The SSL tab explains the SSL settings for the pool.

This enables SSL encryption between the Avi Load Balancer Service Engine and the back-end servers. This is independent from the SSL option in the virtual service, which enables SSL encryption from the client to the Avi Load Balancer Service Engine.

In the Create Pool window, click the SSL tab.

SSL Profile: The Service Engine re-encrypts traffic to the back-end servers. The selected SSL profile defines which ciphers and SSL versions are supported when negotiating SSL with the server. You can select the required option from the drop-down menu. The following options are available in the drop-down menu:

  • System-Standard

  • System-Standard-PFS

  • System-Standard-Portal

  • System-GSLB-Standard-PFS

Server SSL Certificate Validation PKI Profile: Select the PKI profile against which the SSL certificate presented by a server is validated. You can select the required option from the drop-down menu. This option validates the certificate presented by the server. When this option is not enabled, the Service Engine automatically accepts the certificate presented by the server when sending health checks. Refer to the PKI Profile section for more information on certificate validation.

Service Engine Client Certificate: When establishing an SSL connection with a server, either for normal client-to-server communications or when executing a health monitor, the Service Engine presents this certificate to the server. Select the client SSL certificate that the Service Engine will present to the server from the drop-down menu. The following options are available in the drop-down menu:

  • System-Default-Cert

  • System-Default-Cert-EC

  • ssoassert-appcert

  • entrust_ec_cert_app

  • entrust_rsa_cert_app

Enable Common Name Check: Check this box to enable the common name check for the server certificate. If no explicit domain name is specified, the Controller uses the incoming host header for the match.

  • Domain Names: Specify a comma-separated list of domain names against which the common names or subject alternative names presented by server certificates are verified.

Enable TLS SNI: Check this box to enable TLS SNI for server connections. If this is not enabled, the Controller does not send the SNI extension as part of the handshake.

  • TLS SNI Server Name: Specify the fully qualified DNS hostname used in the TLS SNI extension for server connections when SNI is enabled. If you do not specify a value, the incoming host header is used by default.

  • Rewrite Host Header to SNI Name: Check this box if you have specified an SNI server name. The incoming host header is rewritten to the name of the server to which the request is proxied. Enabling this feature rewrites the host header of requests sent to all servers in the pool.
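As an added illustration (not part of the original documentation, and not the product's own code or API), the following Python models the behaviour this tab describes: which name goes into the SNI extension, which names the server certificate is checked against, what Host header the server receives, and an audit that flags the combinations in which the Service Engine skips server certificate validation or falls back to the client-supplied host header. The `PoolSSL` field names mirror the UI labels and are this example's own.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class PoolSSL:
    """One pool's SSL tab. Field names mirror the UI labels (constructed for this example)."""
    ssl_profile: str | None = None       # e.g. "System-Standard"; set means re-encrypt to servers
    pki_profile: str | None = None       # Server SSL Certificate Validation PKI Profile
    client_cert: str | None = None       # Service Engine Client Certificate
    common_name_check: bool = False      # Enable Common Name Check
    domain_names: list[str] = field(default_factory=list)
    tls_sni: bool = False                # Enable TLS SNI
    sni_server_name: str | None = None   # TLS SNI Server Name
    rewrite_host_header_to_sni: bool = False


def effective_sni_name(pool: PoolSSL, host_header: str) -> str | None:
    """Name sent in the SNI extension, or None when SNI is disabled (no extension sent)."""
    if not pool.tls_sni:
        return None
    return pool.sni_server_name or host_header  # explicit name wins, else incoming Host


def names_checked_against_cert(pool: PoolSSL, host_header: str) -> list[str]:
    """Names the server certificate's CN/SAN must match; [] when the check is off."""
    if not pool.common_name_check:
        return []
    return list(pool.domain_names) or [host_header]


def effective_host_header(pool: PoolSSL, host_header: str) -> str:
    """Host header the back-end server receives after optional rewrite to the SNI name."""
    if pool.rewrite_host_header_to_sni and pool.tls_sni and pool.sni_server_name:
        return pool.sni_server_name
    return host_header


def audit(pool: PoolSSL) -> list[str]:
    """Return the weak-posture findings for a pool that re-encrypts to its servers."""
    findings = []
    if pool.ssl_profile and not pool.pki_profile:
        findings.append("no PKI profile: server certificate is not validated (health checks accept it automatically)")
    if pool.ssl_profile and not pool.common_name_check:
        findings.append("common name check disabled: certificate name is not matched against any expected name")
    if pool.common_name_check and not pool.domain_names:
        findings.append("common name check has no domain names: match relies on the client-supplied Host header")
    if pool.tls_sni and not pool.sni_server_name:
        findings.append("no TLS SNI server name: SNI value is taken from the client-supplied Host header")
    if pool.rewrite_host_header_to_sni and not (pool.tls_sni and pool.sni_server_name):
        findings.append("host header rewrite enabled without an explicit SNI server name: rewrite has no effect")
    return findings
```

Running `audit` on a pool that only has an SSL profile selected reports the first two findings; the hardened pool in the test below (PKI profile, explicit domain name and SNI name) reports none.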