Forum Discussion

Erlend_123973
Aug 20, 2015

SSL Profile cipher inheritance

Hi,

 

I have some problems understanding how the cipher option is inherited using parent profiles.

 

Consider this example: The SSL Server Profile "sslserver_parent" has cipher suite rc4-md5. I then create a new SSL Server Profile named "sslserver_custom", with the "sslserver_parent" profile as its parent.

 

What will happen when I override the cipher option on "sslserver_custom" with e.g. RC4-SHA?

 

Will the result be: RC4-MD5:RC4-SHA, or will it not inherit RC4-MD5, and simply be RC4-SHA?

 

  • Updated values are rewritten. If you have RC4-MD5 in the parent and change the child to RC4-SHA, the resultant cipher string will only include RC4-SHA. You can test this with an ssldump on the server side VLAN.

    ssldump -AdNn -i [server side vlan] port 443 and host [IP of backend server]
    

    Since the BIG-IP is the client in this case, it'll send its complete supported cipher list in its ClientHello message.

  • Although I'm not 100% sure this is how it works, I believe that in creating a profile with a parent profile, any modifications will be full overwrites rather than just adding.

     

    The reason I say this is that as I look at the profile, all the inherited values come over, and I can check which ones to modify. In the case of most if not all the other properties, logically the values would need to be fully replaced, not just augmented (e.g. cert key chain, cache size & timeout, etc...). Since everything else seems like it would be overwritten, my presumption would be that you would have to use the full value as you mentioned.

     

    Hope this helps.
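
The ClientHello check suggested in the first reply can also be scripted. The following is an added example, not part of the original thread or of F5's tooling: it reads the cipher_suites field from a raw ClientHello record and reports whether the offer matches the child profile alone or parent plus child. The function names and the sample bytes are constructed for illustration; a real input would be the first record the BIG-IP sends on the server-side VLAN.

```python
import struct

# IANA code points for the two suites in the thread, under their OpenSSL names.
SUITES = {0x0004: "RC4-MD5", 0x0005: "RC4-SHA"}
SCSV = 0x00FF  # renegotiation signalling value, not a negotiable cipher; dropped if present


def offered_ciphers(record: bytes) -> list[str]:
    """Return the cipher suites listed in one raw TLS ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    # handshake type (1) + length (3) + client_version (2) + random (32) + sid length (1)
    if len(body) < 39 or body[0] != 0x01:
        raise ValueError("not a complete ClientHello")
    pos = 39 + body[38]  # skip the session_id
    if len(body) < pos + 2:
        raise ValueError("truncated before cipher_suites")
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    raw = body[pos + 2:pos + 2 + cs_len]
    if cs_len % 2 or len(raw) != cs_len:
        raise ValueError("truncated cipher_suites")
    codes = struct.unpack(f"!{cs_len // 2}H", raw)
    return [SUITES.get(c, f"0x{c:04X}") for c in codes if c != SCSV]


def inheritance_behaviour(offered, parent, child):
    """Classify the offer: 'override' (child only), 'merge' (parent + child) or 'other'."""
    if set(offered) == set(child):
        return "override"
    if set(offered) == set(parent) | set(child):
        return "merge"
    return "other"


def sample_hello(codes):
    """Constructed ClientHello (TLS 1.0, zero random, no session id, no extensions)."""
    suites = struct.pack(f"!{len(codes)}H", *codes)
    hello = (b"\x03\x01" + bytes(32) + b"\x00"
             + struct.pack("!H", len(suites)) + suites + b"\x01\x00")
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for codes in ([0x0005, 0x00FF], [0x0004, 0x0005, 0x00FF]):
        offered = offered_ciphers(sample_hello(codes))
        print(offered, inheritance_behaviour(offered, ["RC4-MD5"], ["RC4-SHA"]))
```

Suites outside the small lookup table are reported by their hex code point, so an unexpected entry in the offer is still visible.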