f5-appsvcs-extension
AS3 unable to deploy new Cipher_Groups alongside new Cipher_Rules on BIG-IP v13 devices
Environment
- Application Services Version: 3.38
- BIG-IP Version: 13.1.3.6
Summary
Unable to deploy a JSON payload containing both cipher groups and cipher rules onto a v13 device that doesn't already have these groups and rules built. The same JSON payload deploys fine onto a v15 device.
Steps To Reproduce
Steps to reproduce the behavior:
- Submit the following declaration:
{
"$schema": "https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/master/schema/3.34.0/as3-schema.json",
"class": "AS3",
"action": "deploy",
"persist": true,
"declaration": {
"class": "ADC",
"schemaVersion": "3.34.0",
"Common": {
"class": "Tenant",
"Shared": {
"class": "Application",
"template": "shared",
"csg-old-default-serverssl-ciphers": {
"class": "Cipher_Group",
"allowCipherRules": [
{
"use": "HIGH"
}
],
"excludeCipherRules": [
{
"use": "ADH"
}
],
"requireCipherRules": [],
"order": "default"
},
"csg-old-dev-cxp-router-ciphers": {
"class": "Cipher_Group",
"allowCipherRules": [
{
"use": "HIGH"
},
{
"use": "AES"
}
],
"excludeCipherRules": [
{
"use": "ADH"
}
],
"requireCipherRules": [],
"order": "default"
},
"csg-old-default-clientssl-ciphers": {
"class": "Cipher_Group",
"allowCipherRules": [
{
"use": "HIGH"
},
{
"use": "AES"
},
{
"use": "threeDES"
}
],
"excludeCipherRules": [
{
"use": "ADH"
}
],
"requireCipherRules": [],
"order": "default"
},
"csg-old-rabbitmq-pmgout-ciphers": {
"class": "Cipher_Group",
"allowCipherRules": [
{
"use": "HIGH"
},
{
"use": "AES"
},
{
"use": "threeDES"
}
],
"excludeCipherRules": [
{
"use": "ADH"
},
{
"use": "SSLv3"
},
{
"use": "DTLSv1"
},
{
"use": "TLSv1"
},
{
"use": "TLSv1_1"
}
],
"requireCipherRules": [],
"order": "default"
},
"csg-old-chase-outrouter-serverssl-ciphers": {
"class": "Cipher_Group",
"allowCipherRules": [
{
"use": "HIGH"
}
],
"excludeCipherRules": [
{
"use": "ADH"
},
{
"use": "SSLv3"
},
{
"use": "DTLSv1"
},
{
"use": "TLSv1"
},
{
"use": "TLSv1_1"
}
],
"requireCipherRules": [],
"order": "default"
},
"csg-old-srysrv-default-ciphers": {
"class": "Cipher_Group",
"allowCipherRules": [
{
"use": "DEFAULT"
}
],
"excludeCipherRules": [
{
"use": "RC4"
}
],
"requireCipherRules": [],
"order": "default"
},
"csg-secure-ciphers": {
"class": "Cipher_Group",
"allowCipherRules": [
{
"use": "TLSv1_2"
}
],
"excludeCipherRules": [
{
"use": "CBC"
},
{
"use": "DES"
},
{
"use": "RC4"
},
{
"use": "threeDES"
},
{
"use": "ADH"
}
],
"requireCipherRules": [],
"order": "default"
},
"csg-strong-secure-ciphers": {
"class": "Cipher_Group",
"allowCipherRules": [
{
"use": "TLSv1_2"
}
],
"excludeCipherRules": [
{
"use": "CBC"
},
{
"use": "DES"
},
{
"use": "RC4"
},
{
"use": "threeDES"
},
{
"use": "ADH"
},
{
"use": "secure-but-weak"
}
],
"requireCipherRules": [],
"order": "default"
},
"CBC": {
"class": "Cipher_Rule",
"cipherSuites": [
"DHE-RSA-AES128-SHA256",
"DHE-RSA-AES256-SHA256",
"DHE-RSA-CAMELLIA256-SHA",
"ECDHE-RSA-DES-CBC3-SHA",
"ECDHE-RSA-AES128-SHA256",
"ECDHE-RSA-AES256-SHA384",
"AES128-SHA256",
"AES256-SHA256",
"CAMELLIA256-SHA",
"AES256-GCM-SHA384",
"ECDHE-RSA-AES128-CBC-SHA",
"ECDHE-RSA-AES256-CBC-SHA"
],
"namedGroups": [],
"signatureAlgorithms": []
},
"secure-but-weak": {
"class": "Cipher_Rule",
"cipherSuites": [
"AES128-GCM-SHA256",
"AES128-SHA",
"AES256-SHA",
"CAMELLIA128-SHA",
"ECDHE-ECDSA-AES128-SHA",
"ECDHE-ECDSA-AES128-SHA256",
"ECDHE-ECDSA-AES256-SHA",
"ECDHE-ECDSA-AES256-SHA384",
"DHE-RSA-AES128-SHA",
"DHE-RSA-AES256-SHA",
"DHE-RSA-CAMELLIA128-SHA",
"DHE-DSS-AES128-SHA",
"DHE-DSS-AES256-SHA",
"DHE-DSS-AES256-SHA256",
"DHE-DSS-CAMELLIA128-SHA",
"DHE-DSS-CAMELLIA256-SHA"
],
"namedGroups": [],
"signatureAlgorithms": []
},
"AES": {
"class": "Cipher_Rule",
"cipherSuites": [
"AES"
],
"namedGroups": [],
"signatureAlgorithms": []
},
"ADH": {
"class": "Cipher_Rule",
"cipherSuites": [
"ADH"
],
"namedGroups": [],
"signatureAlgorithms": []
},
"DEFAULT": {
"class": "Cipher_Rule",
"cipherSuites": [
"DEFAULT"
],
"namedGroups": [],
"signatureAlgorithms": []
},
"DES": {
"class": "Cipher_Rule",
"cipherSuites": [
"DES"
],
"namedGroups": [],
"signatureAlgorithms": []
},
"DTLSv1": {
"class": "Cipher_Rule",
"cipherSuites": [
"DTLSv1"
],
"namedGroups": [],
"signatureAlgorithms": []
},
"HIGH": {
"class": "Cipher_Rule",
"cipherSuites": [
"HIGH"
],
"namedGroups": [],
"signatureAlgorithms": []
},
"RC4": {
"class": "Cipher_Rule",
"cipherSuites": [
"RC4"
],
"namedGroups": [],
"signatureAlgorithms": []
},
"SSLv3": {
"class": "Cipher_Rule",
"cipherSuites": [
"SSLv3"
],
"namedGroups": [],
"signatureAlgorithms": []
},
"threeDES": {
"class": "Cipher_Rule",
"cipherSuites": [
"3DES"
],
"namedGroups": [],
"signatureAlgorithms": []
},
"TLSv1_1": {
"class": "Cipher_Rule",
"cipherSuites": [
"TLSv1_1"
],
"namedGroups": [],
"signatureAlgorithms": []
},
"TLSv1_2": {
"class": "Cipher_Rule",
"cipherSuites": [
"TLSv1_2"
],
"namedGroups": [],
"signatureAlgorithms": []
},
"TLSv1": {
"class": "Cipher_Rule",
"cipherSuites": [
"TLSv1"
],
"namedGroups": [],
"signatureAlgorithms": []
}
}
}
}
}
- Observe the following error response:
{"results":[{"code":422,"message":"declaration failed","response":"01071b84:3: Cipher group (/Common/Shared/csg-old-default-serverssl-ciphers): the allow list cannot be empty.","host":"localhost","tenant":"Common","runTime":4163},{"code":422,"message":"declaration failed","response":"01071b84:3: Cipher group (/Common/Shared/csg-old-default-serverssl-ciphers): the allow list cannot be empty.","host":"localhost","tenant":"Common","runTime":4285}],"declaration":{"Common":{"class":"Tenant","Shared":{"class":"Application","template":"shared","csg-old-default-serverssl-ciphers":{"class":"Cipher_Group","allowCipherRules":[{"use":"HIGH"}],"excludeCipherRules":[{"use":"ADH"}],"requireCipherRules":[],"order":"default"},"CBC":{"class":"Cipher_Rule","cipherSuites":["DHE-RSA-AES128-SHA256","DHE-RSA-AES256-SHA256","DHE-RSA-CAMELLIA256-SHA","ECDHE-RSA-DES-CBC3-SHA","ECDHE-RSA-AES128-SHA256","ECDHE-RSA-AES256-SHA384","AES128-SHA256","AES256-SHA256","CAMELLIA256-SHA","AES256-GCM-SHA384","ECDHE-RSA-AES128-CBC-SHA","ECDHE-RSA-AES256-CBC-SHA"],"namedGroups":[],"signatureAlgorithms":[]},"secure-but-weak":{"class":"Cipher_Rule","cipherSuites":["AES128-GCM-SHA256","AES128-SHA","AES256-SHA","CAMELLIA128-SHA","ECDHE-ECDSA-AES128-SHA","ECDHE-ECDSA-AES128-SHA256","ECDHE-ECDSA-AES256-SHA","ECDHE-ECDSA-AES256-SHA384","DHE-RSA-AES128-SHA","DHE-RSA-AES256-SHA","DHE-RSA-CAMELLIA128-SHA","DHE-DSS-AES128-SHA","DHE-DSS-AES256-SHA","DHE-DSS-AES256-SHA256","DHE-DSS-CAMELLIA128-SHA","DHE-DSS-CAMELLIA256-SHA"],"namedGroups":[],"signatureAlgorithms":[]},"AES":{"class":"Cipher_Rule","cipherSuites":["AES"],"namedGroups":[],"signatureAlgorithms":[]},"ADH":{"class":"Cipher_Rule","cipherSuites":["ADH"],"namedGroups":[],"signatureAlgorithms":[]},"DEFAULT":{"class":"Cipher_Rule","cipherSuites":["DEFAULT"],"namedGroups":[],"signatureAlgorithms":[]},"DES":{"class":"Cipher_Rule","cipherSuites":["DES"],"namedGroups":[],"signatureAlgorithms":[]},"DTLSv1":{"class":"Cipher_Rule","cipherSuites":["DTLSv1"],"namedGroups":
[],"signatureAlgorithms":[]},"HIGH":{"class":"Cipher_Rule","cipherSuites":["HIGH"],"namedGroups":[],"signatureAlgorithms":[]},"RC4":{"class":"Cipher_Rule","cipherSuites":["RC4"],"namedGroups":[],"signatureAlgorithms":[]},"SSLv3":{"class":"Cipher_Rule","cipherSuites":["SSLv3"],"namedGroups":[],"signatureAlgorithms":[]},"threeDES":{"class":"Cipher_Rule","cipherSuites":["3DES"],"namedGroups":[],"signatureAlgorithms":[]},"TLSv1_1":{"class":"Cipher_Rule","cipherSuites":["TLSv1_1"],"namedGroups":[],"signatureAlgorithms":[]},"TLSv1_2":{"class":"Cipher_Rule","cipherSuites":["TLSv1_2"],"namedGroups":[],"signatureAlgorithms":[]},"TLSv1":{"class":"Cipher_Rule","cipherSuites":["TLSv1"],"namedGroups":[],"signatureAlgorithms":[]}}},"class":"ADC","schemaVersion":"3.34.0","id":"autogen_4a8b2bd9-b655-48d9-9141-59177b00a6de","updateMode":"selective","controls":{"archiveTimestamp":"2022-10-13T15:08:30.210Z"}},"code":422}
Expected Behavior
I expect that the cipher groups and cipher rules would deploy on v13 just like they do on v15.
Actual Behavior
The JSON payload doesn't deploy the cipher rules or groups onto the device; the error says the cipher group's allow list cannot be empty, even though the declaration sets allowCipherRules for that group to the HIGH rule. Here's a log of what's going on with v13 vs. v15 provided by our SE.