Cipher Rules And Groups in BIG-IP v13

My mother used to always tell me two things before I left for school in the morning. Be wary of what ciphers your application supports. Never use the Default cipher list unless you have compatibi...
Updated Jun 06, 2023, Version 2.0
Tags: application delivery, BIG-IP, ciphersuites, dcsecurity17, LTM, security
Author: Chase_Abbott

Comment by Benoit_Durand_1, Jun 15, 2018

@Chase,

First, my apologies for misleading you. The case in question was actually C2590010, which was later followed by C2632482, not the one about RSA vs. DSA.

Second, I think I nailed the symptoms. Running 13.1.6 in my lab, I'm using "TestSSLServer" on a client PC to test what ciphers are supported by the F5 VS. I created a node, pool, SSL Client profile, VS (20.1.1.10%8) and cipher rule/group in the Common partition. Then I also created a new partition in the same route-domain as Common (%8 in my case) so routes, self-IPs and all are shared. In that partition, I created a new pool, SSL profile, VS (20.1.1.30%8), etc. I used the same Cipher Group found in the Common partition for that profile.

With "DEFAULT" as the cipher string in the cipher group, both VS presented the same ciphers through TestSSLServer. Then I changed the cipher string to "DEFAULT:!TLSv1:!TLSv1_1" in that Cipher Rule and ran the same tests using TestSSLServer. The VS at 20.1.1.10%8 in the Common partition picked up the updates and presented only TLS1.2 ciphers. The VS at 20.1.1.30%8 in the other partition did not, and still presented TLS1.0 and 1.1 ciphers. I then manually went to the SSL Client profile in the customer partition, picked one of the vanilla F5 Cipher Groups, applied, re-selected my original Cipher Group from Common, applied, ran TestSSLServer once more, and it then presented the correct TLS1.2-only ciphers.

So, it seems that the Cipher Group changes in "Common" were propagated to the SSL Client profile in that same partition, but not to the one in the custom partition.

Simple to recreate: build a Pool/VS/Client SSL Profile in Common and one in a separate partition, both using the same Cipher Group configured in Common, make changes to the Cipher Rule and observe the results. I'm about to test with 13.1.7.

Hope this helps.

Ben
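The check described in the comment, as an added example that is not from the thread or from F5: a small Python probe that derives which protocol versions a cipher rule such as "DEFAULT:!TLSv1:!TLSv1_1" should leave enabled, then attempts one handshake per version against a virtual server and reports any version the VS still offers. It assumes (not stated in the thread) that DEFAULT on BIG-IP 13.x offers TLS 1.0 through 1.2; the function names and the ALL:@SECLEVEL=0 probe setting are this example's own choices, not anything from the thread.

```python
import socket
import ssl
import sys

# F5 cipher-rule protocol keywords mapped to Python's TLSVersion enum.
# Assumption (not from the thread): DEFAULT on BIG-IP 13.x offers TLS 1.0-1.2.
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1_1": ssl.TLSVersion.TLSv1_1,
    "TLSv1_2": ssl.TLSVersion.TLSv1_2,
}
DEFAULT_VERSIONS = set(VERSIONS)


def expected_versions(cipher_string):
    """Protocol versions a rule like 'DEFAULT:!TLSv1:!TLSv1_1' should leave enabled."""
    enabled = set()
    for token in cipher_string.split(":"):
        if token == "DEFAULT":
            enabled |= DEFAULT_VERSIONS
        elif token.startswith("!") and token[1:] in VERSIONS:
            enabled.discard(token[1:])       # '!TLSv1' removes that version
        elif token in VERSIONS:
            enabled.add(token)
    return enabled


def offered_versions(host, port=443, timeout=5):
    """Try one handshake per version (pinned via min=max); return those the VS accepts."""
    accepted = set()
    for name, version in VERSIONS.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False           # lab probe: only the negotiated version matters
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = ctx.maximum_version = version
        ctx.set_ciphers("ALL:@SECLEVEL=0")   # let local OpenSSL still offer TLS 1.0/1.1
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    accepted.add(name)
        except (ssl.SSLError, OSError):
            pass                              # handshake refused: version not offered
    return accepted


def stale_versions(cipher_string, offered):
    """Versions still offered although the rule disables them (the symptom in the thread)."""
    return offered - expected_versions(cipher_string)


if __name__ == "__main__":                    # usage: probe.py <vs-ip> '<cipher string>'
    stale = stale_versions(sys.argv[2], offered_versions(sys.argv[1]))
    print("stale profile, still offers:", sorted(stale) if stale else "none")
```

Run it against both virtual servers after changing the rule; a non-empty result on one VS and an empty one on the other reproduces the partition-propagation difference the comment describes.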
