Manual Chapter: SSL Configuration
Applies To: F5 SSL Orchestrator 17.1.0
SSL Configuration
On the SSL Configuration screen, you can set up or manage your forward proxy (for
outbound traffic) or reverse proxy (for inbound traffic) scenarios by creating a new SSL
profile or selecting an existing SSL profile that you previously created. In addition, you
can attach multiple SSL profiles to the same virtual server for both inbound and outbound
topologies. You can also switch SSL profiles based on ClientHello SNI matches. To do this,
specify the server name used for SNI communications and select the Default SNI checkbox in
the SSL profile that the system should consider as the default profile. You can use only
one such SSL Configuration in a Topology.
You can set up and manage client and server cipher types (group or string) and select the
certificate, key, and chain configuration details required to process SSL traffic.
For outbound scenarios, click Show Advanced Setting to enable or disable SSL forward proxy
bypass when receiving a handshake failure, protocol version, or unsupported extension alert
message during the server-side SSL handshake, so the SSL traffic bypasses the BIG-IP system
untouched, without decryption/encryption.
You can enable or disable SSL forward proxy bypass when failing to get a client certificate
(that the server asks for), so the SSL traffic bypasses the BIG-IP system untouched, without
decryption/encryption.
You can also control whether SSL Orchestrator should ignore/drop
untrusted/expired server certificates for outbound and inbound scenarios. Additionally,
you can specify an OCSP responder or a CRL file to validate server certificates.