Forum Discussion
problems with multiple ssl profiles & SNI
Hi,
I'm having trouble attaching multiple SSL profiles on 1 virtual server since I'm changing the SSL ciphers.
0107157c:3: Selected client SSL profiles do not match security policies for Virtual Server /Common/
Already checked this article: https://support.f5.com/csp/article/K13452
There are 5 different client SSL profiles.
3 wildcard & 2 normal certificates. It is working at this moment without any problems and I put 1 of them as the default SNI in the SSL profile.
1) *.domainname.com (default SNI profile)
2) *.olddomainname.com
3) *.x.domainname.com
4) y.domainname.com
5) z.domainname.com
With the new SSL profiles with different allowed ciphers I'm unable to attach more than 2 profiles: 1 with SNI and 1 without SNI.
Any idea how to solve this? With all the other virtual servers with 2 or 1 SSL profiles I'm having no problems at all. Is it a problem with 1 of the SSL ciphers that is giving an issue?
I put this SSL cipher string into the new client SSL:
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-CBC-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-CBC-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES256-SHA:AES128-SHA256:AES128-SHA:-SSLv3:-TLSv1:-DTLSv1:!RSA
Thanks in advance, kind regards
- cjunior
Nacreous
Hello, are you trying to set up and use different cipher suites for profiles lying on the same virtual server, or are you having problems setting the new cipher suite on profiles that lie on the same virtual server?
If you chose the first, as far as I know, the SSL profiles must have the same cipher suite and other flags to be compatible to work together. Plus, remember that just one must be a default SNI.
If you chose the second one, I think you can do this in at least three ways:
- In the command line, modifying all profiles at the same time, like: modify ltm profile client-ssl all ciphers ''. Maybe not the best choice because you will change all profiles in the partition and probably include built-in profiles.
- Remove all profiles from the virtual server, change the profiles to the new cipher suite and then put the profiles back on the virtual server.
- I don't recommend changing the built-in profile, so create a new base clientssl that uses the current cipher suite first, then associate this new clientssl with the other profiles as a parent and uncheck the box to use the cipher suite from the parent profile; finally apply the new cipher suite to the base clientssl profile. (For me, the best choice)
If I'm not wrong, in v13.x you could do this approach with a cipher group instead of a parent base clientssl.
Just an idea, I hope it helps you.
Regards.
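As an added example (not from either poster), a small Python checker for the two compatibility points raised in the answer above: every client SSL profile attached to one virtual server should resolve to the same cipher string (following defaults-from up to its parent), and exactly one of them should be the default SNI profile. The tmsh-style block layout and the key names (ciphers, defaults-from, sni-default) in the constructed sample are assumptions.

```python
import re

# Constructed sample in a tmsh-style block layout; the key names used here
# (ciphers, defaults-from, sni-default) are an assumption, not device output.
SAMPLE = """
ltm profile client-ssl /Common/base_clientssl {
    ciphers ECDHE-RSA-AES256-GCM-SHA384:!RSA
}
ltm profile client-ssl /Common/wild_domain {
    defaults-from /Common/base_clientssl
    sni-default true
}
ltm profile client-ssl /Common/host_y {
    ciphers DEFAULT
    sni-default true
}
"""
BLOCK = re.compile(r"ltm profile client-ssl (\S+) \{(.*?)\n\}", re.S)

def parse_profiles(text):
    """Return {profile name: {key: value}} for every client-ssl block."""
    profiles = {}
    for name, body in BLOCK.findall(text):
        attrs = {}
        for line in body.strip().splitlines():
            key, _, value = line.strip().partition(" ")
            attrs[key] = value
        profiles[name] = attrs
    return profiles

def effective_ciphers(profiles, name):
    """Follow defaults-from until a ciphers value is set; built-in parent -> DEFAULT."""
    seen = set()
    while name in profiles and name not in seen:
        seen.add(name)
        if "ciphers" in profiles[name]:
            return profiles[name]["ciphers"]
        name = profiles[name].get("defaults-from", "")
    return "DEFAULT"

def check_sni_set(profiles, attached):
    """Problems that would stop these profiles from sharing one virtual server."""
    problems = []
    ciphers = {n: effective_ciphers(profiles, n) for n in attached}
    if len(set(ciphers.values())) > 1:
        problems.append("cipher mismatch: " + ", ".join(f"{n}={c}" for n, c in ciphers.items()))
    defaults = [n for n in attached if profiles[n].get("sni-default") == "true"]
    if len(defaults) != 1:
        problems.append(f"expected exactly one sni-default profile, found {len(defaults)}")
    return problems
```

Running check_sni_set over the two non-base profiles in the sample reports both a cipher mismatch and two default SNI profiles, which is the combination the thread says will not attach.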