Configuring Client SSL profiles
A Client SSL profile is used to manage the SSL session between the client and the proxy. It allows FortiADC to accept and terminate client requests sent via the SSL protocol. The Client SSL Profile page provides the settings for configuring client-side SSL connections, and displays all the client SSL profiles that have been configured on the system.
Before you begin:
- You must have already created configuration objects for certificates, certificate caching, and certificate verify if you want to include them in the profile.
- You must have Read-Write permission for Load Balance settings.
To configure custom profiles:
- Go to Server Load Balance > Application Resources.
- Click the Client SSL Profile tab.
- Click Create New to display the configuration editor.
- Complete the configuration as described in Client SSL profile configuration guidelines.
- Save the configuration.
|
You can clone a predefined client SSL profile to help you get started with a user-defined configuration. To clone a configuration object, click the clone icon |
that appears in the tools column on the configuration summary page.| Type | Profile Configuration Guidelines |
|---|---|
|
Name |
Specify a unique name for the client SSL profile. |
|
Customized SSL Ciphers Flag |
Enable or disable the use of user-specified cipher suites. If enabled, you must specify a colon-separated, ordered list of a customized SSL cipher suites. See below. |
|
Customized SSL Ciphers |
Available only when the Customized SSL Cipher Flag is enabled (see above). Specify a colon-separated, ordered list of a customized SSL cipher suites. Note: FortiADC will use the default SSL cipher suite if the field is left empty. |
|
SSL Ciphers |
Ciphers are listed from strongest to weakest:
*These ciphers are fully supported by hardware SSL (in 400F, 1200F, 2200F, 4200F and 5000F). Note: We recommend retaining the default list. If necessary, you can deselect the SSL ciphers that you do not want to support. |
|
TLSv1.3 Cipher Suite List |
TLSv1.3 ciphers are listed as following:
Note: This option only available if the TLSv1.3 is checked. |
|
Allowed SSL Versions |
You have the following options:
We recommend retaining the default list. If necessary, you can deselect SSL versions you do not want to support. Note:
|
|
Client Certificate Verify |
Select the client certificate verify configuration object. Note: For VS configurations that reference a ZTNA Profile, ensure the corresponding EMS CA certificate is selected for the corresponding Client SSL profile. |
|
Client Certificate Verify Mode |
The Client Certificate Verify Mode option is available if the Client Certificate Verify is selected. Select one of the following:
|
|
SSL Session Cache Flag |
Allows to the same SSL client attempts to reconnect to this SSL server and requests a resumption of a previous SSL session. Note: This feature doesn’t support TLSv1.3 |
|
Use TLS Tickets |
Allows resuming TLS sessions by storing key material encrypted on the clients. Note: This feature doesn’t support TLSv1.3 |
|
Client Certificate Forward |
The Client Certificate Forward option is available if the Client Certificate Verify is selected. Disabled by default. When enabled, you must specify the client certificate forward header. |
|
Client Certificate Forward Header |
The Client Certificate Forward Header option is available if the Client Certificate Verify is selected and Client Certificate Forward is enabled. Specify the client certificate forward header. |
|
Forward Proxy |
By default, (SSL) Forward Proxy is disabled. When enabled, you'll have to configure additional settings noted below. Note: RFC 7919 Comply is not supported for Forward Proxy. If RFC 7919 Comply is enabled and Forward Proxy is enabled, the RFC 7919 Comply feature will not apply to Forward Proxy functionality. |
|
Client SNI Required |
Require clients to use the TLS server name indication (SNI) extension to include the server hostname in the TLS client hello message. Then, the FortiADC system can select the appropriate local server certificate to present to the client. |
|
Local Certificate Group |
Select a local certificate group that includes the certificates this virtual server presents to SSL/TLS clients. This should be the backend servers' certificate, NOT the appliance's GUI web server certificate. See Manage Certificates. |
|
Reject OCSP Stapling with Missing Nextupdate |
This flag is meaningful only when you have configured OCSP stapling in Local Certificate Group. By default, this option is disabled (unselected). In that case, FortiADC accepts all OCSP responses, including those in which the next update field is not set. If enabled, and the next update field is not set in an OCSP stapling response, FortiADC will not load this OCSP stapling response or present it to clients during the SSL/TLS handshake. |
| Renegotiation |
Enable or disable SSL renegotiation from the client side. Note:
|
| Renegotiation Interval |
Specify the minimum interval between two successive client-initiated SSL renegotiation requests. The unit of measurement can be second, minute, or hour, e.g., 100s, 20m, or 1h. Note:
|
| SSL DH Parameter Size |
Specify the pubkey length in Diffie Hellman. Default is 1024. Note: The SSL DH Parameter Size option is not available when RFC 7919 Comply is enabled. |
| SSL Renegotiate Period |
Specify the period in second (default), minute, or hour at which FortiADC will initiate SSL renegotiation. Note: The default is 0, which disables the function. |
| SSL Renegotiate Size |
Specify the amount (MB) of application data that must have been transmitted over the SSL connection whenFortiADC initiates SSL renegotiation. Note: The default is 0, which disables the function. |
| Secure Renegotiation |
Select one of the following:
|
|
RFC 7919 Comply |
Enable/disable parameters to comply with RFC 7919. Note:
|
|
Supported Groups |
The Supported Groups option is available if RFC 7919 Comply is enabled. Specify the supported group objects from the following:
At least one item from the FFDHE group must be selected. Note: The RFC 7919 Comply feature requires certain cipher selections to correspond with the Supported Group selection.
|
| Dynamic record sizing |
Allows ADC to dynamically adjust the size of TLS records based on the state of the connection, in order to prevent bottlenecks caused by the buffering of TLS record fragments. Note: The feature is disabled by default. |
|
Forward Proxy Certificate Caching |
The Forward Proxy Certificate Caching option is available if Forward Proxy is enabled. Select a Forward Proxy Certificate Caching rule. |
|
Forward Proxy Local Signing CA |
The Forward Proxy Local Signing CA option is available if Forward Proxy is enabled. Select a Forward Proxy Local Signing CA. |
|
Forward Proxy Intermediate CA Group |
The Forward Proxy Intermediate CA Group option is available if Forward Proxy is enabled. Select a Forward Proxy Intermediate CA Group. |
|
Forward Proxy Resign Cert by SNI |
The Forward Proxy Resign Cert by SNI option is available if Forward Proxy is enabled. Enabled by default, the Forward Proxy Resign Cert by SNI option allows SSL Forward Proxy to return re-signed local certificates with modified CN (or SAN) matching the ClientHello Server Server Name Indication (SNI). This allows the proxy to act automatically when the SNI is detected in the ClientHello message to return a re-signed local certificate to the client. The Common Name (CN) and/or Subject Alternative Name (SAN) of this certificate will be adeptly modified to align with the SNI, ensuring a seamless and trustworthy SSL handshake process. Note: This function is supported HTTP/S virtual servers and real server pools with HTTP/S topology. |
|
Backend SSL SNI Forward |
The Backend SSL SNI Forward option is available if Forward Proxy is enabled. Disabled by default. Enable it to let FortiADC forward Server Name Indication (SNI) from the client to the back end. |
|
Backend Customized SSL Ciphers Flag |
The Backend Customized SSL Ciphers Flag option is available if Forward Proxy is enabled. Enabled by default. In this case, you must specify the backend customized SS ciphers. See below. |
|
Backend Customized SSL Ciphers |
The Backend Customized SSL Ciphers option is available if Forward Proxy and Backend Customized SSL Ciphers Flag are enabled. Specify the customized SSL ciphers to be supported at the back end. |
|
Backend SSL Cipher Suite List |
The Backend SSL Cipher Suite List option is available if Forward Proxy is enabled and Backend Customized SSL Ciphers Flag is disabled. Select the cipher from the list to be supported at the back end. |
|
Backend TLSv1.3 Cipher Suite List |
The Backend TLSv1.3 Cipher Suite List option is available if Forward Proxy is enabled and Backend Allowed SSL Versions selected TLSv1.3. TLSv1.3 ciphers are listed as following: TLS_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_CCM_SHA256 TLS_AES_128_CCM_8_SHA256 Note: This option only available if the backendTLSv1.3 is checked. |
|
Backend Allowed SSL Versions |
The Backend Allowed SSL Versions option is available if Forward Proxy is enabled. We recommend retaining the default list. If necessary, you can deselect SSL versions you do not want to support. Note: FortiADC does not support session reuse for SSLv2 at the client side. Instead, a new SSL session is started. |
|
Backend SSL OCSP Stapling Support |
The Backend SSL OCSP Stapling Support option is available if Forward Proxy is enabled. Disabled by default. Enable it to let FortiADC support OCSP stapling at the backend. |