Forum Discussion
SSL Profile cipher inheritance
Hi,
I have some problems understanding how the cipher option is inherited from parent profiles.
Consider this example: The SSL Server Profile "sslserver_parent" has cipher suite rc4-md5. I then create a new SSL Server Profile named "sslserver_custom", with the "sslserver_parent" profile as its parent.
What will happen when I override the cipher option on "sslserver_custom" with, e.g., RC4-SHA?
Will the result be RC4-MD5:RC4-SHA, or will it not inherit RC4-MD5 and simply be RC4-SHA?
- Kevin_Stewart (Employee)
Updated values are rewritten. If you have RC4-MD5 in the parent and change the child to RC4-SHA, the resultant cipher string will only include RC4-SHA. You can test this with an ssldump on the server side VLAN.
ssldump -AdNn -i [server side vlan] port 443 and host [IP of backend server]
Since the BIG-IP is the client in this case, it'll send its complete supported cipher list in its ClientHello message.
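The check described in the reply above can be scripted. This is an added example, not part of the original reply: it pulls the offered cipher suites out of a captured ClientHello and compares them with the child profile's cipher string. The sample dump is constructed, its layout is an assumption modeled on ssldump's decoded handshake output, and the function names are hypothetical.

```python
import re

# OpenSSL-style names from the profile -> suite names as they appear in the dump.
OPENSSL_TO_IANA = {
    "RC4-MD5": "TLS_RSA_WITH_RC4_128_MD5",
    "RC4-SHA": "TLS_RSA_WITH_RC4_128_SHA",
}
# Renegotiation signalling value (0x00ff); it is not a real cipher, so ignore it.
IGNORED = {"TLS_EMPTY_RENEGOTIATION_INFO_SCSV", "Unknown value 0xff"}
SUITE_RE = re.compile(r"(?:TLS|SSL)\w+|Unknown value 0x[0-9a-fA-F]+")

# Constructed sample (assumed ssldump layout, not a real capture).
SAMPLE_DUMP = """\
New TCP connection #1: 10.0.0.5(49152) <-> 10.0.0.20(443)
1 1  0.0009 (0.0009)  C>S  Handshake
      ClientHello
        Version 3.1
        cipher suites
        TLS_RSA_WITH_RC4_128_SHA
        compression methods
                  NULL
1 2  0.0021 (0.0012)  S>C  Handshake
      ServerHello
        Version 3.1
        cipherSuite         TLS_RSA_WITH_RC4_128_SHA
"""

def client_hello_suites(dump):
    """Return one list of offered suites per ClientHello in the dump."""
    hellos, current, in_hello = [], None, False
    for line in dump.splitlines():
        text = line.strip()
        if text == "ClientHello":
            in_hello, current = True, None
        elif in_hello and text == "cipher suites":
            current = []
            hellos.append(current)
        elif current is not None and SUITE_RE.fullmatch(text):
            current.append(text)
        elif current is not None:  # first non-suite line ends the list
            in_hello, current = False, None
    return hellos

def check_profile(dump, configured):
    """Diff each ClientHello's offer against the configured cipher string."""
    expected = {OPENSSL_TO_IANA[name] for name in configured.split(":")}
    return [{"unexpected": sorted(set(offered) - expected - IGNORED),
             "missing": sorted(expected - set(offered))}
            for offered in client_hello_suites(dump)]
```

An empty "unexpected" and "missing" for the child's own string means the override replaced the parent value; a result that only matches the combined string would indicate additive inheritance.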
- Michael_Jenkins (Cirrostratus)
Although I'm not 100% sure this is how it works, I believe that in creating a profile with a parent profile, any modifications will be full overwrites rather than just adding.
The reason I say this is that as I look at the profile, all the inherited values come over, and I can check which ones to modify. In the case of most if not all the other properties, logically the values would need to be fully replaced, not just augmented (e.g. cert key chain, cache size & timeout, etc.). Since everything else seems like it would be overwritten, my presumption would be that you would have to use the full value as you mentioned.
Hope this helps.