

Recommended SSL versions:

  • SSLv3
  • TLSv1.0
  • TLSv1.1
  • TLSv1.2
  • TLSv1.3

LB_CLIENT_SSL_PROF_FORWARD_PROXY

This profile is used when the SSL Forward Proxy feature is enabled. It works in tandem with Forward Proxy Certificate Caching (i.e., LB_CERT_RAM_CACHING_DEFAULT) and Forward Proxy Local Signing CA (i.e., SSLPROXY_LOCAL_CA).

Recommended SSL versions:

  • SSLv3
  • TLSv1.0
  • TLSv1.1
  • TLSv1.2
  • TLSv1.3

LB_CLIENT_SSL_PROF_HTTP2

This profile applies to the HTTP/2 protocol only.

Recommended SSL versions:

  • TLSv1.2
  • TLSv1.3

Syntax

config load-balance client-ssl-profile
  edit <name>
    set client-certificate-verify <verify_profile_name>
    set client-sni-required {enable|disable}
    set forward-proxy {enable|disable}
    set local-certificate-group <local_certificate_group_name>
    set ssl-allowed-versions {sslv3 tlsv1.0 tlsv1.1 tlsv1.2 tlsv1.3}
    set ssl-ciphers <one or more ciphers>
    set ssl-customize-ciphers-flag {enable|disable}
    set forward-client-certificate {enable|disable}
    set forward-client-certificate-header <customized_header_name>
    set forward-proxy-certificate-caching <cache_name>
    set forward-proxy-local-signing-CA <local_ca>
    set forward-proxy-intermediate-ca-group <intermediate_ca>
    set backend-ssl-OCSP-stapling-support {enable|disable}
    set reject-ocsp-stapling-with-missing-nextupdate {enable|disable}
    set reject-revoked-unknown-ocsp-stapling {enable|disable}
    set ocsp-stapling-skew-time <integer>
    set ssl-auto-chain-flag {enable|disable}
    set client-certificate-verify-option {required|optional}
    set ssl-session-cache-flag {enable|disable}
    set use-tls-tickets {enable|disable}
    set renegotiation {enable|disable}
    set rfc7919-comply {enable|disable}
    set supported-groups {secp256r1 secp384r1 secp521r1 x25519 x448 ffdhe2048 ffdhe3072 ffdhe4096 ffdhe6144 ffdhe8192}
    set ssl-dynamic-record-sizing {enable|disable}
    set ssl-dh-param-size {1024bit|2048bit|4096bit}
  next
end

client-certificate-verify

Specify a certificate validation policy.

Note: For VS configurations that reference a ZTNA Profile, ensure the corresponding EMS CA certificate is selected for the corresponding Client SSL profile.

client-sni-required

If enabled, clients are required to use the TLS server name indication (SNI) extension to include the server hostname in the TLS ClientHello message. This allows FortiADC to select the appropriate local server certificate to present to the client.

forward-proxy

Enable/disable SSL forward proxy.

local-certificate-group

Configure the local certificate group that includes the certificates the virtual server presents to SSL/TLS clients.

Note: This MUST be the backend server's certificate, NOT the appliance’s GUI web server certificate.

ssl-allowed-versions

Specify the allowed SSL versions in a space-separated list.

  • sslv3
  • tlsv1.0
  • tlsv1.1
  • tlsv1.2
  • tlsv1.3

Note:

  • FortiADC does not support session reuse for SSLv2 at the client side. Instead, a new SSL session is started. Make sure that the selected SSL versions are contiguous (no gaps between versions); if they are not, an error message is returned.

  • RFC 7919 Comply cannot support SSLv3 and TLS 1.3. If rfc7919-comply is enabled and sslv3 or tlsv1.3 is selected in ssl-allowed-versions, an error message will display.

ssl-ciphers

Specify the supported SSL ciphers in a space-separated list.

Ciphers are listed from strongest to weakest:

  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-ECDSA-CAMELLIA256-SHA384
  • *ECDHE-ECDSA-AES256-SHA
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • *ECDHE-ECDSA-AES128-SHA256
  • ECDHE-ECDSA-CAMELLIA128-SHA256
  • *ECDHE-ECDSA-AES128-SHA
  • ECDHE-ECDSA-DES-CBC3-SHA
  • ECDHE-ECDSA-RC4-SHA
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-RSA-CAMELLIA256-SHA384
  • *ECDHE-RSA-AES256-SHA
  • DHE-RSA-AES256-GCM-SHA384
  • *DHE-RSA-AES256-SHA256
  • DHE-RSA-CAMELLIA256-SHA256
  • *DHE-RSA-AES256-SHA
  • DHE-RSA-CAMELLIA256-SHA
  • AES256-GCM-SHA384
  • *AES256-SHA256
  • *AES256-SHA
  • ECDHE-RSA-AES128-GCM-SHA256
  • *ECDHE-RSA-AES128-SHA256
  • ECDHE-RSA-CAMELLIA128-SHA256
  • *ECDHE-RSA-AES128-SHA
  • DHE-RSA-AES128-GCM-SHA256
  • *DHE-RSA-AES128-SHA256
  • DHE-RSA-CAMELLIA128-SHA256
  • *DHE-RSA-AES128-SHA
  • AES128-GCM-SHA256
  • *AES128-SHA256
  • *AES128-SHA
  • ECDHE-RSA-RC4-SHA
  • RC4-SHA
  • RC4-MD5
  • ECDHE-RSA-DES-CBC3-SHA
  • EDH-RSA-DES-CBC3-SHA
  • DES-CBC3-SHA
  • eNULL

*These ciphers are fully supported by hardware SSL (in 400F, 1200F, 2200F, 4200F and 5000F).

ssl-customize-ciphers-flag

Enable/disable the use of user-specified cipher suites.

forward-client-certificate

Enable/disable. If enabled, FortiADC sends the whole client certificate, Base64-encoded, in the specified HTTP header, which is either X-Client-Cert or a user-defined header.

forward-client-certificate-header

The default header name is X-Client-Cert, but you can customize it using this command.

forward-proxy-certificate-caching

Select the RAM cache used to store re-signed certificates.

forward-proxy-local-signing-CA

Set the CA used to sign the server certificate.

forward-proxy-intermediate-ca-group

Set the intermediate CA group used to sign the server certificate.

backend-ssl-sni-forward

Enable/disable forwarding the server's SNI.

backend-ssl-customize-ciphers-flag

Enable/disable customized ciphers used to connect to the real server.

backend-ssl-customized-ciphers

Set the cipher used to connect to the real server.

backend-allow-ssl-versions

Set the SSL version used to connect to the real server.

backend-ssl-OCSP-stapling-support

Enable or disable OCSP stapling support on the backend (real server) SSL connection. Disabled by default.

Note: This parameter is available only when backend-certificate-verify is configured and forward-proxy is enabled.

reject-ocsp-stapling-with-missing-nextupdate

Enable or disable rejection of stapled OCSP responses that lack a nextUpdate time. Disabled by default.

Note: When disabled, FortiADC will accept OCSP responses without the next-update time. If enabled, FortiADC will reject OCSP responses without the next-update time.

reject-revoked-unknown-ocsp-stapling

Enable or disable reject-revoked-unknown-ocsp-stapling. Enabled by default.

Note: When enabled, FortiADC will reject OCSP responses whose status is revoked or unknown.

ocsp-stapling-skew-time

Clock-skew tolerance, in seconds, applied when checking the thisUpdate and nextUpdate times of a stapled OCSP response. The default is 0.

ssl-auto-chain-flag

Enabled by default. When the local certificate used in this client-ssl-profile is issued by the CA configured under client-certificate-verify, FortiADC automatically builds the certificate chain and presents it to the client.

client-certificate-verify-option

Choose either of the following:

  • required—If this option is set to required, a client certificate is required for verification.
  • optional—If this option is set to optional, the system needs to work with a script such as OPTIONAL_CLIENT_AUTHENTICATION. In that case, FortiADC accepts the SSL handshake for the initial transaction and then lets the script control the subsequent actions.

ssl-session-cache-flag

Enable to store SSL sessions in the session cache. This option is automatically disabled when client-certificate-verify-option is set to optional.

use-tls-tickets

Enable to allow reuse of TLS session tickets. This option is automatically disabled when client-certificate-verify-option is set to optional.

renegotiation

Enable or disable SSL renegotiation from the client side.

Note: The feature is disabled by default.

rfc7919-comply

Enable/disable RFC 7919 compliance (negotiated finite-field Diffie-Hellman ephemeral parameters for TLS).

Note:

  • RFC 7919 Comply is not supported for Forward Proxy. If rfc7919-comply is enabled and forward-proxy is enabled, the RFC 7919 Comply feature will not apply to Forward Proxy functionality.

  • RFC 7919 Comply cannot support SSLv3 and TLS 1.3. If rfc7919-comply is enabled and sslv3 or tlsv1.3 is selected in ssl-allowed-versions, an error message will display.

  • When rfc7919-comply is enabled, the ssl-dh-param-size option becomes unavailable.

supported-groups

The supported-groups option is available if rfc7919-comply is enabled.

Specify the supported group objects from the following:

  • secp256r1
  • secp384r1
  • secp521r1
  • x25519
  • x448
  • ffdhe2048
  • ffdhe3072
  • ffdhe4096
  • ffdhe6144
  • ffdhe8192

At least one item from the FFDHE group must be selected.

Note:

The RFC 7919 Comply feature requires certain cipher selections to correspond with the Supported Group selection.

  • If an FFDHE group is selected (for example, ffdhe2048), then at least one cipher must be DHE-RSA (for example, DHE-RSA-AES256-SHA256).

  • If the Supported Group includes groups other than FFDHE (such as a SECP group, secp256r1), then at least one cipher must be ECDHE (for example, ECDHE-ECDSA-AES256-GCM-SHA384).

  • If an ECDHE cipher is selected (for example, ECDHE-ECDSA-AES256-GCM-SHA384), then the Supported Group must include at least one group that is not FFDHE (such as a SECP group, secp256r1).
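The rules above for ssl-allowed-versions contiguity, rfc7919-comply, supported-groups and cipher pairing, ssl-dh-param-size, and the side effects of client-certificate-verify-option optional on ssl-session-cache-flag and use-tls-tickets can be checked before a profile is pushed. The following Python checker is an added example, not Fortinet's code; it parses a client-ssl-profile block in the shape of the examples on this page, and the profile name and values in SAMPLE are constructed.

```python
"""Audit a FortiADC client-ssl-profile block against the constraints stated in
this reference. Added example, not Fortinet code: it understands only the
set/unset lines of one `edit` block, in the shape shown on this page."""

VERSIONS = ["sslv3", "tlsv1.0", "tlsv1.1", "tlsv1.2", "tlsv1.3"]
FFDHE = {"ffdhe2048", "ffdhe3072", "ffdhe4096", "ffdhe6144", "ffdhe8192"}

# Constructed sample profile (name and values are illustrative only).
SAMPLE = """config load-balance client-ssl-profile
  edit "rfc7919_demo"
    set ssl-allowed-versions tlsv1.2 tlsv1.3
    set ssl-customize-ciphers-flag enable
    set ssl-ciphers ECDHE-ECDSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256
    set rfc7919-comply enable
    set supported-groups secp256r1 ffdhe2048
    set ssl-dh-param-size 2048bit
  next
end
"""


def parse_profile(text):
    """Return {setting: [values]} from `set` lines; `unset` maps to []."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) >= 2 and parts[0] == "set":
            settings[parts[1]] = parts[2:]
        elif len(parts) >= 2 and parts[0] == "unset":
            settings[parts[1]] = []
    return settings


def validate(settings):
    """Return a list of rule violations; an empty list means the block is consistent."""
    problems = []

    def enabled(key):
        return settings.get(key) == ["enable"]

    versions = settings.get("ssl-allowed-versions", [])
    groups = set(settings.get("supported-groups", []))
    ciphers = settings.get("ssl-ciphers", [])

    # Allowed versions must be contiguous (no gap such as sslv3 + tlsv1.2).
    idx = sorted(VERSIONS.index(v) for v in versions if v in VERSIONS)
    if idx and idx != list(range(idx[0], idx[-1] + 1)):
        problems.append("ssl-allowed-versions is not contiguous: " + " ".join(versions))

    if enabled("rfc7919-comply"):
        if "sslv3" in versions or "tlsv1.3" in versions:
            problems.append("rfc7919-comply does not support sslv3 or tlsv1.3")
        if "ssl-dh-param-size" in settings:
            problems.append("ssl-dh-param-size is unavailable when rfc7919-comply is enabled")
        if not groups & FFDHE:
            problems.append("supported-groups must include at least one ffdhe group")
        has_dhe = any(c.startswith("DHE-RSA-") for c in ciphers)
        has_ecdhe = any(c.startswith("ECDHE-") for c in ciphers)
        if groups & FFDHE and not has_dhe:
            problems.append("an ffdhe group is selected but no DHE-RSA cipher is")
        if groups - FFDHE and not has_ecdhe:
            problems.append("a non-FFDHE group is selected but no ECDHE cipher is")
        if has_ecdhe and not groups - FFDHE:
            problems.append("an ECDHE cipher is selected but no non-FFDHE group is")
    elif "supported-groups" in settings:
        problems.append("supported-groups is only available when rfc7919-comply is enabled")

    # Session cache and TLS tickets are auto-disabled with verify-option optional.
    if settings.get("client-certificate-verify-option") == ["optional"]:
        for key in ("ssl-session-cache-flag", "use-tls-tickets"):
            if enabled(key):
                problems.append(key + " is auto-disabled when client-certificate-verify-option is optional")
    return problems


if __name__ == "__main__":
    for problem in validate(parse_profile(SAMPLE)):
        print("PROBLEM:", problem)
```

Running it on SAMPLE reports the tlsv1.3 conflict and the unavailable ssl-dh-param-size; removing those two settings yields an empty list.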

ssl-dynamic-record-sizing

Allows ADC to dynamically adjust the size of TLS records based on the state of the connection, in order to prevent bottlenecks caused by the buffering of TLS record fragments.

Note: The feature is disabled by default.

ssl-dh-param-size

Specify the Diffie-Hellman public key length in bits. Default is 1024.

Note: The ssl-dh-param-size option is not available when rfc7919-comply is enabled.

ssl-auto-chain-flag

Set it to disable to make ADC present only local certificates.

Note: If the CA configured under client-certificate-verify happens to be the issuer of the configured local certificates, FortiADC presents the chain certificates to the client. If this is not intended, set ssl-auto-chain-flag to disable.

Default is enable.

Example 1: Create a new client SSL profile and reference it in the virtual server configuration

Step 1: Configure a client SSL profile

config load-balance client-ssl-profile
  edit "csp1"
    set ssl-customize-ciphers-flag disable
    set ssl-ciphers DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA RC4-SHA RC4-MD5 EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA EDH-RSA-DES-CBC-SHA DES-CBC-SHA
    set ssl-allowed-versions sslv3 tlsv1.0 tlsv1.1 tlsv1.2
    set forward-proxy enable
    unset client-certificate-verify
    set forward-proxy-certificate-caching LB_CERT_RAM_CACHING_DEFAULT
    set forward-proxy-local-signing-CA SSLPROXY_LOCAL_CA
    unset forward-proxy-intermediate-ca-group
    unset backend-certificate-verify
    set backend-ssl-sni-forward enable
    set backend-ssl-customize-ciphers-flag enable
    set backend-ssl-customized-ciphers test
    set backend-ssl-allowed-versions sslv3 tlsv1.0 tlsv1.1 tlsv1.2
    set ssl-auto-chain-flag enable
  next
end

Step 2: Reference the client SSL profile in the virtual server configuration:

config load-balance virtual-server
  edit "https_vS1"
    set client-ssl-profile csp1
  next
end

Example 2: Create a certificate-caching object and reference it in the client SSL profile

config load-balance certificate-caching
  edit "1"
    set max-certificate-cache-size 100M
    set max-entries 10000
  next
end

config load-balance client-ssl-profile
  edit "test"
    set forward-proxy-certificate-caching 1
    set forward-proxy-local-signing-CA ca1
    set forward-proxy-intermediate-ca-group inter_group
    set backend-ssl-sni-forward enable
    set backend-ssl-customize-ciphers-flag enable
    set backend-ssl-customized-ciphers ECDHE-ECDSA-AES256-GCM-SHA384
    set backend-allow-ssl-versions tlsv1.1 tlsv1.2
  next
end

backend-ssl-customized-ciphers applies when backend-ssl-customize-ciphers-flag is enable. When the flag is disable, select the backend ciphers from the predefined list with backend-ssl-ciphers instead, for example:

    set backend-ssl-customize-ciphers-flag disable
    set backend-ssl-ciphers DHE-RSA-AES256-SHA DES-CBC3-SHA

Example 3: Create a client-certificate-verify object and reference it in the client SSL profile

config load-balance client-ssl-profile
  edit "csp1"
    set ssl-customize-ciphers-flag disable
    set ssl-ciphers DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA RC4-SHA RC4-MD5 EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA EDH-RSA-DES-CBC-SHA DES-CBC-SHA
    set ssl-allowed-versions sslv3 tlsv1.0 tlsv1.1 tlsv1.2
    set forward-proxy enable
    set forward-proxy-certificate-caching LB_CERT_RAM_CACHING_DEFAULT
    set forward-proxy-local-signing-CA SSLPROXY_LOCAL_CA
    unset forward-proxy-intermediate-ca-group
    set client-certificate-verify verify
    set client-certificate-verify-option required
    set ssl-session-cache-flag enable
    set use-tls-tickets enable
    set backend-ssl-sni-forward enable
    set backend-ssl-customize-ciphers-flag enable
    set backend-ssl-customized-ciphers test
    set backend-ssl-allowed-versions sslv3 tlsv1.0 tlsv1.1 tlsv1.2
    set ssl-auto-chain-flag enable
  next
end
