Forum Discussion
NimbostratusChanging parent profile to VIP with multiple client-ssl profiles
CirrusHi,
Take a look at:
https://support.f5.com/csp/article/K13452
It states the following:
For security purposes, F5 recommends that you configure the following settings with the same values for all of the SSL/TLS SNI profiles associated with the same virtual server:
Ciphers
Client Authentication
Client Certificate
Frequency
Certificate Chain Traversal Depth
Advertised Certificate Authorities
Certificate Revocation List (CRL)
In BIG-IP 11.2.0 and later, the BIG-IP system will display an error message that appears similar to the following example if any of the settings are non-matching:
0107157c:3: Selected client SSL profiles do not match security policies for Virtual Server /Common/
So if you have two profiles, one with SNI and the other without SNI or different values, you get this message.
Regards,
Martijn
NimbostratusHello Martijn,
Do you know how I can modify the parent profile of multiple SSL clients on the same VS at once, in order to modify the cipher from the default one of client ssl parent profile to an no CBC client ssl parent profile that I have created for all of them ?
Cause, when I modify and try to update one, I have the error message you describe here above.
Regards
canttalkeatingAltocumulus
Hello h.elyot,
I doesn't look like you can change the cipher values at the parent level and have them propagate down to all child SSL profiles dependent on that parent.
You can change other attributes within the Client SSL Parent profile that will be reflected in the child profiles but not the ciphers.
I wouldn't recommend ever changing the default values of any BIG-IP profiles as a best practice
Cheers,
David
