Forum Discussion

SteveMP
Aug 30, 2017

How to get client SSL profile to inherit parent cipher suite in SNI config?

Hello,


A security audit has found some issues with cipher suites in use in the default SSL client profiles(v12.1.2). Since this Virtual Server uses SNI, I am unable to modify the client profiles directly, otherwise I get an error that the security doesn't match for the virtual server(since there are 3 other client profiles assigned to virtual server). I created a new client SSL profile with a more secure cipher suite, and tried using that as the parent, however the client basically ignores the parent profile setting since the child profile contains "DEFAULT" in ciphers. Is there a way to have the client profile inherit the parent's cipher suite? I tried removing "DEFAULT" and leaving it blank, but that also throws the security error. Otherwise I will have to remove the 3 production profiles from the Virtual Server, causing a production outage. Seems rather silly.


Thanks.


5 Replies

  • Use the tickbox, unticking any custom configuration for that cipher configuration field instead of erasing its current config. It should grey out, and that's when it fetches the configuration from the parent profile. If it doesn't, then you're facing a misleading-GUI-information bug. I recall this bug of misleading GUI information in clientssl profiles occurred after 10.2.4 to 11.5.x upgrades. It's unlikely this ever got fixed. The workaround solution is to configure inherit settings in TMSH (or in /config/bigip.conf and loaded in). This needs to be done once for all clientssl profiles that have one or more parents.


    • SteveMP

      Ah ok, thanks. That seems to be it, so now I get the error "Selected client SSL profiles do not match security policies for Virtual Server /". So it goes back to the limitation, since it's SNI, that all profiles have to be identical. Which is odd; it should be a warning, click OK to proceed, not completely stop me from doing it. Oh well, guess I will have to schedule some downtime for production in order to test with the test site...


  • Hi SteveMP,

    As Hannes has already pointed out, the solution is to uncheck the Cipher-Suite setting so that the profile will inherit the settings from its parent profile.

    When using SNI, make sure that you configure security-related settings only in the SNI-Default Profile and that every other SNI-related profile inherits those settings.

    Basically you have to create the following profiles / inheritance:

    - ClientSSL-Profile
         Contains default settings
        - SNI-Default-Profile
             Inherits all settings from the ClientSSL-Profile
             MAY contain custom ciphers, security and SSL settings
             MUST be the default profile for SNI
            - Additional SNI-Profiles
                 Inherit all settings from the SNI-Default-Profile
                 MUST NOT be the default SNI profile
                 MUST have an SNI value configured

    To bulk change the involved profiles without getting security warnings, you may...

    a.) Temporarily detach all profiles from the virtual server, tweak the settings as outlined above and then attach the changed profiles again. This change can be performed on the standby unit so as not to affect live traffic. After the change is complete, sync the configuration or perform a failover.

    b.) Create a new set of SNI-enabled SSL Profiles, tweak the settings as outlined above and then replace the old profile with the just created profiles. Then delete the old SSL Profiles...

    c.) Export the existing SSL profile configuration via

        tmsh list ltm profile client-ssl

    change the config settings as outlined above, and import the changed configuration via

        tmsh load sys config merge from-terminal

    Cheers, Kai
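To make the three-tier layout and option c.) concrete, here is an added bigip.conf-style fragment of the kind you would paste into `tmsh load sys config merge from-terminal`; it is not from Kai's reply or from F5 documentation. The profile names, hostnames, certificate/key objects and the cipher string are placeholders, and the "before" stanza is the explicit `ciphers DEFAULT` child described in the question.

```tmsh
# Added illustration of the ClientSSL -> SNI-Default -> SNI-child layout.
# All object names, hostnames and the cipher string below are placeholders.

# BEFORE (the situation in the question): the SNI child carries its own
# explicit "ciphers DEFAULT", so the parent's cipher string never applies.
ltm profile client-ssl /Common/sni-www {
    defaults-from /Common/sni-default
    ciphers DEFAULT
    server-name www.example.com
    sni-default false
}

# AFTER: set the cipher string once, on the SNI-default profile, and leave
# the "ciphers" line out of every child so it is taken from defaults-from.
# Because every child then carries the same security settings as the
# default profile, they no longer trip the virtual server's policy check.
ltm profile client-ssl /Common/clientssl-base {
    defaults-from /Common/clientssl
}
ltm profile client-ssl /Common/sni-default {
    defaults-from /Common/clientssl-base
    ciphers DEFAULT:!RC4:!3DES:!MD5:!SSLv3
    cert-key-chain {
        default { cert /Common/default-site.crt key /Common/default-site.key }
    }
    sni-default true
}
ltm profile client-ssl /Common/sni-www {
    defaults-from /Common/sni-default
    cert-key-chain {
        www { cert /Common/www.crt key /Common/www.key }
    }
    server-name www.example.com
    sni-default false
}
ltm profile client-ssl /Common/sni-api {
    defaults-from /Common/sni-default
    cert-key-chain {
        api { cert /Common/api.crt key /Common/api.key }
    }
    server-name api.example.com
    sni-default false
}

# Check: "tmsh list ltm profile client-ssl /Common/sni-www" prints only the
# explicitly set properties, so no "ciphers" line should appear on a child;
# "tmsh list ltm profile client-ssl /Common/sni-default ciphers" shows the
# string every child now uses.
```

As Kai's option a.) suggests, stage the merge on the standby unit first and confirm the children show no explicit ciphers line before syncing or failing over.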