bigip_device_info with gather_subset: client-ssl-profiles does not report client SSL profile "option" details
COMPONENT NAME
bigip_device_info
Environment
ANSIBLE VERSION
$ ansible --version
ansible [core 2.18.6]
config file = None
configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/user/.pyenv/versions/3.13.5/envs/virtualenv-python-3.13.5/lib/python3.13/site-packages/ansible
ansible collection location = /home/user/.ansible/collections:/usr/share/ansible/collections
executable location = /home/mwadm/.pyenv/versions/virtualenv-python-3.13.5/bin/ansible
python version = 3.13.5 (main, Jul 3 2025, 10:51:45) [GCC 11.5.0 20240719 (Red Hat 11.5.0-5)] (/home/mwadm/.pyenv/versions/3.13.5/envs/virtualenv-python-3.13.5/bin/python)
jinja version = 3.1.6
libyaml = True
BIGIP VERSION
(tmos)# show sys version
Sys::Version
Main Package
Product BIG-IP
Version 17.1.2.2
Build 0.0.12
Edition Point Release 2
Date Wed Apr 2 04:30:11 PDT 2025
CONFIGURATION
N/A
OS / ENVIRONMENT
$ cat /etc/release
NAME="Red Hat Enterprise Linux"
VERSION="9.5 (Plow)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="9.5"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Red Hat Enterprise Linux 9.5 (Plow)"
ANSI_COLOR="0;31"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:redhat:enterprise_linux:9::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9"
BUG_REPORT_URL="https://issues.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 9"
REDHAT_BUGZILLA_PRODUCT_VERSION=9.5
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.5"
Red Hat Enterprise Linux release 9.5 (Plow)
Red Hat Enterprise Linux release 9.5 (Plow)
cpe:/o:redhat:enterprise_linux:9::baseos
SUMMARY
I'm using the bigip_device_info module from the f5networks.f5_modules Ansible collection to gather information about server and client ssl profiles.
The module successfully returns data for client SSL profiles, but it does not include option-level details.
However, when I query the same profile directly using iControl REST, the full details do appear, including the options information, as seen in the example below.
Sample command:
curl -sku
Sample options details included: "tmOptions":"{ dont-insert-empty-fragments no-tlsv1.1 single-dh-use no-sslv3 no-tlsv1 }"
This behavior is inconsistent with what I see for server-ssl-profiles, where the module does return details including the options.
STEPS TO REPRODUCE
The sample playbook below always demonstrates the missing options issue for the client ssl profile.
---
- name: F5 Gather profile information
  hosts: "{{ variable_host }}"
  gather_facts: false
  tasks:
    - name: Gather F5 facts
      bigip_device_info:
        gather_subset:
          - server-ssl-profiles
          - client-ssl-profiles
        partition: partition1
        provider: "{{ provider }}"
      delegate_to: localhost
      register: facts_result
    - name: Display the gathered facts
      debug:
        var: facts_result
EXPECTED RESULTS
I'm expecting the "options" details to be displayed, similar to the line below.
"options": "{ dont-insert-empty-fragments no-tlsv1.1 single-dh-use no-sslv3 no-tlsv1 }",
ACTUAL RESULTS
The playbook runs fine, but it's just missing the "options" information for the client ssl profile, although it does exist for the server ssl profile.
SAMPLE OUTPUT FRAGMENT for client ssl profile where "options" info is missing.
{
"alert_timeout": 10,
"allow_non_ssl": "no",
"authenticate_depth": 9,
"authenticate_frequency": "once",
"cache_size": 262144,
"cache_timeout": 3600,
"certificate_file": "/partition1/cert_2025",
"chain_file": "/partition1/Chain_2025",
"ciphers": "none",
"description": "none",
"forward_proxy_ca_passphrase": "****",
"forward_proxy_certificate_extension_include": [
"basic-constraints",
"subject-alternative-name"
],
"forward_proxy_certificate_lifespan": 30,
"forward_proxy_enabled": "no",
"forward_proxy_lookup_by_ipaddr_port": "no",
"full_path": "/partition1/sample_clientssl",
"handshake_timeout": 10,
"key_file": "/partition1/cert_2025",
"modssl_methods": "no",
"name": "sample_clientssl",
"parent": "/partition1/parent_clientssl",
"peer_certification_mode": "ignore",
"profile_mode_enabled": "yes",
"renegotiation": "yes",
"renegotiation_maximum_record_delay": 0,
"renegotiation_period": 0,
"retain_certificate": "yes",
"secure_renegotiation_mode": "require",
"session_ticket": "no",
"sni_default": "no",
"sni_require": "no",
"strict_resume": "no",
"unclean_shutdown": "yes"
},
SAMPLE OUTPUT FRAGMENT for server ssl profile where "options" info is present.
{
"alert_timeout": "indefinite",
"allow_expired_crl": "no",
"authenticate_depth": 9,
"authentication_frequency": "once",
"bypass_on_client_cert_fail": "no",
"bypass_on_handshake_alert": "no",
"c3d_cert_extension_includes": [
"basic-constraints",
"extended-key-usage",
"key-usage",
"subject-alternative-name"
],
"c3d_cert_lifespan": 24,
"cache_size": 262144,
"cache_timeout": 3600,
"cert": "none",
"chain": "none",
"cipher_group": "/partition1/TLS12andTLS13",
"ciphers": "none",
"expire_cert_response_control": "drop",
"full_path": "/partition1/sample_serverssl",
"generic_alert": "yes",
"handshake_timeout": "10",
"key": "none",
"max_active_handshakes": "indefinite",
"mod_ssl_methods": "no",
"mode": "yes",
"name": "sample_serverssl",
"options": "{ dont-insert-empty-fragments no-tlsv1.1 single-dh-use no-sslv3 no-tlsv1 }",
"parent": "/Common/serverssl",
"peer_cert_mode": "ignore",
"proxy_ssl": "no",
"proxy_ssl_passthrough": "no",
"renegotiate_period": "indefinite",
"renegotiate_size": "indefinite",
"renegotiation": "yes",
"retain_certificate": "yes",
"secure_renegotiation": "require-strict",
"session_mirroring": "no",
"session_ticket": "no",
"sni_default": "no",
"sni_require": "no",
"ssl_c3d": "no",
"ssl_forward_proxy_bypass": "no",
"ssl_forward_proxy_enabled": "no",
"ssl_sign_hash": "any",
"strict_resume": "no",
"unclean_shutdown": "yes",
"untrusted_cert_response_control": "drop"
},
Thank you for reaching out, I have created an internal backlog INFRAANO-2027 to add options for client SSL profile.
Hi, is there a plan yet to apply the fix so we can finally have a reliable way to compare the client ssl profile configurations before and after a change is made using gathered facts? Thanks.
Hi @aye-git-aye, it is in our backlog and waiting for it to be picked up in sprint. Please reach out to us [email protected] in order for us to understand and prioritize.
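One way to make the before/after comparison asked for in this thread robust against the missing field, as an added example (not code from the reporter or from f5networks.f5_modules): it parses the option string from either the facts key `options` or the REST key `tmOptions`, and reports a profile whose field is absent as unverifiable instead of unchanged. The `REQUIRED` set, the function names and the trimmed snapshots are assumptions made for the illustration.

```python
# Added example: diff SSL profile "options" between two fact snapshots.
# REQUIRED is an assumed policy for illustration, not an F5 recommendation.
REQUIRED = frozenset({"no-sslv3", "no-tlsv1", "no-tlsv1.1"})


def parse_options(raw):
    """Parse '{ opt-a opt-b }' into a set of tokens; None means 'not reported'."""
    if raw is None:
        return None
    return set(raw.replace("{", " ").replace("}", " ").split())


def profile_options(profile):
    """Read 'options' (module facts) or 'tmOptions' (raw iControl REST object)."""
    return parse_options(profile.get("options", profile.get("tmOptions")))


def compare(before, after, required=REQUIRED):
    """Return {full_path: finding} for profiles that changed or cannot be checked."""
    after_by_path = {p["full_path"]: p for p in after}
    findings = {}
    for prof in before:
        path = prof["full_path"]
        if path not in after_by_path:
            findings[path] = {"status": "removed"}
            continue
        old, new = profile_options(prof), profile_options(after_by_path[path])
        if old is None or new is None:
            # A missing field is not evidence of "no change": flag it explicitly.
            findings[path] = {"status": "unverifiable"}
        elif old != new or required - new:
            findings[path] = {
                "status": "changed" if old != new else "unchanged",
                "dropped": sorted(old - new),
                "added": sorted(new - old),
                "missing_required": sorted(required - new),
            }
    return findings


# Constructed snapshots, trimmed to the keys used; values modelled on the fragments above.
OPTS = "{ dont-insert-empty-fragments no-tlsv1.1 single-dh-use no-sslv3 no-tlsv1 }"
BEFORE = [{"full_path": "/partition1/sample_serverssl", "options": OPTS},
          {"full_path": "/partition1/sample_clientssl"}]  # no "options" key, as reported
AFTER = [{"full_path": "/partition1/sample_serverssl",
          "options": OPTS.replace("no-tlsv1.1 ", "")},  # constructed regression
         {"full_path": "/partition1/sample_clientssl"}]

if __name__ == "__main__":
    for path, finding in compare(BEFORE, AFTER).items():
        print(path, finding)
```

Until the module reports `options` for client SSL profiles, every client profile lands in the unverifiable bucket, which is the signal to fetch `tmOptions` over iControl REST and feed that object to the same function.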