For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

rsbs01's avatar
rsbs01
Icon for Nimbostratus rankNimbostratus
Sep 25, 2018

Changing parent profile to VIP with multiple client-ssl profiles

Hi everybaody.   I have created new profile, that defaults from client-ssl. The only thing that I changed in that new profile was to exclude some ciphers => DEFAULT:!TLSv1:!RC4. I wanted to assin...
BIG-IP
LTM
security
MvdG's avatar
MvdG
Icon for Cirrus rankCirrus
Sep 25, 2018

Hi,

 

Take a look at:

 

https://support.f5.com/csp/article/K13452

 

It states the following:

 

For security purposes, F5 recommends that you configure the following settings with the same values for all of the SSL/TLS SNI profiles associated with the same virtual server:

 

Ciphers

 

Client Authentication

 

Client Certificate

 

Frequency

 

Certificate Chain Traversal Depth

 

Advertised Certificate Authorities

 

Certificate Revocation List (CRL)

 

 

In BIG-IP 11.2.0 and later, the BIG-IP system will display an error message that appears similar to the following example if any of the settings are non-matching:

 

0107157c:3: Selected client SSL profiles do not match security policies for Virtual Server /Common/

 

 

So if you have two profiles, one with SNI and the other without SNI or different values, you get this message.

 

Regards,

 

Martijn

 

h_elyot's avatar
h_elyot
Icon for Nimbostratus rankNimbostratus
Aug 05, 2019

Hello Martijn,

 

Do you know how I can modify the parent profile of multiple SSL clients on the same VS at once, in order to modify the cipher from the default one of client ssl parent profile to an no CBC client ssl parent profile that I have created for all of them ?

 

Cause, when I modify and try to update one, I have the error message you describe here above.

 

Regards