Teemu_Kunnari_1
Jan 26, 2018

Use different ciphers for a host when using policies

Hello,

 

I was wondering if it is possible to use different ciphers for different hosts (e.g. test123.com) when using policies to forward traffic to different pools on the same virtual server?

 

I can't modify the whole SSL client profile that is attached to the virtual server, because tightened ciphers could break some sites that are not test123.com.

 

BR

 

Teemu

 

3 Replies

  • I don't think it's possible. I was testing the same thing with SNI SSL profiles, but they do not work if the profiles use different ciphers.

     

    I hope all SSL profiles should have the same ciphers.

     

    Let's see if anyone has tested a different way.

     

    Thx

     

    Srini

     

    • Teemu_Kunnari_1

      But there is the option when configuring a policy:

       

      Match all of the following conditions: CLIENT SSL cipher is any of at request time and then add the HTTP Host is

       

      Shouldn't this work?

       

      br

       

      teemu

       

  • You can do it by enabling renegotiation with the SSL profiles and swapping, but this is not a recommended solution.

     

    First, the security issues; second, all connections would go through multiple SSL connections, slowing things down.

     

    Recommend configuring multiple Virtual Servers with different SSL Profiles. Simple, more secure and easier to manage than a complex set of iRules.