Forum Discussion

bluestar007_339's avatar
bluestar007_339
Icon for Nimbostratus rankNimbostratus
Nov 12, 2017

cipher help

Hi, BIG IP 11.5 I have the following profile ltm profile client-ssl clientssl { alert-timeout 10 app-service none authenticate once authenticate-depth 9 ca-file none cache-size 262144 cache-...
application delivery
BIG-IP
Hannes_Rapp_162's avatar
Hannes_Rapp_162
Icon for Nacreous rankNacreous
Nov 12, 2017

Yup, apply custom cipher configuration to your custom profile, or even better, refer to model below. I've found it's best to leave default vendor profiles untouched at all times. But I also do not want to waste time repeating same custom settings across many app-specific profiles. So I found 3-tiered models work the best. Here's what I do:

  1. clientssl
    (vendor default). Always untouched
  2. clientssl_base
    (defaults-from clientssl). Here I apply my custom configurations to be used across all app-specific profiles. Advantage of having this profile - I only have to define my custom configurations, i.e. preferred cipher suites just once without having to alter vendor defaults.
  3. clientssl_appspecific
    . (defaults-from clientssl_base). This profile has application-specific TLS cert/key pair attached to it, cipher configuration and all other settings are derived from clientssl_base profile.
bluestar007_339's avatar
bluestar007_339
Icon for Nimbostratus rankNimbostratus
Nov 12, 2017

Hi, Thanks for the reply .

 

If the BOX does not support "ECDH+AESGCM" suite ,what is the point adding in profile . How do I make sure that box support ECDH+AESGCM

 

Thanks