f5-automation-config-converter
Cipher group is not created if it shares the same name as the referenced cipher rule
Environment
- ACC Version: 1.19.2
- AS3 Version: 3.45.0
- BIG-IP Version: 15.1.8.1
Summary
The cipher group is not converted from the BIG-IP config to AS3 when the cipher group and the cipher rule it references share the same name.
Steps To Reproduce
Steps to reproduce the behavior:
- Convert the following config (the profile's opening `ltm profile client-ssl` line is not shown in this paste):
app-service none
cert-key-chain {
default {
cert /Common/default.crt
key /Common/default.key
}
}
cipher-group /Common/TLSv1.3
ciphers none
defaults-from /Common/clientssl
inherit-ca-certkeychain true
inherit-certkeychain true
options { dont-insert-empty-fragments }
}
ltm cipher group /Common/TLSv1.3 {
allow {
/Common/TLSv1.3 { }
}
}
ltm cipher rule /Common/TLSv1.3 {
cipher TLSv1_3
dh-groups DEFAULT
signature-algorithms DEFAULT
}
- Observe the resulting incorrect AS3 declaration (excerpt; the opening key of the TLS_Server object is not shown):
"certificates": [
{
"certificate": "certificate_default"
}
],
"cipherGroup": {
"use": "/Common/Shared/TLSv1.3"
},
"class": "TLS_Server",
"tls1_0Enabled": true,
"tls1_1Enabled": true,
"tls1_2Enabled": true,
"tls1_3Enabled": true,
"singleUseDhEnabled": false,
"insertEmptyFragmentsEnabled": false
},
"TLSv1.3": {
"cipherSuites": [
"TLSv1_3"
],
"namedGroups": [
"DEFAULT"
],
"signatureAlgorithms": [
"DEFAULT"
],
"class": "Cipher_Rule"
}
Expected Behavior
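An object of class Cipher_Group should also be created, but it is not. The only object named TLSv1.3 in the output above has class Cipher_Rule, so the TLS_Server's cipherGroup pointer (/Common/Shared/TLSv1.3) appears to resolve to a cipher rule rather than a cipher group, and the cipher group's allow list is not represented in the declaration. Both source objects would map to the same AS3 object name, which may be why one of them is dropped. If I change the names of the cipher group and rule so that they are unique, the conversion works as shown below.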
ltm profile client-ssl /Common/cssl.TestSuite {
app-service none
cert-key-chain {
default {
cert /Common/default.crt
key /Common/default.key
}
}
cipher-group /Common/cg_TLSv1.3
ciphers none
defaults-from /Common/clientssl
inherit-ca-certkeychain true
inherit-certkeychain true
options { dont-insert-empty-fragments }
}
ltm cipher group /Common/cg_TLSv1.3 {
allow {
/Common/cr_TLSv1.3 { }
}
}
ltm cipher rule /Common/cr_TLSv1.3 {
cipher TLSv1_3
dh-groups DEFAULT
signature-algorithms DEFAULT
}
### RESULTING AS3 ###
"cssl.TestSuite": {
"certificates": [
{
"certificate": "certificate_default"
}
],
"cipherGroup": {
"use": "/Common/Shared/cg_TLSv1.3"
},
"class": "TLS_Server",
"tls1_0Enabled": true,
"tls1_1Enabled": true,
"tls1_2Enabled": true,
"tls1_3Enabled": true,
"singleUseDhEnabled": false,
"insertEmptyFragmentsEnabled": false
},
"cg_TLSv1.3": {
"allowCipherRules": [
{
"use": "/Common/Shared/cr_TLSv1.3"
}
],
"class": "Cipher_Group"
},
"cr_TLSv1.3": {
"cipherSuites": [
"TLSv1_3"
],
"namedGroups": [
"DEFAULT"
],
"signatureAlgorithms": [
"DEFAULT"
],
"class": "Cipher_Rule"
}