Cipher Rules And Groups in BIG-IP v13
@Ben;
I reviewed the case with the engineer and the issue in the ticket isn't quite related to what we're discussing. In your case you needed a DSS cipher which required a different key exchange (DSA) from what was supplied in your SSL profile cert/key (RSA). I don't see where cipher group changes did not propagate to the profile and subsequent virtual servers. Was that specifically discussed with the engineer?
You did have a very interesting issue where the cipher suite modifications would introduce an issue by allowing an incompatible cipher to try and answer on behalf of the RSA key exchange. RSA and DSA keys are not interchangeable so while the cipher suite can be modified to allow a DSS exchange within the cipher list, it doesn't mean it's going to work. Thank goodness for iRules.
@Piotr;
I am still going to rerun my config. My test was simple in that I was only examining the Nmap output between changes in a cipher group, but I don't remember the string that I modified the cipher group from/to. I'll post my updated test to a Q&A discussion so I can show the code. I am at the Global Service Tech Summit right now so I won't be able to get back to testing until next week sometime.
-Chase
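The mismatch described in this comment (a DSS suite added to the cipher list of a profile whose cert/key is RSA, which the server can never actually negotiate) is easy to catch before it reaches a virtual server. The following is an added example, not code from this thread or from F5: it takes an expanded cipher list in either OpenSSL naming (`DHE-DSS-AES256-SHA`) or IANA naming (`TLS_DHE_DSS_WITH_AES_256_CBC_SHA`, as Nmap's `ssl-enum-ciphers` prints) and reports which suites the configured key type can honour. The name-parsing rule is a simplified heuristic over the common naming conventions, and the sample cipher string is constructed for the demonstration; the TLS 1.3 handling follows RFC 8446, which keeps RSA and ECDSA signatures but drops DSA.

```python
"""Check a cipher list against the certificate key type an SSL profile carries.

Added example; assumptions: suites are given as expanded names (not OpenSSL
keyword macros such as HIGH), in OpenSSL or IANA spelling.
"""
import re
from typing import Dict, List, Set

# Authentication token in a suite name -> certificate key type it requires.
AUTH_TOKENS = {"RSA": "RSA", "DSS": "DSA", "ECDSA": "ECDSA"}
# Tokens marking suites that need no certificate at all (anonymous DH, PSK).
NO_CERT_TOKENS = {"ADH", "AECDH", "anon", "PSK"}
# TLS 1.3 suites are not tied to one key type, but RFC 8446 removed DSA.
TLS13_KEY_TYPES = {"RSA", "ECDSA"}
# OpenSSL cipher-string keywords this heuristic does not expand.
KEYWORDS = {"DEFAULT", "ALL", "COMPLEMENTOFALL", "HIGH", "MEDIUM", "LOW"}


def required_key_types(suite: str) -> Set[str]:
    """Return the set of certificate key types that can serve this suite.

    An empty set means the suite needs no certificate (anonymous or PSK).
    Suites with no explicit auth token (e.g. AES128-SHA) use RSA key exchange
    and therefore need an RSA key.
    """
    tokens = re.split(r"[-_]", suite.strip())
    if tokens[0] == "TLS" and "WITH" not in tokens:
        return set(TLS13_KEY_TYPES)        # TLS 1.3 name: TLS_AES_128_GCM_SHA256
    for tok in tokens:
        if tok in AUTH_TOKENS:
            return {AUTH_TOKENS[tok]}
    if any(tok in NO_CERT_TOKENS for tok in tokens):
        return set()
    return {"RSA"}


def partition_suites(cipher_list: str, key_type: str) -> Dict[str, List[str]]:
    """Split a colon-separated cipher list by whether key_type can serve it.

    'usable'   - negotiable with the given key
    'unusable' - listed, but the key type can never authenticate them
    'no_cert'  - suites that do not use the certificate at all
    """
    key_type = key_type.upper()
    result: Dict[str, List[str]] = {"usable": [], "unusable": [], "no_cert": []}
    for suite in cipher_list.split(":"):
        suite = suite.strip()
        # Skip empty entries and OpenSSL modifiers such as !aNULL or @STRENGTH.
        if not suite or suite[0] in "!-+@" or suite in KEYWORDS:
            continue
        need = required_key_types(suite)
        if not need:
            result["no_cert"].append(suite)
        elif key_type in need:
            result["usable"].append(suite)
        else:
            result["unusable"].append(suite)
    return result


# Constructed sample: an RSA-keyed profile whose cipher group gained a DSS suite.
SAMPLE_CIPHER_LIST = (
    "ECDHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES256-SHA:AES128-SHA:"
    "TLS_AES_128_GCM_SHA256:ADH-AES128-SHA:!aNULL"
)


def report(cipher_list: str, key_type: str) -> str:
    """Human-readable summary of what the profile can actually negotiate."""
    parts = partition_suites(cipher_list, key_type)
    lines = [f"profile key type: {key_type}"]
    for label in ("usable", "unusable", "no_cert"):
        lines.append(f"  {label}: {', '.join(parts[label]) or '(none)'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CIPHER_LIST, "RSA"))
    print(report(SAMPLE_CIPHER_LIST, "DSA"))
```

Run against the sample list with key type `RSA`, the DSS suite lands in `unusable`: it is present in the cipher list, so a scanner will see it offered, but the profile has no DSA key to complete the handshake with. Running the same list with `DSA` flips the picture and shows why swapping the cipher group alone, without a matching cert/key, produces the behaviour Chase describes.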