
Cipher Rules And Groups in BIG-IP v13

My mother used to always tell me two things before I left for school in the morning. Be wary of what ciphers your application supports. Never use the Default cipher list unless you have compatibi...
Updated Jun 06, 2023
Version 2.0
application delivery
BIG-IP
ciphersuites
dcsecurity17
LTM
security
Chase_Abbott
Chase_Abbott
Jun 13, 2018

@Ben;

I reviewed the case with the engineer and the issue in the ticket isn't quite related to what we're discussing. In your case you needed a DSS cipher which required a different key exchange (DSA) from what was supplied in your SSL profile cert/key (RSA). I don't see where cipher group changes did not propagate to the profile and subsequent virtual servers. Was that specifically discussed with the engineer?

 

You did have a very interesting issue where the cipher suite modifications would introduce an issue by allowing an incompatible cipher to try and answer on behalf of the RSA key exchange. RSA and DSA keys are not interchangeable so while the cipher suite can be modified to allow a DSS exchange within the cipher list, it doesn't mean it's going to work. Thank goodness for iRules.

 

@Piotr;

I am still going to rerun my config. My test was simple in that I was only examining the NMAP output between changes in a cipher group but I don't remember the string that I modified the cipher group from/to. I'll post my updated test to a Q&A discussion so I can show the code. I am at the Global Service Tech Summit right now so I won't be able to get back to testing until next week sometime.

 

-Chase
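
The key-type mismatch described in the comment above, as an added example that is not part of the original comment or any F5 code: it splits a cipher list into suites the profile's key can serve and suites that sit in the list but can never be negotiated. It assumes OpenSSL-style suite names and classifies them by a naming heuristic; the sample list and function names are constructed for illustration.

```python
# Added example: which suites in a cipher list can a given key type serve?
# Heuristic over OpenSSL-style suite names; the sample list is constructed.

CERT_FREE = "NONE"  # anonymous / PSK / SRP suites: no certificate involved
ANY_KEY = "ANY"     # TLS 1.3 suites: not tied to one certificate key type


def suite_auth(name):
    """Return the key type a suite authenticates with: RSA, DSA, ECDSA, NONE or ANY."""
    if name.startswith("TLS_"):
        return ANY_KEY
    tokens = name.upper().split("-")
    if tokens[0] in ("ADH", "AECDH"):
        return CERT_FREE
    if "DSS" in tokens:
        return "DSA"
    if "ECDSA" in tokens:
        return "ECDSA"
    if "RSA" in tokens:
        return "RSA"
    if "PSK" in tokens or "SRP" in tokens:
        return CERT_FREE
    return "RSA"  # bare names such as AES256-SHA use RSA key exchange and auth


def split_by_key(cipher_list, key_types):
    """Split suites into (servable, dead) for a profile holding key_types."""
    held = {k.upper() for k in key_types}
    servable, dead = [], []
    for suite in cipher_list:
        need = suite_auth(suite)
        ok = need == CERT_FREE or (need == ANY_KEY and bool(held)) or need in held
        (servable if ok else dead).append((suite, need))
    return servable, dead


SAMPLE = [  # constructed cipher list, as if expanded from a cipher group
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-DSS-AES256-SHA",
    "AES256-SHA",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_AES_128_GCM_SHA256",
]

if __name__ == "__main__":
    _, dead = split_by_key(SAMPLE, ["RSA"])  # profile with an RSA cert/key only
    for suite, need in dead:
        print(f"{suite}: needs a {need} key, profile holds RSA only")
```

Run against an RSA-only profile, the DSS and ECDSA suites land in the dead list even though the cipher string allows them.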

 
