For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Bciesz_171056's avatar
Bciesz_171056
Icon for Cirrus rankCirrus
Aug 24, 2018

Selected client SSL does not match security policies for VS after cipher update

Hi,

I'm trying to update ciphers on one of my profiles. The one I want to use is: 

!LOW:!SSLv2:!SSLv3:!MD5:!RC4+SHA:!EXPORT:!DHE:ECDHE+AES-GCM:ECDHE+AES:AES+SHA+RSA:@STRENGTH
This works fine on another VS, but an attemtp of installing it on this one results in this error:

0107157c:3: Selected client SSL profiles do not match security policies for Virtual Server /EXTERNAL/vs_server_443.

Now the OK and NOK vs are a bit different, but I can't figure out which portion of the config can be responsible for this error. Let me summarize the differences:

vs_NOK_443
Protocol Profile (Client):  prot_tcp_client_name_WAN (based on tcp_wan_optimized) 
Protocol Profile (Server):  prot_tcp_client_name_LAN (based on tcp-lan-optimized)
HTTP Profile:               http_xff        

vs_OK_https 
Protocol Profile (Client):  tcp
Protocol Profile (Server):  (use Client Profile)
HTTP Profile:               http_xff_redir-rewrite

Now i do not see any difference between http-xff and http-xff_redir_rewrite is that the latter uses a Server Agent Name

Both server have two client ssl profiles and the profile in question is marked as the default profile for SNI.

application delivery
LTM
sni
ssl

1 Reply

  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    Aug 24, 2018

    Is there multiple clientSSL profile assigned to vs_server_443?

     

    If there are multiple clientSSL profiles on the same VS, all profiles must be changed simultaneously.