Moinul_Rony
Apr 03, 2023

Does parent SSL profile take precedence in individual SSL Client Profile?

Hi,

We are trying to enforce a specific TLS version in several environments.

Can we make it happen by simply enforcing the parent 'clientssl' profile?

Or do individual profiles overwrite the parent profile?

Software:

Version: 15.1.5.1
Build: 0.0.14

4 Replies

  • Individual profiles inherit settings from their parent profile, and you have the opportunity to overwrite those.

    Usually, to meet specific requirements, you create a new custom profile that inherits clientssl "defaults" and tune it to match what you need.

    TLS enforcement should be pretty easy in your version; you have several settings ready for use in the Options List (flag the "custom" checkbox).

      Moinul_Rony

      Thanks.
      What we are trying to do is globally enforce TLS v1.2. We plan to enforce it via the default parent profile, due to the fact that we have around a thousand SSL client profiles.

      For exclusion apps we cloned the default, renamed and added as parent to the excluded apps.

      For the rest we'll use the default and in default options we remove v 1.0 and v 1.1.

      Hopefully it'll do the job?

        Paulius

        Moinul_Rony I do not recommend modifying any default SSL profile and neither does F5 in most cases. The better option here would be to create a new SSL profile that uses the default SSL profile as a parent and then configure its settings to what you would like to use. Once you have this new SSL profile configured you can use it as the new parent profile for all your SSL profiles. This change would be relatively quick to make through the CLI on the F5 even if it's thousands of SSL profiles that you would need to update.

  • Yes, if you change parent settings it will be replicated to all "children" profiles that don't overwrite it already, starting from new SSL handshakes and not affecting existing connections.

    If possible (I know it's a big effort), I'd still recommend considering using a "clone" profile and updating parent profile links.
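
The re-parenting approach recommended in the replies above, sketched as an added example (not code from any poster or from F5): it reads bigip.conf-style client-ssl stanzas, prints a `tmsh modify ... defaults-from` command for each profile still parented to the default, and flags profiles whose own `options` list would keep them from inheriting the TLS restriction. The profile names, the new parent `/Common/clientssl-tls12` and the sample stanzas are constructed, and it assumes a stanza carries an `options` line only when the profile overrides its parent.

```shell
#!/bin/sh
# Added example, not from the thread. NEW_PARENT is a hypothetical profile,
# assumed to already exist with defaults-from clientssl and TLS 1.0/1.1 disabled.
OLD_PARENT="/Common/clientssl"
NEW_PARENT="/Common/clientssl-tls12"

# Reads bigip.conf-style text on stdin; prints a re-parenting plan on stdout.
plan_reparent() {
    awk -v old="$OLD_PARENT" -v new="$NEW_PARENT" '
    /^ltm profile client-ssl / { name = $4; parent = ""; opts = ""; next }
    /^}/ {                      # a brace in column 0 closes the stanza
        if (name != "" && name != old && name != new) {
            # Own options list without both flags: the parent list is not inherited
            if (opts != "" && !(index(opts, " no-tlsv1 ") && index(opts, " no-tlsv1.1 ")))
                print "# REVIEW " name ": overrides options {" opts "}"
            if (parent == old)
                print "tmsh modify ltm profile client-ssl " name " defaults-from " new
        }
        name = ""; next
    }
    name != "" && $1 == "defaults-from" { parent = $2 }
    name != "" && $1 == "options" {
        # Flags are space-delimited between the braces: { flag-a flag-b }
        i = index($0, "{"); j = index($0, "}")
        opts = substr($0, i + 1, j - i - 1)
    }'
}

# Constructed sample: an inheriting profile, one that overrides options, and
# one already parented to a (hypothetical) exclusion clone of the default.
sample_config() {
    cat <<'EOF'
ltm profile client-ssl /Common/app1_clientssl {
    app-service none
    defaults-from /Common/clientssl
}
ltm profile client-ssl /Common/app2_clientssl {
    defaults-from /Common/clientssl
    options { dont-insert-empty-fragments no-tlsv1.3 }
}
ltm profile client-ssl /Common/legacy_clientssl {
    defaults-from /Common/clientssl-legacy
}
EOF
}

sample_config | plan_reparent
```

The plan is only printed, so it can be reviewed before any command is run; a profile flagged for review needs its own options list corrected, because changing its parent alone will not change the TLS versions it accepts.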