02-Apr-2023 22:00
Hi,
We are trying to enforce a specific TLS version in several environments.
Can we make it happen by simply enforcing the parent 'clientssl' profile?
Or do individual profiles overwrite the parent profile?
Software:
Version | Build |
15.1.5.1 | 0.0.14 |
03-Apr-2023 03:11
Individual profiles inherit settings from their parent profile, and you have the opportunity to overwrite those.
Usually, to meet specific requirements, you create a new custom profile that inherits clientssl "defaults" and tune it to match what you need.
TLS enforcement should be pretty easy in your version. You have several settings ready for use in the Options List (flag the "custom" checkbox).
03-Apr-2023 03:33
Thanks.
What we are trying to do is globally enforce TLS v1.2. We plan to enforce it via the default parent profile, due to the fact that we have around a thousand SSL client profiles.
For the excluded apps, we cloned the default, renamed it, and added it as the parent for the excluded apps.
For the rest we'll use the default, and in the default's options we remove v1.0 and v1.1.
Hopefully it'll do the job?
03-Apr-2023 06:35
@Moinul_Rony I do not recommend modifying any default SSL profile and neither does F5 in most cases. The better option here would be to create a new SSL profile that uses the default SSL profile as a parent and then configure its settings to what you would like to use. Once you have this new SSL profile configured you can use it as the new parent profile for all your SSL profiles. This change would be relatively quick to make through the CLI on the F5 even if it's thousands of SSL profiles that you would need to update.
03-Apr-2023 03:40
Yes, if you change parent settings it will be replicated to all "children" profiles that don't overwrite it already, starting from new SSL handshakes and not affecting existing connections.
If possible (I know it's a big effort), I'd still recommend considering using a "clone" profile and updating parent profile links.
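An added example, not part of the thread and not F5's code: since a child profile that sets its own options does not pick up a change made on the parent, this bash function audits a profile listing and reports every client-ssl profile whose effective options still lack `no-tlsv1` or `no-tlsv1.1`. It assumes one profile per line in the shape of `tmsh list ltm profile client-ssl all-properties one-line`; the profile names and sample lines are constructed, so verify the output shape on your own version.

```bash
#!/usr/bin/env bash
# Audit client-ssl profiles for TLS 1.0/1.1 still being permitted.
# On the BIG-IP (assumed usage):
#   tmsh list ltm profile client-ssl all-properties one-line | audit_tls

# Reads one profile per line on stdin; prints "<name> parent=<p> missing=<opts>"
# for each profile whose options list does not disable TLS 1.0 and TLS 1.1.
audit_tls() {
  awk '
    $1 == "ltm" && $2 == "profile" && $3 == "client-ssl" {
      name = $4; parent = "none"; opts = ""
      for (i = 5; i <= NF; i++) {
        if ($i == "defaults-from") parent = $(i + 1)
        # "options none" leaves opts empty; "options { a b }" collects a and b
        if ($i == "options" && $(i + 1) == "{")
          for (j = i + 2; j <= NF && $j != "}"; j++) opts = opts " " $j
      }
      opts = opts " "
      missing = ""
      # Match whole tokens so that no-tlsv1.3 is not mistaken for no-tlsv1
      if (index(opts, " no-tlsv1 ") == 0)   missing = missing "no-tlsv1,"
      if (index(opts, " no-tlsv1.1 ") == 0) missing = missing "no-tlsv1.1,"
      if (missing != "") {
        sub(/,$/, "", missing)
        print name, "parent=" parent, "missing=" missing
      }
    }'
}

# Constructed sample listing (hypothetical profile names, trimmed properties).
# app_b overrides options locally, so the hardened parent does not protect it.
sample_input() {
  cat <<'EOF'
ltm profile client-ssl clientssl { defaults-from none options { dont-insert-empty-fragments no-tlsv1.3 } }
ltm profile client-ssl clientssl_tls12 { defaults-from clientssl options { dont-insert-empty-fragments no-tlsv1 no-tlsv1.1 } }
ltm profile client-ssl app_a { defaults-from clientssl_tls12 options { dont-insert-empty-fragments no-tlsv1 no-tlsv1.1 } }
ltm profile client-ssl app_b { defaults-from clientssl_tls12 options { dont-insert-empty-fragments no-tlsv1 } }
ltm profile client-ssl legacy_app { defaults-from clientssl_legacy options none }
EOF
}

# Run the audit on the constructed sample when called with --demo
if [ "${1:-}" = "--demo" ]; then
  sample_input | audit_tls
fi
```

Running the audit before and after changing a parent shows which children actually inherited the new options and which still need their local override removed.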