Cipher Rules And Groups in BIG-IP v13
My mother used to always tell me two things before I left for school in the morning.
Be wary of what ciphers your application supports Never use the Default cipher list unless you have compatibi...
Updated Jun 06, 2023
Version 2.0
Chase_Abbott
Employee
Employee
Benoit_Durand_1
Nimbostratus
Nimbostratus@Piotr,
That's exactly my point. After you've changed your cipher group configurations, you have to go to each client profile, select another cipher group, save, re-select your original one, save, in order for your cipher group changes to be applied. This is counter-intuitive, time consuming and prone to omissions if you have a large number of client profiles using that cipher group.
It can also be misleading since Big-IP's cipher audit lists what should be expected, not what the VS actually supports after the change. Could also be a security concern where administrators may think they patched a security issue with weak protocols / ciphers when in fact they will not have.
I'm a bit disappointed. Unless it is fixed, I now feel that it's better to have the cipher string directly in the client profile instead of a Cipher Group. With a Cipher Group, if you made changes to the group you don't know if your profile needs "updating" or no. With a cipher string, what you have there is what you get, so there is no misunderstanding. Cipher Groups would be a great way to standardize and simplify cipher string configurations if changes could automatically permeate to all the Client SSL profiles on which they are applied.
- Ben