Yup, apply custom cipher configuration to your custom profile, or even better, refer to the model below. I've found it's best to leave default vendor profiles untouched at all times. But I also do not want to waste time repeating the same custom settings across many app-specific profiles. So I found a 3-tiered model works best. Here's what I do:
clientssl (vendor default). Always untouched.
clientssl_base (defaults-from clientssl). Here I apply my custom configurations to be used across all app-specific profiles. Advantage of having this profile - I only have to define my custom configurations, i.e. preferred cipher suites, just once without having to alter vendor defaults.
clientssl_appspecific (defaults-from clientssl_base). This profile has the application-specific TLS cert/key pair attached to it; cipher configuration and all other settings are derived from the clientssl_base profile.
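
The three-tier layout described above, sketched as tmsh commands. This is an added example and not part of the original post; the profile name clientssl_app1, the certificate and key object names, and the cipher string are constructed placeholders to be replaced with your own.

```tmsh
# Tier 1: clientssl is the vendor default. Nothing is created or modified for it.

# Tier 2: shared baseline. Only the settings that differ from the vendor
# default are set here; everything else is inherited from clientssl.
# The cipher string is a constructed sample, not a recommendation.
create ltm profile client-ssl clientssl_base defaults-from clientssl ciphers "ECDHE+AES-GCM:ECDHE+AES:!SSLv3:!TLSv1"

# Tier 3: per-application profile. Only the cert/key pair is set, so the
# cipher configuration keeps following clientssl_base.
# app1.example.com.crt and app1.example.com.key are placeholder object names.
create ltm profile client-ssl clientssl_app1 defaults-from clientssl_base cert-key-chain add { app1 { cert app1.example.com.crt key app1.example.com.key } }

# Check the parent and the effective cipher string on the application profile.
list ltm profile client-ssl clientssl_app1 defaults-from
list ltm profile client-ssl clientssl_app1 ciphers

# Caveat: a setting given explicitly on a child profile becomes a custom
# value and no longer follows the parent, so avoid setting ciphers at tier 3.
```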