Manual Chapter : Create a custom Server SSL profile

Applies To:

Show Versions Show Versions

BIG-IP DNS

  • 14.1.0

BIG-IP AFM

  • 14.1.0

BIG-IP Analytics

  • 14.1.0

BIG-IP PEM

  • 14.1.0

BIG-IP ASM

  • 14.1.0

BIG-IP AAM

  • 14.1.0

BIG-IP Link Controller

  • 14.1.0

BIG-IP APM

  • 14.1.0

BIG-IP LTM

  • 14.1.0
Manual Chapter

Create a custom Server SSL profile

With a Server SSL profile, the BIG-IP® system can perform decryption and encryption for server-side SSL traffic.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Server .
    The Server SSL profile list screen opens.
  2. Click Create.
    The New Server SSL Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. From the Parent Profile list, select serverssl.
  5. From the Configuration list, select Advanced.
  6. Select the Custom check box.
    The settings become available for change.
  7. From the Certificate list, select the name of an SSL certificate on the BIG-IP system.
    Important: If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default certificate name, and ensure that this same certificate name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
  8. From the Key list, select the name of an SSL key on the BIG-IP system.
    Important: If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default key name, and ensure that this same key name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
  9. In the Pass Phrase field, type a pass phrase that enables access to the certificate/key pair on the BIG-IP system.
  10. From the Chain list, select the name of an SSL chain on the BIG-IP system.
  11. For the Ciphers setting, specify a cipher group or cipher string by choosing one of these options.
    Note: If you specified an ECDSA certificate key chain in the Certificate Key Chain setting, you must include the cipher string ECDHE_ECDSA in the cipher group or cipher string that you specify in the Ciphers setting. (At a minimum, you should specify a cipher group or string such as DEFAULT:ECDHE_ECDSA.) This is necessary to ensure successful cipher negotiation when the BIG-IP system is offered an ECDSA-based certificate only.
    Option Description
    Cipher Group

    Select an existing cipher group from the list when you want to use a system-defined or custom cipher group to define the ciphers that the BIG-IP system uses for negotiating SSL connections. Here's an example of the Ciphers setting where we've selected a custom cipher group that we created earlier.

    Cipher String

    Type a cipher string in the box if you want to manually specify a cipher string instead of selecting a cipher group. For security and performance reasons, consider following these recommendations:

    • Always append ciphers to the DEFAULT cipher string.
    • Type a cipher string that includes the ECC key type, because its shorter length speeds up encryption and decryption while still offering virtually the same level of security.
    • Disable ADH ciphers but also include the keyword HIGH. To do this, just include both !ADH and :HIGH in your cipher string.
    • For AES, DES, and RC4 encryption types, make sure you specify the DHE key exchange method. DHE uses Forward Privacy, which creates a key that it throws away after each session so that the same session key never gets used twice. When you use DHE, make sure that the SSL private key isn't being shared with a monitoring system or a security device like an intrusion detection or prevention system. Also, diagnostic tools like ssldump won't work when you're using Forward Secrecy.
    • Disable EXPORT ciphers by including !EXPORT in the cipher string.
    • If you can live with removing support for the SSLv3 protocol version, do it. This protocol version is not secure. Simply include :!SSLv3 in any cipher string you type.

    Here's an example of the Ciphers setting where we have opted to manually type the cipher string DEFAULT:ECDHE-RSA-AES-128-GCM-SHA256:!ADH:!EXPORT:HIGH:

  12. Configure any other settings as needed.
  13. Click Finished.
After performing this task, you can see the custom Server SSL profile in the list of Server SSL profiles on the system.
Note: By default, TLSv1.3 is disabled in this configuration.
To use this profile, you must assign it to a virtual server. See the Assigning SSL profiles to a virtual server section for detailed information.