Cipher Rules And Groups in BIG-IP v13
My mother used to always tell me two things before I left for school in the morning.
Be wary of what ciphers your application supports Never use the Default cipher list unless you have compatibi...
Updated Jun 06, 2023
Version 2.0
Chase_Abbott
Employee
Employee
Cyril_M
Altostratus
AltostratusThanks a lot Chase, for both your interesting article and feedback ! I learned a lot.
The reason I'm putting this on the table is because I just upgraded from v12 to v14.1.2 and a lot of warnings were raised in the upgrade log file related to Ciphers in SSL profiles, The upgrade procedure created a new server SSL profile by the name my first https monitor in the alphabetical order, and applied it to all my https monitors ... That was kind of an unexpected behavior, so I did my researches and ended up here, wondering what was the best way to move back closer to the F5 standards :)
And I must confess I'm still not sure about the best config I can make, because your exemple shows what can be done with the new tool, but not what should be done to get an A at Qualys scan for instance ...
BTW, that could also be a way to make the cipher list management more user-friendly to sort them by Qualys rating "as of the day of the tmos release". Today that's how I proceed, by publishing a test website online and running the scan to see if my SSL profile is fine, but it takes time and it requires a public access to the website, not everyone have both :)