
Forum Discussion

9 Replies

  • I won't say this is a best practice but I never renew certs on my BigIP ssl terminated VIPs. I generate new keys several weeks prior to the expiration time. I then submit the CSR for the new certificate and create new ssl client profiles once the new certificate is received. (My CA doesn't charge less for renewals vs. new) When implementing the change, I apply the new client ssl profile to the virtual server (so I have the previous one available to back out to if necessary). There is no downtime unless there is a mistake made when setting up the new client ssl profile but, this way, you have the old one to revert back to if there is a problem. (And, lately, with the whole SHA1 to SHA2 migration, disabling RC4 ciphers or SSLv3, adding GCM ciphers or those supporting Forward Secrecy, there could be problems, especially with older clients...) As soon as the new profile is applied, new client connections will use the new cert and existing clients will have to re-do the ssl handshake.


    Once you set the new client ssl profile on the VIP, use the tools provided by the CA to ensure the certificate chain is accurate (assuming they offer one) and you're all set.
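The chain check in that last step, written out as an added Go example that is not from the original post and not F5 or CA tooling: it mints a constructed root, intermediate and 90-day server certificate in memory for the hypothetical host vip.example.test, then verifies what a client would see after the profile swap the way a CA's checker does. The cases it runs are the ones that usually bite on a freshly built client SSL profile: the chain (intermediate) certificate left out of the profile, a certificate issued for the wrong name, and a certificate checked after its expiry date.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DemoPKI is a constructed root -> intermediate -> leaf hierarchy standing in
// for a public CA's chain. It is generated in memory for this example only.
type DemoPKI struct {
	Root, Intermediate, Leaf *x509.Certificate
	Hostname                 string
}

// issue signs tmpl with parentKey under parent; a nil parent makes it self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildDemoPKI mints a root CA, an intermediate CA and a 90-day server leaf
// for the hypothetical host vip.example.test (constructed data, not a real CA).
func BuildDemoPKI() DemoPKI {
	now := time.Now()
	host := "vip.example.test"
	ca := func(cn string, serial int64) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(5 * 365 * 24 * time.Hour),
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	root, rootKey := issue(ca("Demo Root CA", 1), nil, nil)
	inter, interKey := issue(ca("Demo Intermediate CA", 2), root, rootKey)
	leaf, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, interKey)
	return DemoPKI{Root: root, Intermediate: inter, Leaf: leaf, Hostname: host}
}

// VerifyPresented validates what a client sees after the profile swap: the leaf
// plus whatever intermediates the virtual server sends (sent), against the
// trust store (trusted), for hostname, at time at. A nil error means the chain builds.
func VerifyPresented(leaf *x509.Certificate, sent, trusted []*x509.Certificate, hostname string, at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range sent {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: hostname, Roots: roots, Intermediates: inters, CurrentTime: at})
	return err
}

func main() {
	p := BuildDemoPKI()
	now, chain, roots := time.Now(), []*x509.Certificate{p.Intermediate}, []*x509.Certificate{p.Root}
	report := func(name string, err error) { fmt.Printf("%-44s %v\n", name, err) } // <nil> means the chain verified
	report("leaf + chain cert, correct host", VerifyPresented(p.Leaf, chain, roots, p.Hostname, now))
	report("leaf only (chain cert left out of profile)", VerifyPresented(p.Leaf, nil, roots, p.Hostname, now))
	report("wrong hostname", VerifyPresented(p.Leaf, chain, roots, "other.example.test", now))
	report("checked after the leaf expires", VerifyPresented(p.Leaf, chain, roots, p.Hostname, now.Add(91*24*time.Hour)))
}
```

Against a real VIP the constructed certificates would be replaced by the chain the server actually presents and by the client's trust store; the "leaf only" case is what older clients hit when the new profile was created with the certificate and key but without the chain certificate, which is exactly the situation the old profile is kept around to back out of.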


  • Hi Chris, thanks for the information. Just to confirm, when we replace the SSL profile on the existing virtual server with the new one (with the new cert and keys), will there be any downtime during this update? Please also advise how updating the new SSL certs would affect the SHA1 to SHA2 migration, disabling RC4 ciphers or SSLv3, and adding GCM ciphers or those supporting Forward Secrecy.

  • Hi Alex, the SSL certificate is offloaded on the load balancer. Does the load balancer log all cryptographic module failures?


  • Yes. You can control the level of logging for SSL in System ›› Logs ›› Configuration.

  • Please advise: what is the default and recommended setting for SSL logging?

  • Please advise: what is the default and recommended setting for SSL logging? And how can we access the logs to check them?

  • The default, and the recommended setting for most situations, is "Warnings", but it really depends on what you are trying to achieve. I wouldn't elevate to a higher level unless I am troubleshooting an SSL-related issue. Events related to SSL processing are logged in the LTM log, /var/log/ltm.