Forum Discussion

SteveMP's avatar
SteveMP
Icon for Nimbostratus rankNimbostratus
Aug 30, 2017

How to get client SSL profile to inerhit parent cipher suite in SNI config?

Hello,   A security audit has found some issues with cipher suites in use in the default SSL client profiles(v12.1.2). Since this Virtual Server uses SNI, I am unable to modify the client profile...
application delivery
LTM
security
Hannes_Rapp_162's avatar
Hannes_Rapp_162
Icon for Nacreous rankNacreous
Aug 30, 2017

Use the tickbox, unticking any custom configuration for that cipher configuration field instead of erasing its current config. It should grey out and that's when it fetches the configuration from parent profile. If it doesn't, then you're facing a GUI misleading info bug. I recall this bug of misleading GUI information in clientssl profiles occurred after 10.2.4 to 11.5.x upgrades. It's unlikely this ever got fixed. The workaround solution is to configure inherit settings in TMSH (or /config/bigip.conf and loaded in). This needs to be done once for all clientssl profiles that have one or more parents.

 

SteveMP's avatar
SteveMP
Icon for Nimbostratus rankNimbostratus
Aug 30, 2017

Ah ok, thanks. That seems to be it, so now I get the error "Selected client SSL profiles do not match security policies for Virtual Server /". So it goes back to the limitation since its SNI that all profiles have to be identical. Which is odd, should be a warning, click ok to proceed. Not completely stop me from doing it. Oh well, guess I will have to schedule some downtime for production in order to test with the test site...