Cipher Rules And Groups in BIG-IP v13
Be careful.
We started using Cipher Rules/Groups in an effort to standardize the management of ciphers in all the VS we manage. What we found was that if you make a change to an existing Cipher Rule (add or restrict ciphers), those modifications are NOT applied to the SSL Profiles where that Cipher Group was previously applied. Instead, we had to de-apply and re-apply the cipher group to each and every SSL profile in order for them to pick up the changes. Since the Cipher Rule / Group is a more centralized approach to managing cipher strings, I would have expected that changes made to those Rules/Groups would have permeated to the SSL profiles in which they were applied. Keep in mind that your SSL Profile will still show the name of the Cipher Group you just modified, but the changes you made to that Cipher Group will not be reflected in the ciphers offered by your VS. F5 suggested we reload the config through the CLI for those changes to be picked up, but we did not want to possibly impact the production environment, so I cannot report whether that would have resolved our situation.
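One way to confirm on the wire whether an edited Cipher Group actually reached a virtual server, rather than trusting the group name shown on the SSL profile. This is an added example, not part of the original post and not F5 tooling; the function names, the OpenSSL-style cipher names and the sample lists are assumptions constructed for illustration.

```python
import socket
import ssl


def offers_cipher(host, port, cipher, timeout=5.0):
    """True if the server completes a TLS 1.2-or-lower handshake with `cipher`,
    False if it refuses, None if the local OpenSSL build cannot offer it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # probing negotiation only, not certificate trust
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # set_ciphers() does not control TLS 1.3
    try:
        ctx.set_ciphers(cipher)
    except ssl.SSLError:
        return None
    sock = socket.create_connection((host, port), timeout=timeout)  # connect errors propagate
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.cipher()[0] == cipher
    except (ssl.SSLError, ConnectionError, socket.timeout):
        sock.close()
        return False


def cipher_drift(intended, candidates, probe):
    """Classify each candidate by what the Cipher Group should allow vs. what is negotiated."""
    intended = set(intended)
    report = {"stale": [], "missing": [], "unprobed": []}
    for cipher in sorted(set(candidates) | intended):
        offered = probe(cipher)
        if offered is None:
            report["unprobed"].append(cipher)
        elif offered and cipher not in intended:
            report["stale"].append(cipher)    # removed from the group, still served
        elif not offered and cipher in intended:
            report["missing"].append(cipher)  # added to the group, never picked up
    return report


if __name__ == "__main__":
    # Constructed sample: the edited group allows two GCM suites, but the
    # listener still serves the set from before the edit.
    intended = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"]
    previously = ["AES128-SHA"]
    live = {"ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"}
    print(cipher_drift(intended, intended + previously, lambda c: c in live))
    # Against a real listener (hypothetical host name):
    #   probe=lambda c: offers_cipher("vs.example.test", 443, c)
```

Include the ciphers that were in the group before the edit in `candidates`; otherwise a removed cipher that is still being served will not be probed and cannot show up as `stale`.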