Forum Discussion

rsbs01
Sep 25, 2018

Changing parent profile to VIP with multiple client-ssl profiles

Hi everybody.

 

I have created a new profile that defaults from client-ssl. The only thing that I changed in that new profile was to exclude some ciphers => DEFAULT:!TLSv1:!RC4. I wanted to assign that profile as the new parent profile to several VIPs. Basically this worked. However, on one VIP I received the following error => 0107157c:3: Selected client SSL profiles do not match security policies for Virtual Server

 

That VIP had 2 client-ssl profiles; one was of course the default SSL profile for SNI. But when I applied the new parent profile even to this client-ssl profile, I received the above-mentioned error.

 

Could you please help here?

 

3 Replies

  • Hi,

     

    Take a look at:

     

    https://support.f5.com/csp/article/K13452

     

    It states the following:

     

    For security purposes, F5 recommends that you configure the following settings with the same values for all of the SSL/TLS SNI profiles associated with the same virtual server:

     

    Ciphers
    Client Authentication
    Client Certificate
    Frequency
    Certificate Chain Traversal Depth
    Advertised Certificate Authorities
    Certificate Revocation List (CRL)

     

     

    In BIG-IP 11.2.0 and later, the BIG-IP system will display an error message that appears similar to the following example if any of the settings are non-matching:

     

    0107157c:3: Selected client SSL profiles do not match security policies for Virtual Server /Common/

     

     

    So if you have two profiles, one with SNI and the other without SNI or different values, you get this message.

     

    Regards,

     

    Martijn

     

    • h_elyot

      Hello Martijn,

       

      Do you know how I can modify the parent profile of multiple client SSL profiles on the same VS at once, in order to change the cipher from the default one of the client-ssl parent profile to a no-CBC client-ssl parent profile that I have created for all of them?

       

      Because, when I modify and try to update one, I get the error message you describe above.

       

      Regards

      • canttalkeating

        Hello h.elyot,

         

        It doesn't look like you can change the cipher values at the parent level and have them propagate down to all child SSL profiles dependent on that parent.

         

        You can change other attributes within the Client SSL Parent profile that will be reflected in the child profiles but not the ciphers.

         

        I wouldn't recommend ever changing the default values of any BIG-IP profiles, as a best practice.

         

        Cheers,

         

        David
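
An added example (editor's code, not from anyone in this thread and not from F5) that turns the K13452 rule Martijn quotes into a pre-check, and addresses h_elyot's question about moving every client-ssl profile on one VS together: it parses a small tmsh-style listing, resolves each profile's effective `ciphers`, `peer-cert-mode`, `authenticate`, `authenticate-depth`, `ca-file` and `crl-file` by walking `defaults-from`, reports which of those differ between the profiles attached to a virtual server, and shows that re-pointing all of them at the same parent clears the mismatch. The profile names, parent names and cipher strings are constructed for illustration; the assumption that an attribute not set on a child is inherited from its parent is a simplification of BIG-IP behaviour, so on a real unit confirm effective values with `tmsh list ltm profile client-ssl <name> all-properties` before changing anything.

```python
"""Pre-check for 0107157c:3 before re-parenting client-ssl profiles.

Editor's example, not from the thread or from F5. Input is a constructed,
tmsh-style listing; on a real BIG-IP it would come from
`tmsh list ltm profile client-ssl` and the VS's attached profiles.
"""
import re

# tmsh attribute names carrying the settings K13452 says must match across
# all SNI client-ssl profiles on one virtual server.
POLICY_KEYS = ("ciphers", "peer-cert-mode", "authenticate",
               "authenticate-depth", "ca-file", "crl-file")

# Constructed sample: stock parent, a hardened parent, two children on one VS.
SAMPLE_CONFIG = """
ltm profile client-ssl clientssl {
    ciphers DEFAULT
    peer-cert-mode ignore
    authenticate once
    authenticate-depth 9
    ca-file none
    crl-file none
}
ltm profile client-ssl clientssl-hardened {
    defaults-from clientssl
    ciphers DEFAULT:!TLSv1:!RC4
}
ltm profile client-ssl www-default-sni {
    defaults-from clientssl
    sni-default true
}
ltm profile client-ssl www-alt-name {
    defaults-from clientssl-hardened
    server-name alt.example.test
}
"""

BLOCK_RE = re.compile(r"ltm profile client-ssl (\S+) \{(.*?)\n\}", re.S)


def parse_profiles(text):
    """Return {name: {attr: value}} for every client-ssl block in the text."""
    profiles = {}
    for name, body in BLOCK_RE.findall(text):
        attrs = {}
        for line in body.strip().splitlines():
            key, _, value = line.strip().partition(" ")
            attrs[key] = value
        profiles[name] = attrs
    return profiles


def effective(profiles, name, key):
    """Resolve `key` for `name`; an unset attribute is taken from defaults-from.

    This models inheritance as a chain walk (assumption); a cycle or an
    unknown profile yields None.
    """
    seen = set()
    while name in profiles and name not in seen:
        seen.add(name)
        attrs = profiles[name]
        if key in attrs:
            return attrs[key]
        name = attrs.get("defaults-from")
    return None


def policy_mismatches(profiles, attached):
    """Return {key: {profile: value}} for policy keys whose values differ."""
    out = {}
    for key in POLICY_KEYS:
        values = {p: effective(profiles, p, key) for p in attached}
        if len(set(values.values())) > 1:
            out[key] = values
    return out


def reparent(profiles, names, new_parent):
    """Return a copy of `profiles` with every profile in `names` re-parented."""
    updated = {n: dict(a) for n, a in profiles.items()}
    for n in names:
        updated[n]["defaults-from"] = new_parent
    return updated


if __name__ == "__main__":
    profs = parse_profiles(SAMPLE_CONFIG)
    vs_profiles = ["www-default-sni", "www-alt-name"]
    # Only one child moved to the hardened parent: ciphers now disagree,
    # which is the situation that produces 0107157c:3 on the VS.
    print("before:", policy_mismatches(profs, vs_profiles))
    # Move every client-ssl profile on the VS in one step, then re-check.
    fixed = reparent(profs, vs_profiles, "clientssl-hardened")
    print("after :", policy_mismatches(fixed, vs_profiles))
```

The point the check makes visible is that the error is about the set of profiles on the VS disagreeing, not about any one profile being wrong; applying the hardened parent to one SNI profile while the default SNI profile still inherits `DEFAULT` is exactly the disagreement, so the change has to land on all of them before the VS is saved.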