Forum Discussion

CWall_333_32537
Apr 25, 2018

extra serverssl profiles in the bigip.conf

Hello:

I recently discovered that 7 of our LTMs had a serverssl profile in the bigip.conf (with additional options).

All the rest do not have any serverssl profile in the bigip.conf.

By default that profile is defined in the profile_base.conf.

There seem to be options that are added that I can't find in the GUI.

app-service none
expire-cert-response-control drop
generic-alert enabled
proxy-ssl disabled
renegotiation enabled
retain-certificate true
secure-renegotiation request
server-name none
session-ticket disabled
sni-default false
sni-require false
ssl-forward-proxy disabled
ssl-forward-proxy-bypass disabled
ssl-sign-hash any
untrusted-cert-response-control drop

I don't know how long they have been there, or why... any thoughts?

I am thinking we should remove them and get our overall environment configuration to be standard.

5 Replies

  • You are required to choose the advanced configuration. When you select the profile, you are shown only the basic configuration.

    Click on the advanced, you will see every option.

  • profile_base.conf contains the original default profiles. Only after making changes to them do they show up in your bigip.conf.

    As for the "extra" options, they do seem quite normal; SNI, SSL forward proxy, I see those in my GUI, with a bit different names, but they are there.

    Stuff like app-service is used with iApps, so you don't see those directly in the GUI if they are not used.

    I wouldn't worry too much about it as long as the settings are otherwise equal.

  • tmsh list ltm profile server-ssl serverssl all-properties on the command line gets all the options and parameters...

    But now I have a different issue. I set the parameters to the defaults they should be in the 2nd serverssl profile located in the bigip.conf.

    (the serverssl profile is also in the profile_base.conf where it should be)

    I want to remove the serverssl profile that is in 7 out of 64 LTMs so that we are all standard, and so that every time we update TMOS we won't have to check the parameters to see if anything has changed in those 7 LTM bigip.conf files.

    Cannot delete it from the CLI or GUI... I tried editing the bigip.conf to remove it (reloaded the config) but found some of our SSL profiles are still looking for their parent "defaults-from" profile where it was in the bigip.conf.

    Is there any way to force the SSL profiles to use the serverssl profile that is the default in the profile_base.conf?

  • I still don't quite get your exact problem; it will probably be easier to contact F5 support and provide them the full configs. Once you start touching those defaults I would want to double check that with F5 support for sure.

  • We are not touching the defaults; the serverssl profile in profile_base.conf is the default.

    Obviously in the past someone did touch the defaults, probably using the GUI. That creates a new serverssl profile in the bigip.conf with the changes made.

    Since bigip.conf gets loaded after the profile_base.conf... the serverssl profile in the bigip.conf overwrites it.

    I'm trying to clean that up. First I set all the parameters in the serverssl profile in the bigip.conf BACK to the correct default option parameters that the serverssl profile in the profile_base.conf has, and waited some time to make sure all was well.

    I am trying to remove the serverssl profile from the bigip.conf. It is redundant; it re-loads all the same option parameters that the serverssl profile in the profile_base.conf has.

    Also, we will have to check those 7 profiles for changes in any future software versions, because the updates will not update a serverssl profile in the bigip.conf, only in the profile_base.conf.

    But I just can't find a way to get rid of it, because if I remove it and reload, the LTM sync is broken.

    Sync error on /Common/ourltm.company.com: Load failed from /Common/ourltm.company.com 01020036:3: The requested parent profile (/Common/serverssl) was not found.
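An added example, not from the thread or from F5: a small audit script that parses tmsh-style stanzas from a profile_base.conf and a bigip.conf, reports which attributes of a shadowing serverssl stanza differ from the shipped default, and lists the custom profiles whose defaults-from points at it (the ones that would fail to load, as in the sync error above, if the stanza were simply deleted). The file contents are constructed samples; the attribute names are those listed in the thread.

```python
import re

# Constructed samples (not real F5 file contents): a profile_base.conf stanza
# holding the shipped defaults, and a bigip.conf that re-declares the same
# profile with one drifted value plus a custom profile that inherits from it.
PROFILE_BASE = """\
ltm profile server-ssl serverssl {
    app-service none
    expire-cert-response-control drop
    generic-alert enabled
    renegotiation enabled
    secure-renegotiation request
    untrusted-cert-response-control drop
}
"""
BIGIP_CONF = """\
ltm profile server-ssl serverssl {
    app-service none
    expire-cert-response-control ignore
    generic-alert enabled
    renegotiation enabled
    secure-renegotiation request
    untrusted-cert-response-control drop
}
ltm profile server-ssl backend-ssl {
    defaults-from serverssl
    server-name none
}
"""

# One flat "ltm profile server-ssl <name> { ... }" stanza, closed by "}" at column 0.
STANZA = re.compile(r"^ltm profile server-ssl (\S+) \{\n(.*?)^\}", re.S | re.M)

def parse_profiles(text):
    """Return {name: {attribute: value}} for each server-ssl stanza."""
    profiles = {}
    for name, body in STANZA.findall(text):
        attrs = {}
        for line in body.splitlines():
            parts = line.split(None, 1)  # "key value", one per line
            if len(parts) == 2:
                attrs[parts[0]] = parts[1].strip()
        profiles[name] = attrs
    return profiles

def find_shadowed_defaults(base_text, conf_text):
    """For every profile declared in both files, map attribute -> (default, actual)
    for each attribute whose bigip.conf value differs from profile_base.conf."""
    base, conf = parse_profiles(base_text), parse_profiles(conf_text)
    return {name: {k: (base[name].get(k), v) for k, v in attrs.items()
                   if base[name].get(k) != v}
            for name, attrs in conf.items() if name in base}

def dependents(conf_text, parent):
    """Profiles in bigip.conf that inherit from `parent` via defaults-from;
    these are what break if the shadowing stanza is deleted without care."""
    return sorted(n for n, a in parse_profiles(conf_text).items()
                  if a.get("defaults-from") == parent)
```

Run the two functions over the real files (e.g. copies of /config/bigip.conf and /defaults/profile_base.conf) to get a per-device drift report before deciding what to clean up.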