SSL Security
About
SSL Security Profiles are used on the TR7 ASP device to set and limit the parameters of the SSL connection on the client side during SSL termination.
How to Add?
To add a new SSL Security Profile, follow the steps "Certificate > SSL Security > Add" on the TR7 ASP web interface.
Interface
SSL Security Profiles Listing Screen
By following "Certificate > SSL Security" you can access a list of all SSL Security Profiles on the TR7 ASP device. On this screen, SSL Security Profiles can be added, edited and deleted.
- 1 (Information to be Displayed in the Table)
Select which information to display in the table listing the SSL Security Profiles.
The selectable and default information includes;
- Security Profile Name
- Min. SSL Version
- Cipher Algorithms
- SSL Hardware Acceleration
- Max. SSL Version
- Curve/ECDHE
- 2 (Add)
Click the Add button to open a form for creating a new SSL Security Profile.
- 3 (Delete)
One or more SSL Security Profiles can be selected and deleted by clicking the Delete button.
- 4 (Edit)
Click the Edit button to open the editing screen for the relevant SSL Security Profile.
- 5 (Search)
Used to search for all expressions in the table.
- 6 (RegExp Search)
Used to regexp search for all expressions in the table.
- 7 (Column Based Search)
Used to column based search for all expressions in the table.
- 8 (Usage Filter)
Used to filter which vServices all expressions in the table are used in.
- 9 (Page Information)
Information about how many SSL Security Profiles are listed and how many are in the opened list. When SSL Security Profiles are selected on the left side for deletion, the information about the selected SSL Security Profile is also displayed here.
- 10 (Page Size)
Select how many SSL Security Profiles will be listed in the opened list. You can switch between pages using arrow symbols.
- Preview of the Selected Profile
After following "Certificate > SSL Security" clicking on any profile opens a window on the right side of the screen with information about the relevant profile.
This window also provides information about "Used In". For instance, the "TLS Only 1.3" SSL Security profile is used in the "test.tr7.com" vService.
The preview can be closed by clicking the (x) button at the top right of the opened window.
Interface
SSL Security Profile Adding Screen
To add a new SSL Security Profile, follow "Certificate > SSL Security > Add" on the TR7 ASP web interface.
- Security Profile Name
Enter a name for the new SSL Security Profile.
- Min. SSL Version
Activate to select the minimum SSL version that can be connected from the client side.
Min. SSL Version is Disabled.
The list of SSL versions supported on the TR7 ASP device is given in the table below.
o Complete List of SSL Versions Supported by TR7
| SSL Versions |
|---|
| SSLv3 |
| TLSv1.0 |
| TLSv1.1 |
| TLSv1.2 |
| TLSv1.3 |
- Max. SSL Version
Activate to select the maximum SSL version that can be connected from the client side.
Max. SSL Version is Disabled.
The list of SSL versions supported on the TR7 ASP device is given in the table below.
o Complete List of SSL Versions Supported by TR7
| SSL Versions |
|---|
| SSLv3 |
| TLSv1.0 |
| TLSv1.1 |
| TLSv1.2 |
| TLSv1.3 |
- Cipher Algorithms
Select the ciphers that browsers and clients can use in requests coming to the vService.
Importing and exporting ciphers also possible with Import ciphers and Export ciphers buttons.
Only hardware-supported ciphers are allowed.
Allows only secure ciphers.
It only allows ciphers that are compatible with TLS v1.3.
Only allows old client supported ciphers.
Allows commonly (generally) used ciphers.
Allows ciphers selected from the drop-down list.
- Curve/ECDHE
Activate to select the Elliptic Curve algorithms or selections for the client-side connection.
Curve/ECDHE is Disabled.
o Complete List of Elliptic Curve Algorithms Supported by TR7
| Elliptic Curve Algorithms |
|---|
| X25519 (TLS v1.3 Only) |
| X442 (TLV v1.3 Only) |
| brainpoolP512r1 |
| brainpoolP384r1 |
| brainpoolP256r1 |
| secp521r1 |
| secp384r1 |
| secp256r1 |
| secp256k1 |
| secp224r1 |
| secp224k1 |
| secp192r1 |
- Restart Undefined TLS Requests
Activate to force the restart of requests without status information.
Restart Undefined TLS Requests is Disabled.
- SSL Hardware Acceleration
Used to activate SSL-based hardware acceleration on TR7 ASP devices. When SSL acceleration is activated, the contracted Intel processor SDKs on the TR7 ASP devices engage, using the device's hardware to deliver significantly higher SSL performance. This setting can also be used in virtual TR7 devices with Intel-supported processors.
SSL Hardware Acceleration is Disabled.
When deployed on Virtual TR7 (VM) devices, the hardware information of the host device on which TR7 runs is checked to see if it is suitable for hardware-based SSL acceleration.
Since physical TR7 ASP devices are currently compatible with hardware-based SSL acceleration, no warning will occur.
- Add
Click the Add button to add the SSL Security Profile.
Interface
How to Add an SSL Security Profile to the vService?
Step > 1
First, navigate through "Settings Mod > vServices" on the TR7 web interface.
Step > 2
On the resulting screen, right-click the vService to which the SSL Security Profile will be added and select Edit or click on the relevant vService and follow "Actions > Edit" from the pane that opens on the right to reach the same window.
Step > 3
In the vService's editing screen, "Details > SSL Security" is selected to activate SSL Security. The Default Security Profile can be used when it is first activated.
Warning
To activate SSL Security in the vService, SSL status must be selected as Terminate or HTTP/2.0 for any IP:Port.
Step > 4
To use a previously added profile other than the Default Security Profile or to add a new profile, click the arrow next to the profile. Selections can be made from existing profiles.
Click the Add button to add a new SSL Security Profile to the vService screen.
Step > 5
Click the Save button to save the changes and wait for the reconfiguration of the vService.