SIP_354925
Apr 03, 2018

Server SSL Profile

Can someone explain this in the server SSL profile properties? I thought that the BIG-IP was server cipher preference. So between the BIG-IP and server the BIG-IP is the client. But from the statement below this is saying the opposite. Please explain.

Cipher server preference: When the BIG-IP system chooses a cipher, this option uses the server's preferences instead of the client preferences. When this option is not set, the SSL server always follows the client's preferences. When this option is set, the SSLv3/TLSv1 server chooses by using its own preferences. For SSLv2, the server sends its list of preferences to the client, and the client always chooses the cipher.

  • Kevin_K_51432
    Historic F5 Account

    Greetings,

    I think the intent of this option is to cause BIG-IP to pause the client side SSL connection, handshake with the server, get the server's cipher and then negotiate with the client using that cipher. However, I don't believe this option works based on this article which probably needs an update:

    https://support.f5.com/csp/article/K12390

    Hope this is helpful!

    Kevin

    • SIP_354925

      Thanks for the response and explanation. Agreed. That article needs an update.

    • Kevin_K_51432
      Historic F5 Account

      You're welcome. I've requested an update for the article.

      After digging in a bit more, I'd like to confirm that you were correct in your initial summary:

      "I thought that the BIG-IP was server cipher preference"

      So if this bug is fixed, either the option will be removed, or another possible option could be to move this into the enabled box of the SSL profile.

      Kevin
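
The three selection rules in the quoted help text, as an added Python model (not part of the thread and not BIG-IP code). The function name, the cipher lists and the `PROXY_AS_CLIENT` / `BACKEND_SERVER` labels are constructed for illustration; the choice is made by whichever endpoint acts as the TLS server for that connection.

```python
# Added illustration: a model of the cipher selection rules quoted in the
# question. Names and cipher lists are constructed sample data (assumptions).


class NoSharedCipher(Exception):
    """Raised when the two sides have no cipher suite in common."""


def select_cipher(client_offer, server_list, server_preference, protocol="TLSv1"):
    """Return the suite chosen for one handshake.

    client_offer      -- suites in the ClientHello, most preferred first
    server_list       -- suites the server allows, most preferred first
    server_preference -- the "cipher server preference" option on the server
    protocol          -- "SSLv2" is special: the client always chooses
    """
    common = set(client_offer) & set(server_list)
    if not common:
        raise NoSharedCipher("no common cipher suite")
    if protocol == "SSLv2":
        order = client_offer      # server sends its list, client picks
    elif server_preference:
        order = server_list       # SSLv3/TLS server uses its own order
    else:
        order = client_offer      # server follows the client's order
    return next(suite for suite in order if suite in common)


# Constructed lists: a proxy acting as TLS client toward a backend server
# whose own ordering puts a weaker suite first.
PROXY_AS_CLIENT = ["ECDHE-RSA-AES256-GCM-SHA384",
                   "ECDHE-RSA-AES128-GCM-SHA256",
                   "AES128-SHA"]
BACKEND_SERVER = ["AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]


def demo():
    """Run the three cases from the help text against the sample lists."""
    return {
        "option_unset": select_cipher(PROXY_AS_CLIENT, BACKEND_SERVER, False),
        "option_set": select_cipher(PROXY_AS_CLIENT, BACKEND_SERVER, True),
        "sslv2": select_cipher(PROXY_AS_CLIENT, BACKEND_SERVER, True, "SSLv2"),
    }


if __name__ == "__main__":
    for case, suite in demo().items():
        print(f"{case}: {suite}")
```

With these sample lists the option only changes the result when it is applied on the side that receives the ClientHello, which is why the negotiated suite should be checked on the backend as well as on the proxy.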