UI Fields

• SSL/TLS Name: Specify a unique name for the SSL/ TLS profile.

• Type: Choose Application if the profile is to be associated with a virtual service, System if the profile is to be associated with the Controller.

• Ciphers: Ciphers may be chosen from the default List view or a String. The String view is for compatibility with OpenSSL-formatted cipher strings. When using String view, Avi Load Balancer does not provide an SSL rating, nor a score for the selected ciphers.

• SSL Rating: This is a simple rollup of the security, compatibility, and performance of the ciphers chosen from the list. Often ciphers may have great performance but very low security. The SSL rating attempts to provide some insight into the outcome of the selected ciphers. Avi Load Balancer Networks may change the score of certain ciphers from time to time, as new vulnerabilities are discovered. This does not impact or change an existing Avi Load Balancer deployment, but it does mean the score for the profile, and potentially the security penalty of a virtual service, may change to reflect the new information.

• Version: Avi Load Balancer supports versions SSL 3.0, TLS 1.0 and newer. The older SSL 2.0 protocol is no longer supported. TLS 1.3 protocol is supported. Users must select one or more of the three supported TLS 1.3 ciphers in the list of ciphers or configure them in the Ciphersuites option under the String view.

• Send “close notify” alert: Gracefully inform the client of the closure of an SSL session. This is similar to TCP doing a FIN/ACK rather than an RST.

• Prefer client cipher ordering: Off by default, set this to On if you prefer the client’s ordering.

• Enable SSL Session Reuse: On by default, this option persists a client’s SSL session across TCP connections after the first occurs.

• SSL Session Expiration: Set the length of time in seconds before an SSL session expires.

• Ciphers: When negotiating ciphers with the client, Avi Load Balancer will give preference to ciphers in the order listed. The default cipher list prioritizes elliptic curve with PFS, followed by less secure, non-PFS and slow RSA-based ciphers. Enable, deactivate, and reorder the ciphers through the List view. In the String view, manually enter the cipher strings through the OpenSSL format, which is documented on the OpenSSl.org website. You may use an SSL/ TLS profile with both an RSA and an elliptic curve certificate. These two types of certificates can use different types of ciphers, so it is important to incorporate ciphers for both types in the profile if both types of certs may be used. As with all security, Avi Load Balancer Networks recommends diligence to understand the dynamic nature of security and to ensure that Avi Load Balancer is always up to date.

• Ciphersuites: This option exclusively configures TLS 1.3 protocol ciphers. Currently, Avi Load Balancer supports the below:

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

• Early Data: This option enables TLS-v1.3-terminated applications to send application data (referred to here as early data or 0-RTT data) without having to first wait for the TLS handshake to complete. This saves one full round-trip time between the client and server before the client requests can be processed. SSL session reuse must be enabled to use the Early Data option.