Configuring Advanced SSL Settings

Sep 01, 2016
Advanced customization of your SSL configuration addresses specific issues. You can use the set ssl parameter command or the configuration utility to specify the following:
  • The quantum size to be used for SSL transactions.
  • The CRL memory size.
  • The OCSP cache size.
  • Whether to deny SSL renegotiation.
  • Whether to set the PUSH flag for decrypted, encrypted, or all records.
  • Whether to drop requests if the client initiates the handshake for one domain and then sends an HTTP request for another domain.
  • The time after which encryption is triggered.
    Note: The time that you specify applies only if you use the set ssl vserver command or the configuration utility to set timer-based encryption.

To configure advanced SSL settings by using the command line interface

At the command prompt, type the following commands to configure advanced SSL settings and verify the configuration:

  • set ssl parameter [-quantumSize <quantumSize>] [-crlMemorySizeMB <positive_integer>] [-strictCAChecks (YES | NO)] [-sslTriggerTimeout <positive_integer>] [-sendCloseNotify (YES | NO)] [-encryptTriggerPktCount <positive_integer>] [-denySSLReneg <denySSLReneg>] [-insertionEncoding (Unicode|UTF-8)] [-ocspCacheSize <positive_integer>] [-pushFlag <positive_integer>] [-dropReqWithNoHostHeader (YES | NO)] [-pushEncTriggerTimeout <positive_integer>]
  • show ssl parameter

Example

> set ssl parameter -quantumSize 8 -crlMemorySizeMB 256 -strictCAChecks no -sslTriggerTimeout 100 -sendCloseNotify no -encryptTriggerPktCount 45 -denySSLReneg no -insertionEncoding unicode -ocspCacheSize 10 -pushFlag 3 -dropReqWithNoHostHeader YES -pushEncTriggerTimeout 100 ms
 Done

> show ssl parameter
Advanced SSL Parameters
-----------------------
        SSL quantum size:               8 kB
        Max CRL memory size:            256 MB
        Strict CA checks:               NO
        Encryption trigger timeout      100 mS
        Send Close-Notify               NO
        Encryption trigger packet count:        45
        Deny SSL Renegotiation          NO
        Subject/Issuer Name Insertion Format:   Unicode
        OCSP cache size:        10 MB
        Push flag:      0x3 (On every decrypted and encrypted record)
        Strict Host Header check for SNI enabled SSL sessions:          YES
        PUSH encryption trigger timeout 100 ms
 Done

To configure advanced SSL settings by using the configuration utility

Navigate to Traffic Management > SSL and, in the Settings group, select Change advanced SSL settings.

PUSH Flag-Based Encryption Trigger Mechanism

The encryption trigger mechanism that is based on the PSH TCP flag now enables you to do the following:

  • Merge consecutive packets in which the PSH flag is set into a single SSL record, or ignore the PSH flag.
  • Perform timer-based encryption, in which the time-out value is set globally by using the set ssl parameter -pushEncTriggerTimeout <positive_integer> command.

To configure PUSH flag-based encryption by using the command line interface

At the command prompt, type the following commands to configure PUSH flag-based encryption and verify the configuration:

  • set ssl vserver <vServerName> [-pushEncTrigger <pushEncTrigger>]
  • show ssl vserver

Example

Advanced SSL configuration for VServer v1:
        DH: DISABLED
        Ephemeral RSA: ENABLED                            Refresh Count: 0
        Session Reuse: ENABLED                              Timeout: 120 seconds
        Cipher Redirect: DISABLED
        SSLv2 Redirect: DISABLED
        ClearText Port: 0
        Client Auth: DISABLED
        SSL Redirect: DISABLED
        Non FIPS Ciphers: DISABLED
        SNI: DISABLED
        SSLv2: DISABLED               SSLv3: ENABLED                TLSv1: ENABLED
        Push Encryption Trigger: Always
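The two show commands on this page print settings in a loosely formatted, multi-column layout that is awkward to review by eye across many appliances. The following Python script is an added example, not NetScaler code: it parses text shaped like the `show ssl parameter` and `show ssl vserver` output above and flags the values a reviewer would normally question (renegotiation accepted, strict CA checks off, no close_notify, SSLv2/SSLv3 enabled). The sample output embedded in the script is constructed from the examples on this page rather than captured from a device, the field names are taken from those examples, and the list of "weak" values is this example's own judgement rather than anything the product enforces.

```python
import re

# Constructed sample output, modelled on the examples in this page
# (not captured from a real appliance).
SSL_PARAMETER_OUTPUT = """\
Advanced SSL Parameters
-----------------------
        SSL quantum size:               8 kB
        Max CRL memory size:            256 MB
        Strict CA checks:               NO
        Encryption trigger timeout      100 mS
        Send Close-Notify               NO
        Encryption trigger packet count:        45
        Deny SSL Renegotiation          NO
        Subject/Issuer Name Insertion Format:   Unicode
        OCSP cache size:        10 MB
        Push flag:      0x3 (On every decrypted and encrypted record)
        Strict Host Header check for SNI enabled SSL sessions:          YES
        PUSH encryption trigger timeout 100 ms
 Done
"""

SSL_VSERVER_OUTPUT = """\
Advanced SSL configuration for VServer v1:
        DH: DISABLED
        Ephemeral RSA: ENABLED                            Refresh Count: 0
        Session Reuse: ENABLED                              Timeout: 120 seconds
        Cipher Redirect: DISABLED
        SSLv2 Redirect: DISABLED
        ClearText Port: 0
        Client Auth: DISABLED
        SSL Redirect: DISABLED
        Non FIPS Ciphers: DISABLED
        SNI: DISABLED
        SSLv2: DISABLED               SSLv3: ENABLED                TLSv1: ENABLED
        Push Encryption Trigger: Always
"""

# Splits a single-spaced "label <number> <unit>" line such as
# "PUSH encryption trigger timeout 100 ms" into its label and value.
_TRAILING_VALUE = re.compile(r"^(?P<key>.+?)\s+(?P<value>\d+(?:\s*\S+)?)$")


def parse_show_output(text):
    """Turn show-command text into {lowercased label: value}.

    Several fields can share one line (the SSLv2/SSLv3/TLSv1 line), and some
    labels have no colon, so each line is split on runs of two or more spaces
    and the resulting tokens are paired up label/value.
    """
    settings = {}
    for raw in text.splitlines():
        tokens = re.split(r"\s{2,}", raw.strip())
        i = 0
        while i < len(tokens):
            token = tokens[i]
            i += 1
            if ":" in token:
                key, value = (part.strip() for part in token.split(":", 1))
                if not value:
                    if i < len(tokens):      # "Push flag:      0x3 (...)"
                        value = tokens[i]
                        i += 1
                    else:                    # section title ending in ":"
                        continue
            elif i < len(tokens):            # "Send Close-Notify      NO"
                key, value = token, tokens[i]
                i += 1
            else:
                m = _TRAILING_VALUE.match(token)
                if not m:                    # "Done", dashes, title lines
                    continue
                key, value = m.group("key"), m.group("value")
            settings[key.lower()] = value.strip()
    return settings


# (label as printed, value treated as weak, reason and the parameter that changes it)
PARAMETER_CHECKS = [
    ("deny ssl renegotiation", "NO",
     "client-initiated renegotiation is accepted; see set ssl parameter -denySSLReneg"),
    ("strict ca checks", "NO",
     "strict CA checks are off; see set ssl parameter -strictCAChecks YES"),
    ("send close-notify", "NO",
     "no close_notify is sent, so peers cannot tell a clean close from truncation; "
     "see set ssl parameter -sendCloseNotify YES"),
    ("strict host header check for sni enabled ssl sessions", "NO",
     "requests whose Host differs from the SNI domain are not dropped; "
     "see set ssl parameter -dropReqWithNoHostHeader YES"),
]
VSERVER_CHECKS = [
    ("sslv2", "ENABLED", "SSLv2 is enabled on this virtual server"),
    ("sslv3", "ENABLED", "SSLv3 is enabled on this virtual server"),
]


def audit(settings, checks):
    """Return (label, value, reason) for every check whose weak value is present."""
    return [(key, settings[key], reason) for key, weak, reason in checks
            if key in settings and settings[key].upper() == weak]


def audit_ssl_parameter(text):
    return audit(parse_show_output(text), PARAMETER_CHECKS)


def audit_ssl_vserver(text):
    return audit(parse_show_output(text), VSERVER_CHECKS)


if __name__ == "__main__":
    for label, text, fn in (("ssl parameter", SSL_PARAMETER_OUTPUT, audit_ssl_parameter),
                            ("ssl vserver", SSL_VSERVER_OUTPUT, audit_ssl_vserver)):
        for key, value, reason in fn(text):
            print(f"[{label}] {key} = {value}: {reason}")
```

Run against the page's own sample values, the script reports three findings for the global parameters (renegotiation, strict CA checks and close_notify all set to NO) and one for the virtual server (SSLv3 enabled); the Strict Host Header check is YES in the example and so produces nothing. Feed it the real output of the two show commands from each appliance to compare them against the same baseline.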

To configure PUSH flag-based encryption by using the configuration utility

  1. Navigate to Traffic Management > Load Balancing > Virtual servers and open an SSL virtual server.
  2. In the SSL Parameters section, from the PUSH Encryption Trigger list, select a value.