SSL Offload with HTTP/2.0

Question

I need to configure SSL Offload with HTTP/2.0.

All the guidance I've read says we need to choose clientssl-secure as the client-ssl profile - but how does that work when you're terminating the TLS session? How do we configure a certificate on the client-side?

michael_saleem · Accepted Answer

The following article does give instructions to use the clientssl-secure profile:https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-http2-full-proxy-configuration/http2-full-proxy-configuring.html
However, this is just used an example. In reality, you would use clientssl-secure as a&nbsp;parent profile of a child clientssl profile (which has the cert / key / chain applied).
Below is a configuration that I have used in the past for configuring HTTP/2 with SSL offload. It disables renegotiation and only allows TLS1.2
&nbsp;
Configuring HTTP/2 Client-Side (SSL Offload)
# Create HTTP/2 profile
create ltm profile http2 HTTP2 defaults-from http2

# Create parent client-ssl HTTP/2 compatible profile (renegotiation disabled and TLS1.2 PFS ciphers enabled)
create ltm profile client-ssl CLIENTSSL-HTTP2 defaults-from client-ssl description "HTTP/2 Compatible - SSL Renegotiation Disabled, PFS Enabled" renegotiation disabled ciphers 'ECDHE+AES-GCM:ECDHE+CHACHA20-POLY1305:ECDHE+AES+SHA256:ECDHE+AES+SHA384:ECDHE+AES:RSA+AES-GCM:RSA+AES+SHA256:RSA+AES' options { dont-insert-empty-fragments single-dh-use no-dtls no-ssl no-tlsv1 no-tlsv1.1 no-tlsv1.3 }

# Create child client-ssl profile (inherit from parent client-ssl profile)
create ltm profile client-ssl CLIENTSSL-HTTP2-&lt;FQDN&gt; defaults-from CLIENTSSL-HTTP2 cert-key-chain add { &lt;FQDN&gt;-&lt;YEAR&gt; { cert &lt;FQDN&gt;-&lt;YEAR&gt;.crt key &lt;FQDN&gt;-&lt;YEAR&gt;.key chain &lt;INTERMEDIATE CA BUNDLE&gt;.crt } }

# Create pool
create ltm pool &lt;POOL NAME&gt; load-balancing-mode least-connections-member members add { &lt;IP&gt;:&lt;PORT&gt; } monitor &lt;MONITOR&gt;

# Create HTTP/2 virtual server
create ltm virtual &lt;VS NAME&gt; destination &lt;VIP&gt;:&lt;PORT&gt; profiles add { tcp http HTTP2 CLIENTSSL-HTTP2-&lt;FQDN&gt; } pool &lt;POOL NAME&gt;

paulius · Answer

Under the virtual server you should have a setting labeled "SSL Profile (Client)" which is where you would associate your SSL cert and key of choice to the virtual server in question. Please keep in mind that if you use the "clientssl-secure" it will use an F5 self-signed SSL certificate so end users will receive an error on their side about either the name not matching or that you are using an SSL certificate that isn't from a trusted certificate authority.

boneyard · Answer

Where have you read that you NEED to choose clientssl-secure? I quickly checked a few articles and don't see it.

huw · Answer

Thanks Paulius - that makes sense, but why does all the documentation refer to clientssl-secure? I can't think of an situation where that would be useful.

Also - do I need to do anything differently on the client SSL profile than I would have done using HTTP/1.1?

huw · Answer

Maybe I'm not as good at searching as I thought! Please pass on any links you think might be useful, and I'll resume my own search.

huw · Answer

Here's the link I was using:https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/big-ip-http2-full-proxy-configuration-14-1-0/01.html#guid-b39ab2c5-5295-47ed-99ca-3527eb076b7e"You do not need to create a Client SSL profile because a profile named clientssl-secure already exists on the system."

Forum Discussion

SSL Offload with HTTP/2.0

Configuring HTTP/2 Client-Side (SSL Offload)

6 Replies

Configuring HTTP/2 Client-Side (SSL Offload)

Recent Discussions

Disk space full - what files, folders are safe to delete?

ASM instance creation

BIG-IP DNS: Check Status Of Multiple Monitors Against Pool Member

Open Redirection Mitigation

F5Access | MacOS Sonoma

Related Content

HTTP 2.0 changes everything

HTTP/2.0 Server-Side Traffic

Why think about HTTP 2.0?

Ready or not, HTTP 2.0 is here

HTTPS offload rewriting