Just want clarification from F5 admins out there.
We have a pair of Big IP LTM Model 3400 appliance in HA pair running version BIG-IP 10.2.4 Build 864.0 Hotfix HF11 . We have many dozens of production VIPS and we just need to disable RC4 globally. Luckily, all the SSL client profiles in all the VIPS have the default "clientssl"as their parent profile.
The "clientssl" profile has the current cipher list of DEFAULT:!SSLv3. So looks like I have to add do not user RC4 so the cipher list now looks like DEFAULT:!SSLv3:!RC4
Question: Once I do this, do all the dependent SSL profiles automatically start "inheriting" this new cipher list from the parent clientssl? i.e. No need to restart, disable/enable or anything like that?
Also, what exactly happens once the !RC4 is added to the cipherlist? Do all browsers connecting to the VIP start negotiating as normal, but not to try RC4? Would there be any potential impacts to any old browsers? Any outages I should be aware of?
There are many links on F5 describing cipher lists, but not specifically addressing what happens once the change kicks in.
Thanks and regards.