SSL Encryption
A pool can perform SSL encryption before it sends traffic to a back-end SSL server. When enabled, SSL encryption can use additional CPU resources on the Traffic Managers that perform the encryption.
To enable SSL encryption for a pool, go to Pools > Edit > SSL Settings.
You can configure the following options:
Setting |
Description |
ssl_encrypt |
Set to “Yes” to enable SSL encryption to the back-end nodes. |
ssl_send_close_alerts |
Set to “Yes” to send an SSL/TLS "close alert" when initiating a socket disconnection. |
ssl_support_<version> |
Set to “Enabled” to allow this pool to use the designated version of SSL or TLS for connections to back-end nodes. Choose Use the global setting to force the Traffic Manager to use instead the equivalent global value set in System > Global Settings > SSL Configuration. |
ssl_cipher_suites |
Specify the list of ciphers available for secure communications to back-end nodes. Use a space-, comma-, or colon-separated list (in order of preference). Leave the list blank to force the Traffic Manager to use instead the equivalent global value set in System > Global Settings > SSL Configuration. |
ssl_client_auth |
If the back-end server requires client certificate authentication, enable this setting to configure the Traffic Manager to select an appropriate certificate from its local Client Certificates catalog. To configure your Traffic Manager with client certificates, see Catalogs > SSL Catalogs > SSL Client Certificates catalog. The server sends to the client a list of Certificate Authorities that it trusts, and by default the Traffic Manager chooses the first client certificate it finds that is signed by one of the server's trusted CAs. To explicitly control which certificate is used, set "ssl_fixed_client_certificate". If a server sends an empty list of CAs, the Traffic Manager does not choose a client certificate unless "ssl_fixed_client_certificate" is set. |
ssl_fixed_client_certificate |
The name of an entry in the SSL Client Certificates catalog, used by the Traffic Manager whenever a server in this pool requests a client certificate. In this case, any list of trusted CAs in the request is ignored. This setting is applicable only if "ssl_client_auth" is enabled. |
ssl_server_name |
Set to “Yes” to cause the Traffic Manager to try the TLS 1.0 "server_name" extension, which can help the back-end node to provide the correct certificate. If you enable this setting, the Traffic Manager is forced to use at least TLS 1.0. |
ssl_strict_verify |
As a protection against man-in-the-middle attacks and server spoofing, the Traffic Manager can validate the SSL certificates used by back-end servers against the CA's in the catalog. Set to “Yes” to instruct the Traffic Manager to reject connections to servers if their certificates have expired, or if the certificate's Common Name does not match the node's IP address, hostname, or one of the names listed in "ssl_common_name_match", or if a CA in the catalog has not signed it. |
ssl_common_name_match |
A list of hostnames or IP addresses that the Traffic Manager accepts as Common Name in the certificate presented by the server. |
Click Update to save your changes.