
AS3 is ignoring SNIdefault flag

Open kyleklabunde opened this issue 8 months ago • 2 comments

Environment

  • Application Services Version: 3.54.0
  • BIG-IP Version: 17.1.2.1

Summary

AS3 ignores the flag when set to "sniDefault": false and marks everything as "sniDefault": true, which then fails to deploy because AS3 assumes all are the default DNS. However, if you put it all in one SSL profile, things deploy. But you end up with multiple SSL profiles with the same name with -1, -2, -3, etc. appended.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Submit the following declaration:
~~~~snip~~~~
    "cert2.kyle.com-cert": {
        "class": "Certificate",
        "certificate": {
            "bigip": "/Common/cert2.kyle.com.crt"
        },
        "chainCA": {
            "bigip": "/Common/cert2.kyle.com.crt"
        },
        "privateKey": {
            "bigip": "/Common/cert2.kyle.com.key"
        }
    },
    "cert2.kyle.com-SNI_clientssl": {
        "certificates": [
            {
                "certificate": "cert2.kyle.com-cert",
                "matchToSNI": "cert2.kyle.com",
                "sniDefault": false
            }
        ],
        "requireSNI": false,
        "ciphers": "ECDHE+AES-GCM:ECDHE+AES",
        "class": "TLS_Server",
        "tls1_0Enabled": false,
        "tls1_1Enabled": false,
        "tls1_2Enabled": true,
        "tls1_3Enabled": false,
        "dtls1_2Enabled": false,
        "dtlsEnabled": false,
        "ssl3Enabled": false,
        "sslEnabled": false,
        "singleUseDhEnabled": false,
        "insertEmptyFragmentsEnabled": false
    },
    "cert1.kyle.com-cert": {
        "class": "Certificate",
        "certificate": {
            "bigip": "/Common/cert1.kyle.com.crt"
        },
        "chainCA": {
            "bigip": "/Common/cert1.kyle.com.crt"
        },
        "privateKey": {
            "bigip": "/Common/cert1.kyle.com.key"
        }
    },
    "cert1.kyle.com-SNI_clientssl": {
        "alertTimeout": "indefinite",
        "cacheTimeout": 3600,
        "certificates": [
            {
                "certificate": "cert1.kyle.com-cert",
                "matchToSNI": "cert1.kyle.com",
                "sniDefault": false
            }
        ],
        "ciphers": "ECDHE+AES-GCM:ECDHE+AES",
        "staplerOCSPEnabled": false,
        "renegotiationEnabled": true,
        "requireSNI": false,
        "class": "TLS_Server",
        "tls1_0Enabled": false,
        "tls1_1Enabled": false,
        "tls1_2Enabled": true,
        "tls1_3Enabled": false,
        "dtls1_2Enabled": false,
        "dtlsEnabled": false,
        "ssl3Enabled": false,
        "sslEnabled": false,
        "singleUseDhEnabled": false,
        "insertEmptyFragmentsEnabled": false
    }
  2. Observe the following error response:
    {
        "id": "328d855f-8adb-4b80-ac33-74f0f36b2ca8",
        "results": [
            {
                "code": 422,
                "message": "declaration failed",
                "response": "01071809:3: Virtual Server /iam_login.kyle.com-datacenter/Shared/iam_login.kyle.com_443_vs has more than one clientssl/serverssl profile that is default for SNI.",
                "host": "localhost",
                "tenant": "iam_login.kyle.com-datacenter",
                "runTime": 811,
                "declarationId": "urn:uuid:bc659468-c2ec-4970-8a41-eed5d17814fc"
            }
        ],
        "declaration": {
            "class": "ADC",
            "schemaVersion": "3.54.0",
            "id": "urn:uuid:bc659468-c2ec-4970-8a41-eed5d17814fc",
            "controls": {
                "class": "Controls",
                "userAgent": "vscode-f5/3.17.0",
                "archiveTimestamp": "2025-03-16T18:41:44.950Z"
            },
            "updateMode": "selective"
        },
        "selfLink": "https://localhost/mgmt/shared/appsvcs/task/328d855f-8adb-4b80-ac33-74f0f36b2ca8"
    }

Expected Behavior

The expected behavior is that all are pushed through with their own SSL Profile and that the defaultSNI flag is acknowledged instead of ignored.

Actual Behavior

What happens is that the flag gets ignored and AS3 thinks all of the SSL profiles are default SNI instead of the one set to true. The declaration will push out if you put all the certs into 1 SSL Profile, but then you end up with the same label for all of them with -1, -2, -3, etc. appended. That makes it difficult if you are reviewing items on which SSL profile is for which FQDN.

kyleklabunde, Mar 16 '25 18:03
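The 01071809 error quoted in the report is the BIG-IP rejecting a virtual server that ends up with more than one clientssl profile marked as the SNI default. The check below is an added example, not code from the issue or from the f5-appsvcs-extension project: it walks a declaration before it is posted, resolves the TLS_Server profiles each Service_* object references through serverTLS, and reports how many of those profiles carry a certificate with "sniDefault": true. The sample declaration is constructed for this example; its two TLS_Server objects mirror the snippet in the report, and the Service_HTTPS object, its virtual address and the shape of serverTLS (a list of {"use": name} objects) are assumptions, with the tenant, application and virtual-server names taken from the error message.

```python
"""Pre-flight check for the SNI-default invariant in an AS3 declaration.

A virtual server may carry several clientssl profiles, but at most one of them
may be the SNI default; otherwise BIG-IP rejects the configuration with the
01071809 error seen in the issue. Running this check on a declaration before
posting it makes the resulting profile/default layout visible up front.
"""
import copy
import json

# Constructed sample declaration (assumption, not the issue's full declaration).
# Names of the tenant, application and virtual server come from the error
# message; the Service_HTTPS object itself and its serverTLS list are assumed.
SAMPLE_DECLARATION = {
    "class": "ADC",
    "schemaVersion": "3.54.0",
    "iam_login.kyle.com-datacenter": {
        "class": "Tenant",
        "Shared": {
            "class": "Application",
            "template": "shared",
            "iam_login.kyle.com_443_vs": {
                "class": "Service_HTTPS",
                "virtualAddresses": ["192.0.2.10"],  # constructed (TEST-NET-1)
                "serverTLS": [
                    {"use": "cert1.kyle.com-SNI_clientssl"},
                    {"use": "cert2.kyle.com-SNI_clientssl"},
                ],
            },
            "cert1.kyle.com-SNI_clientssl": {
                "class": "TLS_Server",
                "certificates": [
                    {"certificate": "cert1.kyle.com-cert",
                     "matchToSNI": "cert1.kyle.com", "sniDefault": False}
                ],
            },
            "cert2.kyle.com-SNI_clientssl": {
                "class": "TLS_Server",
                "certificates": [
                    {"certificate": "cert2.kyle.com-cert",
                     "matchToSNI": "cert2.kyle.com", "sniDefault": False}
                ],
            },
        },
    },
}


def sni_default_count(profile):
    """Number of certificates in one TLS_Server marked as the SNI default."""
    return sum(1 for c in profile.get("certificates", []) if c.get("sniDefault") is True)


def _resolve_profile(app, ref):
    """Map one serverTLS entry to (name, TLS_Server object or None).

    Assumption: an entry is a bare name, a {"use": name-or-path} object, or a
    {"bigip": path} object. A bigip reference points at a pre-existing profile
    that this declaration does not describe, so it cannot be inspected here.
    """
    if isinstance(ref, str):
        name = ref
    elif "use" in ref:
        name = ref["use"]
    elif "bigip" in ref:
        return ref["bigip"], None
    else:
        return repr(ref), None
    prof = app.get(name.rsplit("/", 1)[-1])  # accept "/tenant/app/name" or "name"
    if isinstance(prof, dict) and prof.get("class") == "TLS_Server":
        return name, prof
    return name, None


def check_sni_defaults(declaration):
    """Return {service_path: {profiles, sni_defaults, unresolved, would_fail}}.

    would_fail is True when more than one attached profile is marked as the
    SNI default, which is the condition the 01071809 error reports.
    """
    report = {}
    for tenant_name, tenant in declaration.items():
        if not (isinstance(tenant, dict) and tenant.get("class") == "Tenant"):
            continue
        for app_name, app in tenant.items():
            if not (isinstance(app, dict) and app.get("class") == "Application"):
                continue
            for svc_name, svc in app.items():
                if not (isinstance(svc, dict) and str(svc.get("class", "")).startswith("Service_")):
                    continue
                refs = svc.get("serverTLS")
                if refs is None:
                    continue
                refs = [refs] if isinstance(refs, str) else refs
                entry = {"profiles": [], "sni_defaults": [], "unresolved": []}
                for ref in refs:
                    name, prof = _resolve_profile(app, ref)
                    entry["profiles"].append(name)
                    if prof is None:
                        entry["unresolved"].append(name)
                    elif sni_default_count(prof) > 0:
                        entry["sni_defaults"].append(name)
                entry["would_fail"] = len(entry["sni_defaults"]) > 1
                report[f"/{tenant_name}/{app_name}/{svc_name}"] = entry
    return report


def with_all_sni_default(declaration, value=True):
    """Copy of the declaration with every TLS_Server certificate's sniDefault set.

    Used here to model the layout the reporter describes (every profile treated
    as the SNI default) and show that the check flags it before deployment.
    """
    decl = copy.deepcopy(declaration)
    for tenant in decl.values():
        if not (isinstance(tenant, dict) and tenant.get("class") == "Tenant"):
            continue
        for app in tenant.values():
            if not (isinstance(app, dict) and app.get("class") == "Application"):
                continue
            for obj in app.values():
                if isinstance(obj, dict) and obj.get("class") == "TLS_Server":
                    for cert in obj.get("certificates", []):
                        cert["sniDefault"] = value
    return decl


if __name__ == "__main__":
    print(json.dumps(check_sni_defaults(SAMPLE_DECLARATION), indent=2))
    print(json.dumps(check_sni_defaults(with_all_sni_default(SAMPLE_DECLARATION)), indent=2))
```

On the sample as written (both profiles with "sniDefault": false) the report lists no SNI-default profile for the virtual server; on the copy where every certificate is marked default it sets would_fail, the same layout the BIG-IP rejects in the report. The check inspects only what the declaration says, so it will not reproduce AS3 overriding the flag on the box; it is useful for confirming that the declaration you are about to post expresses the intent of exactly one default per virtual server.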