Forum Discussion

h_elyot
Aug 06, 2019

Change Parent SSL profile of 3 SSL Clients on the same Virtual Server

Hello,

I currently have client SSL profiles attached to one Virtual Server. Their parent profile is the default "clientssl".

In order to avoid using weak ciphers, I have created a "no_CBC" cipher rule with the following string, which has "clientssl" as parent profile:

ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256

I would like to use "no_CBC" as parent profile for the 3 SSL profiles attached to the Virtual Server, but when I try to update one or another, the system gives me the following error:

0107157c:3: Selected client SSL profiles do not match security policies for Virtual Server /Common/XXX

I have read somewhere here that I have to update all 3 SSL profiles at once. If that's correct, how can I do that?

If not, what is the issue here, and how do I modify the parent profile of those SSL client profiles?

Regards

  • No problem.

    Yes, I would probably use tmsh to list them out, copy the profiles you're interested in to a text editor, change the profile name and the defaults-from value from clientssl to no_CBC. Then I would use load /sys config merge from-terminal to add it into the config.

    Something like this:

    [root@bigip:Active:Standalone] config # tmsh
    root@(bigip)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm profile client-ssl test1
    ltm profile client-ssl test1 {
        app-service none
        cert default.crt
        cert-key-chain {
            default_default {
                cert default.crt
                chain default.crt
                key default.key
            }
        }
        chain default.crt
        inherit-certkeychain false
        key default.key
        passphrase none
    }
    root@(bigip)(cfg-sync Standalone)(Active)(/Common)(tmos)# load /sys config merge from-terminal
    Enter configuration. Press CTRL-D to submit or CTRL-C to cancel.
    ltm profile client-ssl test1_new {
        app-service none
        cert default.crt
        cert-key-chain {
            default_default {
                cert default.crt
                chain default.crt
                key default.key
            }
        }
        chain default.crt
        inherit-certkeychain false
        key default.key
        passphrase none
        defaults-from no_CBC
    }
    Loading configuration...
    root@(bigip)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm profile client-ssl test1_new 
    ltm profile client-ssl test1_new {
        app-service none
        cert default.crt
        cert-key-chain {
            default_default {
                cert default.crt
                chain default.crt
                key default.key
            }
        }
        chain default.crt
        defaults-from no_CBC
        inherit-certkeychain true
        key default.key
        passphrase none
    }
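    The copy-rename-reparent step above can be scripted so that all 3 profiles are cloned the same way. The script below is an added example, not code from this thread or from F5: it rewrites the tmsh "list" output of one client-ssl profile into a new object with a new name and a new defaults-from, then merges it. The profile names web_app1 and web_app1_no_cbc and the sample listing are constructed for the demo; clone_profile assumes it runs on the BIG-IP with tmsh on PATH and uses "load sys config merge file" as the non-interactive equivalent of the "merge from-terminal" step shown above.

```sh
#!/bin/sh
# Added example, not code from the DevCentral thread: clone a BIG-IP client-ssl
# profile under a new name with a different parent (defaults-from), so the
# clone can be swapped onto the virtual server without touching the original.
set -eu

# rewrite_profile OLD NEW PARENT
# Reads "tmsh list ltm profile client-ssl" output on stdin and writes one
# profile object: OLD renamed to NEW, with "defaults-from PARENT" set at the
# top level (replacing any existing defaults-from rather than duplicating it).
# Other profiles in the listing are dropped, so a full listing may be piped in.
rewrite_profile() {
    awk -v old="$1" -v new="$2" -v parent="$3" '
        # profile header: "ltm profile client-ssl <name> {"
        $1 == "ltm" && $2 == "profile" && $3 == "client-ssl" && $5 == "{" {
            inside = ($4 == old); depth = 1
            if (inside) print "ltm profile client-ssl " new " {"
            next
        }
        !inside { next }                              # not the profile we clone
        depth == 1 && $1 == "defaults-from" { next }  # drop the old parent line
        depth == 1 && $1 == "}" {                     # closing brace of our profile
            print "    defaults-from " parent
            print; depth = 0; inside = 0; next
        }
        $NF == "{" { print; depth++; next }           # nested block opens
        $1 == "}"  { print; depth--; next }           # nested block closes
        { print }
    '
}

# clone_profile OLD NEW PARENT
# Runs on the BIG-IP itself (assumes tmsh is on PATH). The rewritten object is
# merged from a temp file, the non-interactive form of the
# "load /sys config merge from-terminal" step from the thread.
clone_profile() {
    tmp=$(mktemp /var/tmp/clientssl-clone.XXXXXX)
    tmsh list ltm profile client-ssl "$1" | rewrite_profile "$1" "$2" "$3" > "$tmp"
    tmsh load sys config merge file "$tmp"
    rm -f "$tmp"
}

# Constructed sample listing (not from the thread): two profiles, the first
# with an explicit parent that the clone must replace, the second unrelated.
SAMPLE_LISTING=$(cat <<'EOF'
ltm profile client-ssl web_app1 {
    app-service none
    cert default.crt
    cert-key-chain {
        default_default {
            cert default.crt
            chain default.crt
            key default.key
        }
    }
    chain default.crt
    defaults-from clientssl
    inherit-certkeychain false
    key default.key
    passphrase none
}
ltm profile client-ssl unrelated {
    app-service none
    defaults-from clientssl
}
EOF
)

# Offline demo: rewrite the sample and show the object that would be merged.
demo_rewrite() {
    printf '%s\n' "$SAMPLE_LISTING" | rewrite_profile web_app1 web_app1_no_cbc no_CBC
}

demo_rewrite
```

    Run it once per profile (clone_profile web_app1 web_app1_no_cbc no_CBC, and so on), then attach the three clones to the virtual server in place of the originals, which is the "swap them out" path from the other reply. After the merge, compare each clone with its original: the transcript above shows inherit-certkeychain coming back as true on the merged copy even though the pasted object had it set to false, so check the cert-key-chain the clone actually serves before putting it in front of traffic.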
  • Hi, you've got a couple of options. You can either remove the client SSL profiles from being assigned to the Virtual Server, change their parent and then re-add them.

    Or, if this isn't an option, create new client SSL profiles that use "no_CBC" as a parent, then swap them out on the virtual server for the existing 3 profiles.

  • Hello jonwest1_uk, and thank you for your answer.

    If I want to avoid taking the Virtual Server down in order to safely switch SSL profiles, I have to go with option 2. Then, is there a way to make a copy of a client SSL profile, to be sure the 3 new ones I will create are the same as the 3 existing ones (except for the parent profile, which I will change to "no_CBC")?