I'm looking to shed some of the older ciphers that are a part of the DEFAULT cipher string in our SSL profiles. The problem is, we host quite a few SSL profiles (100+) with a single virtual server. I discovered that I'm unable to update a single profile that's applied to a virtual server that has others with a (then) mismatched security policy. The support article from F5 says that I will have to remove all of the client SSL profiles from the server, update them all, and then re-add them all back. (https://support.f5.com/csp/article/K04316654)
Is it possible that something like this could be scripted so that 1) I can reduce the amount of hand-work editing each of these individual profiles and 2) more importantly reduce the maintenance window that I'll inevitably need to schedule, as removing the profiles will cause an interruption in my production web traffic?
Or any other angles to this that I'm not seeing that might make this a smoother adjustment?
My 14.1.4 lets me - what version are you on, and is it just the ciphers you are changing or something else too?
Anyway, here are a few options:
1. Use a custom parent profile.
With over 100 profiles, using a custom parent profile for them all is a really good idea so that you can manage the shared settings in one place. Do not modify the base profile (/Common/clientssl).
Start by creating a profile that customises nothing, and still has the "DEFAULT" cipher string. Then edit each profile to use that new profile as a parent, and uncheck the Cipher custom checkbox (right-hand side) to inherit the ciphers. Finally, edit the ciphers in the parent profile.