SSL profiles
You can use an SSL profile to specify how a NetScaler appliance processes SSL traffic. A profile is a collection of SSL parameter settings for SSL entities, such as virtual servers, services, and service groups, and offers ease of configuration and flexibility. You are not limited to configuring only one set of global parameters.
You can create multiple sets (profiles) of global parameters and assign different sets to different SSL entities. SSL profiles are classified into two categories:
- Front-end profiles: Contain parameters applicable to the front-end entity (entity that receives requests from a client).
- Back-end profiles: Contain parameters applicable to the back-end entity (entity that sends client requests to a server).
Unlike a TCP or HTTP profile, an SSL profile is optional. Once SSL profiles are enabled, all the SSL endpoints inherit the default profiles. The same profile can be reused across multiple entities. If an entity does not have a profile attached, the values set at the global level apply. For dynamically learned services, current global values apply.
Compared with configuring SSL parameters, ciphers, and ECC curves on each SSL endpoint individually, SSL profiles on the NetScaler appliance simplify configuration management by acting as a single point of SSL configuration for all related endpoints. Using SSL profiles, you can resolve configuration issues related to cipher reordering and to downtime when ciphers are reordered.
SSL profiles help in setting required SSL parameters and cipher bindings on SSL endpoints on which these parameters and bindings traditionally cannot be set. SSL profiles can also be set on secure monitors.
The SSL profile infrastructure has been enhanced to use the latest ciphers and protocols. Differences between the legacy profile (old profile) and the enhanced SSL profile (new profile) are highlighted in the following table.
Differences between the old and the new SSL profile infrastructure
Differences | Old Profile | New Profile |
---|---|---|
Ciphers and ECC Curves included in the profile | No | Yes |
Inserting a cipher or cipher group in the middle of an existing list | Unbind all the ciphers and bind again in the order of the required priority. | Add a cipher and assign it a priority. If a priority is not specified, the cipher is assigned the lowest priority in the list. |
Unbinding all the ciphers | unbind ssl vserver <name> ciphername -ALL | unbind ssl profile -cipherName FlushAllCiphers (Release 12.1 and later include the FlushAllCiphers parameter for unbinding all the ciphers or cipher groups from a profile, because ALL is treated like a cipher group.) |
State of SSLv3 | n/a | Disabled on the default front-end profile (ns_default_ssl_profile_frontend). Note: Before you enable this profile, SSLv3 is enabled globally. After you enable the profile, SSLv3 is disabled on the front-end default profile. |
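The following added example (not part of the NetScaler documentation) audits saved configuration lines for the behaviors described above: whether default profiles are enabled, which profiles leave SSLv3 on, the effective cipher order per profile (a cipher bound without a priority goes last), and which SSL virtual servers have no profile explicitly attached. The sample lines are constructed, and the CLI options in them (-defaultProfile, -sslProfile, -ssl3, -cipherPriority) and the entity names are assumptions not shown on this page.

```python
import shlex
from collections import defaultdict

# Constructed ns.conf-style sample; entity names and addresses are made up for illustration.
SAMPLE_CONF = """\
set ssl parameter -defaultProfile ENABLED
add lb vserver vs_web SSL 192.0.2.10 443
add lb vserver vs_old SSL 192.0.2.11 443
add lb vserver vs_bare SSL 192.0.2.12 443
add ssl profile fe_strict -sslProfileType FrontEnd -ssl3 DISABLED
add ssl profile fe_legacy -sslProfileType FrontEnd -ssl3 ENABLED
bind ssl profile fe_strict -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 2
bind ssl profile fe_strict -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl profile fe_strict -cipherName TLS1.3-AES256-GCM-SHA384 -cipherPriority 1
set ssl vserver vs_web -sslProfile fe_strict
set ssl vserver vs_old -sslProfile fe_legacy
"""

def options(tokens):
    """Collect '-option value' pairs from one tokenised line (keys lower-cased)."""
    return {tokens[i][1:].lower(): tokens[i + 1]
            for i in range(len(tokens) - 1) if tokens[i].startswith("-")}

def audit(conf):
    """Summarise the SSL-profile state described by saved CLI lines."""
    default_on, ssl3, bound = False, {}, defaultdict(list)
    ssl_vservers, attached = [], set()
    for line in conf.splitlines():
        t = shlex.split(line)
        if len(t) < 4:
            continue
        head, name, o = [w.lower() for w in t[:3]], t[3], options(t)
        if head == ["set", "ssl", "parameter"]:
            default_on = o.get("defaultprofile", "").upper() == "ENABLED"
        elif head in (["add", "ssl", "profile"], ["set", "ssl", "profile"]) and "ssl3" in o:
            ssl3[name] = o["ssl3"].upper()  # a later 'set' overrides the 'add'
        elif head == ["bind", "ssl", "profile"] and "ciphername" in o:
            prio = float(o.get("cipherpriority", "inf"))  # no priority given: sorts last
            bound[name].append((prio, o["ciphername"]))
        elif head == ["set", "ssl", "vserver"] and "sslprofile" in o:
            attached.add(name)
        elif head[0] == "add" and head[2] == "vserver" and len(t) > 4 and t[4].upper() == "SSL":
            ssl_vservers.append(name)
    return {
        "default_profile_enabled": default_on,
        "sslv3_enabled_profiles": sorted(p for p, v in ssl3.items() if v == "ENABLED"),
        "cipher_order": {p: [c for _, c in sorted(b, key=lambda x: x[0])] for p, b in bound.items()},
        "vservers_without_explicit_profile": [v for v in ssl_vservers if v not in attached],
    }
```

Virtual servers listed under `vservers_without_explicit_profile` are the ones that fall back to the default profile or global values, so they are the first place to check when an endpoint negotiates a protocol or cipher that no custom profile allows.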