Forum Discussion
How to get client SSL profile to inherit parent cipher suite in SNI config?
Hi SteveMP,
As Hannes has already pointed out, the solution is to uncheck the Cipher-Suite settings so that the profile will inherit the settings from its parent profile.
When using SNI, make sure that you configure security related settings only in the SNI-Default Profile and that every other SNI-related profile will inherit those settings.
Basically you have to create the following profiles / inheritance:
- ClientSSL-Profile
  - Contains default settings
- SNI-Default-Profile
  - Inherits all settings from the ClientSSL-Profile
  - MAY contain custom ciphers, security and SSL settings
  - MUST be the default Profile for SNI
- Additional SNI-Profiles
  - Inherits all settings from the SNI-Default-Profile
  - MUST NOT be the default SNI Profile
  - MUST have a SNI value configured
To bulk change the involved profiles without getting security warnings, you may...
a.) Temporarily detach all profiles from the virtual server, tweak the settings as outlined above and then attach the changed profile again. This change can be performed on the standby unit to not affect live traffic. After the change is complete, sync the configuration or perform a failover.
b.) Create a new set of SNI-enabled SSL Profiles, tweak the settings as outlined above and then replace the old profile with the just created profiles. Then delete the old SSL Profiles...
c.) Export the existing SSLProfile configuration via `tmsh list ltm profile client-ssl`, change the config settings as outlined above, import the changed configuration via `tmsh load sys config merge from-terminal`
Cheers, Kai
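An added example, not part of Kai's post and not F5 tooling: a small audit that reads a saved `tmsh list ltm profile client-ssl` export and flags additional SNI profiles that set their own ciphers, do not inherit from an SNI default profile, or lack a server name. It assumes the export lists only values set on the profile itself (no `all-properties`) and that `defaults-from` uses the same name form as the profile headers; the profile names and values in the sample are constructed.

```python
import re
# Constructed sample shaped like `tmsh list ltm profile client-ssl` output.
SAMPLE = """\
ltm profile client-ssl sni-default {
    ciphers ECDHE+AES-GCM
    defaults-from clientssl
    sni-default true
}
ltm profile client-ssl sni-app1 {
    defaults-from sni-default
    server-name app1.example.com
}
ltm profile client-ssl sni-app2 {
    ciphers DEFAULT
    defaults-from clientssl
    server-name app2.example.com
}
"""

def parse_profiles(text):
    """Return {profile: {top-level key: value}}; nested blocks are skipped."""
    profiles, name, depth = {}, None, 0
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"ltm profile client-ssl (\S+) \{$", s)
        if depth == 0 and m:
            name = m.group(1)
            profiles[name] = {}
        elif depth == 1 and s and s != "}" and not s.endswith("{"):
            key, _, value = s.partition(" ")
            profiles[name][key] = value
        depth += s.count("{") - s.count("}")
    return profiles

def audit(profiles):
    """Flag additional SNI profiles that break the inheritance rules above."""
    findings = []
    for name, p in profiles.items():
        parent = profiles.get(p.get("defaults-from", ""), {})
        has_sni = p.get("server-name", "none") != "none"
        under_default = parent.get("sni-default") == "true"
        if p.get("sni-default") == "true" or not (has_sni or under_default):
            continue  # base or SNI default profile: custom settings live here
        if not under_default:
            findings.append((name, "does not inherit from an SNI default profile"))
        if "ciphers" in p:
            findings.append((name, "sets ciphers itself instead of inheriting"))
        if not has_sni:
            findings.append((name, "no server-name configured"))
    return findings
```

Running `audit(parse_profiles(SAMPLE))` reports only `sni-app2`, which carries its own `ciphers` line and points at the base profile instead of the SNI default.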