Forum Discussion

dominatorz_1208
Feb 12, 2013

Changing Client SSL profile

Dear Experts

I am new to this project. I have been assigned to change the client SSL profile to protect against the BEAST exploit vulnerability found in SSL 3.0 and TLS 1.0.

My questions are:

1. Will it affect the service while I am updating the client SSL profile?

2. What are the things I need to do/keep in mind before changing the profile (like pre-check, post-check diagnosis)?

3. What are the steps, please, and how much time will it take to change one profile?

I appreciate your kind help.

R


4 Replies

  • Hi. You should find that changes to the profile will only affect new connections. Existing (and new persistence-related) connections will use the old settings until they are closed.

    One profile shouldn't take more than a minute or two (although I don't actually know what you are changing). Obviously doing this at the CLI would be quicker. It might actually be better to create new profiles; it'll be easier to roll back.

    As for pre and post checks, I'd suggest the following as a minimum (ideally from the CLI):

    -Check available disk, CPU and memory resources - make a note

    -Check the logs to make sure the device is stable and nothing that might affect your change is being reported

    -Check no one else is on the box

    -Save the config on and off box

    -Check connection levels to the VS in question - make a note

    -Check whatever other statistics etc. that you can in relation to the function/objects you are changing

    -Make sure you have a backout plan

    -If it's an HA setup, make sure the standby(s) are operational and the config is in sync

    -Make the change

    -Compare everything you recorded pre-change with the post-change state/statistics

    -Check the logs

    -Test, test, test
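
The pre-check / change / backout sequence above as a tmsh script, added here as an example; it is not from the thread or from F5. It assumes v11-style tmsh syntax and hypothetical object names (virtual server vs_https_app, current profile clientssl_app, replacement profile clientssl_app_beast, an optional sync-failover device group) and uses the cipher string quoted later in the thread. It follows the advice to create a new profile rather than edit the old one, so the backout is a single profile swap, and it records the old cipher string so the rollback value is on file:

```shell
#!/bin/sh
# Added example, not from the thread or from F5: Steve's pre-check / change /
# backout sequence as a tmsh script (v11-style tmsh syntax is assumed).
# Hypothetical names: virtual server vs_https_app, current profile
# clientssl_app, replacement profile clientssl_app_beast. Run on the BIG-IP.
set -u

VS="${VS:-vs_https_app}"
OLD="${OLD:-clientssl_app}"
NEW="${NEW:-clientssl_app_beast}"
CIPHERS="${CIPHERS:-TLSv1_2:RC4:SSLv2:!NULL:!ADH:!LOW:!EXP:+TLSv1:+SSLv3:HIGH:MEDIUM}"
DEVICE_GROUP="${DEVICE_GROUP:-}"   # sync-failover group name on an HA pair, else empty
NOTES="/var/tmp/change_${VS}.txt"

# Return the "ciphers" value from a `tmsh list ltm profile client-ssl` listing,
# so the pre-change string is on record for the backout plan.
profile_ciphers() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*ciphers[[:space:]]\{1,\}//p' | head -n 1
}

# Constructed sample listing (what `tmsh list ltm profile client-ssl clientssl_app`
# might print), used to exercise profile_ciphers without a BIG-IP at hand.
SAMPLE_LISTING='ltm profile client-ssl clientssl_app {
    cert default.crt
    ciphers DEFAULT
    defaults-from clientssl
    key default.key
}'

# Snapshot of users, resources, HA state, the VS and the logs; run once
# before and once after the change, then diff the two files.
snapshot() {
    {
        echo "=== $1 $(date) ==="
        who                                   # anyone else on the box?
        df -h /var /shared                    # disk
        tmsh show sys cpu
        tmsh show sys memory
        tmsh show sys failover                # active/standby state
        tmsh show cm sync-status              # config in sync with peers?
        tmsh show ltm virtual "$VS"           # connection counts for this VS
        tmsh list ltm virtual "$VS" profiles
        tmsh list ltm profile client-ssl "$OLD"
        tail -n 200 /var/log/ltm
    } > "$NOTES.$1" 2>&1
}

precheck() {
    snapshot pre
    echo "old ciphers: $(profile_ciphers "$(tmsh list ltm profile client-ssl "$OLD" ciphers)")" >> "$NOTES.pre"
    tmsh save sys config                        # save on box
    tmsh save sys ucs "/var/tmp/pre_${VS}.ucs"  # archive to copy off box
}

sync_peers() {
    if [ -n "$DEVICE_GROUP" ]; then
        tmsh run cm config-sync to-group "$DEVICE_GROUP"
    fi
}

# New profile inherits everything from the old one except the cipher string.
# Only new connections pick up the change (sol13253); existing ones keep the old profile.
change() {
    tmsh create ltm profile client-ssl "$NEW" defaults-from "$OLD" ciphers "$CIPHERS"
    tmsh modify ltm virtual "$VS" profiles delete { "$OLD" }
    tmsh modify ltm virtual "$VS" profiles add { "$NEW" { context clientside } }
    tmsh save sys config
    sync_peers
    snapshot post
    diff "$NOTES.pre" "$NOTES.post"
}

backout() {
    tmsh modify ltm virtual "$VS" profiles delete { "$NEW" }
    tmsh modify ltm virtual "$VS" profiles add { "$OLD" { context clientside } }
    tmsh save sys config
    sync_peers
}

case "${1:-}" in
    precheck) precheck ;;
    change)   change ;;
    backout)  backout ;;
esac
```

Usage is `sh change_clientssl.sh precheck`, then `change`, and `backout` if the post-change diff or the tests are not clean; the old profile is never deleted, so rolling back is the same profile swap in reverse.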
  • Hi Steve

    Thank you very much for the detailed explanation.

    So far I know that I will be changing the existing client SSL profile through the GUI. I will log in to the BIG-IP box through TASCAS, where I can view and access all the boxes located in different locations.

    First I need to check what SSL certificate is in the client profile and if they are using SSL 2.0 and TLS 1.0... then change it to the new SSL certificate which includes TLS 1.2 + RC4 along with the old string.

    If I am changing through the GUI, what are the things I need to check before changing the profile? Also, please could you give a brief idea of what services it could affect if I am changing the existing client profile, as I need to draft a change release plan and request approval for what I am changing.

    What would be the backout plan/rollback plan??? As far as my understanding goes from what I have seen so far, the new string will have the old string as well, so when the client browser tries to connect through SSL, first it will go through TLS 1.2 and then RC4, and if the browser is not supported then it will go ahead with the old string. An example is: TLSv1_2:RC4:SSLv2:!NULL:!ADH:!LOW:!EXP:+TLSv1:+SSLv3:HIGH:MEDIUM... am I right?

    Many thanks

    R
  • "Also, please could you give a brief idea of what services it could affect if I am changing the existing client profile, as I need to draft a change release plan and request approval for what I am changing." As Steve mentioned, new connections to a virtual server using that clientssl profile will be affected (i.e. they will use the new setting).

    sol13253: Configuration changes to local traffic objects do not affect existing connections

    http://support.f5.com/kb/en-us/solutions/public/13000/200/sol13253.html

    You can display the SSL cipher suite list used by BIG-IP for a given cipher string with the tmm --clientciphers command.

    e.g.

    [root@ve10:Active] config  tmm --clientciphers 'TLSv1_2:RC4:SSLv2:!NULL:!ADH:!LOW:!EXP:+TLSv1:+SSLv3:HIGH:MEDIUM'
         ID SUITE                          BITS  PROT  METHOD CIPHER MAC    KEYX
     0:   4 RC4-MD5                         128  TLS1.2  Native RC4    MD5    RSA
     1:   5 RC4-SHA                         128  TLS1.2  Native RC4    SHA    RSA
     2:  47 AES128-SHA                      128  TLS1.2  Native AES    SHA    RSA
     3:  53 AES256-SHA                      256  TLS1.2  Native AES    SHA    RSA
     4:  10 DES-CBC3-SHA                    192  TLS1.2  Native DES    SHA    RSA
     5:  60 AES128-SHA256                   128  TLS1.2  Native AES    SHA256 RSA
     6:  61 AES256-SHA256                   256  TLS1.2  Native AES    SHA256 RSA
     7:   4 RC4-MD5                         128  TLS1  Native RC4    MD5    RSA
     8:   5 RC4-SHA                         128  TLS1  Native RC4    SHA    RSA
     9:   4 RC4-MD5                         128  SSL3  Native RC4    MD5    RSA
    10:   5 RC4-SHA                         128  SSL3  Native RC4    SHA    RSA
    11:  53 AES256-SHA                      256  SSL3  Native AES    SHA    RSA
    12:  53 AES256-SHA                      256  TLS1  Native AES    SHA    RSA
    13:  53 AES256-SHA                      256  DTLS1  Native AES    SHA    RSA
    14:  10 DES-CBC3-SHA                    192  SSL3  Native DES    SHA    RSA
    15:  10 DES-CBC3-SHA                    192  TLS1  Native DES    SHA    RSA
    16:  10 DES-CBC3-SHA                    192  DTLS1  Native DES    SHA    RSA
    17:  47 AES128-SHA                      128  SSL3  Native AES    SHA    RSA
    18:  47 AES128-SHA                      128  TLS1  Native AES    SHA    RSA
    19:  47 AES128-SHA                      128  DTLS1  Native AES    SHA    RSA
    

    To test a cipher, you may use "openssl s_client" or "curl"; both have an option to specify the cipher you want to use.

    Hope this helps.
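
The openssl s_client / curl check described above, written out as an added example (not code from the thread or from F5). It assumes a placeholder virtual server vs.example.com:443 and an openssl build that still accepts the -ssl3 and -tls1 flags (newer builds drop SSLv3). For each protocol version it reports what the server negotiates with a default client offer and with a client that offers only RC4, which is what you want to compare before and after the profile change:

```shell
#!/bin/sh
# Added example, not from the thread: verify what the virtual server actually
# negotiates after the change, per protocol version and for RC4 specifically,
# with openssl s_client and curl. Host vs.example.com:443 is a placeholder;
# the -ssl3 flag only exists in openssl builds that still include SSLv3.
set -u

# Reduce s_client output to "PROTOCOL CIPHER" from the SSL-Session block, or
# "FAIL" when no session was set up (s_client then prints "Cipher : 0000").
parse_s_client() {
    proto=$(printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$1" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    if [ -z "$proto" ] || [ -z "$cipher" ] || [ "$cipher" = "0000" ]; then
        echo FAIL
    else
        echo "$proto $cipher"
    fi
}

# One handshake: $1 host:port, $2 protocol flag (-ssl3, -tls1, -tls1_1, -tls1_2),
# $3 optional OpenSSL cipher list that restricts what the client offers.
probe() {
    if [ -n "${3:-}" ]; then
        out=$(openssl s_client -connect "$1" "$2" -cipher "$3" </dev/null 2>&1)
    else
        out=$(openssl s_client -connect "$1" "$2" </dev/null 2>&1)
    fi
    parse_s_client "$out"
}

# Post-change report for one virtual server (run it before the change too,
# and keep both outputs with the change record).
report() {
    host=$1
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        printf '%-8s default offer: %s\n' "$flag" "$(probe "$host" "$flag")"
        printf '%-8s RC4 only:      %s\n' "$flag" "$(probe "$host" "$flag" 'RC4-SHA:RC4-MD5')"
    done
    # Same check from the HTTP side: a client restricted to RC4-SHA, TLS 1.0
    # minimum; an HTTP status back means the handshake completed.
    printf 'curl RC4-SHA client -> HTTP %s\n' \
        "$(curl -s -o /dev/null -w '%{http_code}' --tlsv1.0 --ciphers RC4-SHA "https://$host/" || echo 'handshake failed')"
}

# Constructed samples of s_client output, so parse_s_client can be run offline.
SAMPLE_TLS12='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA256
    Session-ID: 1A2B3C'
SAMPLE_NOSESSION='SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID:'

if [ -n "${1:-}" ]; then
    report "$1"
fi
```

Run as `sh tls_probe.sh vs.example.com:443`. A line such as `-tls1 RC4 only: TLSv1 RC4-SHA` next to `-tls1_2 default offer: TLSv1.2 AES128-SHA256` is what the cipher string in the thread is meant to produce: TLS 1.2 clients get TLS 1.2, and older clients that still speak only TLS 1.0 fall back to RC4 rather than a CBC suite.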