Disable DHE Ciphers - SSL Parent Profile

Question

I'm currently running 11.6.0 on most of my devices and am looking to upgrade passed version 12.0 in the near future. Looking at the iHealth Upgrade Advisor, I need to disable DHE ciphers on all of my Server SSL Profiles before upgrading. &nbsp;
I added  DEFAULT:!EXPORT:!DHE  to one of my Server SSL Profiles and it is no longer getting flagged in iHealth. Can I add that string to the Server SSL parent profile, or do I have to add that to each profile individually? Will updating the parent profile have any adverse effects on my other profiles, or would the Cipher settings be the only thing that changes? &nbsp;

simon_blakely · Answer

F5 recommends that you do not modify a default profile (like the serverssl profile).  
&nbsp;
What you should do is create a new site-default server-ssl profile, and change the Parent Profile on all your existing server-ssl profiles to this new site-default profile.&nbsp;
Then (in future) is you need to modify a setting on all your server-ssl profiles, you can make that change on your site-default profile and pass it to all the child profiles.&nbsp;
You can override an inherited option in a child profile by setting the custom checkbox for a specific option.&nbsp;

Forum Discussion

Disable DHE Ciphers - SSL Parent Profile

1 Reply

Recent Discussions

Stable Firmware for F5

BigIP Next - Health Monitors / Template

LDAPS and renegotiation

Need advise to setup a policy on F5

Web acceleration

Related Content

Disabling Weak Ciphers

Disable below cipher

How to disable weak cipher from Client SSL Profile

Disabling Ciphers

Capture Virtual Server Clientssl Profile & Ciphers Mapping - Bash