F5Networks / f5-appsvcs-extension

F5 BIG-IP Application Services 3 Extension
Apache License 2.0

AS3 declarations can become incorrect and fail to function after an upgrade if a feature was deprecated #748

Closed nwehrman closed 1 year ago

nwehrman commented 1 year ago

Environment

Summary

In this scenario SSLv2 was deprecated in v14+. So if you upgrade from v13.x to 14.x+ and then run a GET to the /declare endpoint to pull the declaration, it will contain whatever was posted in v13, even if those objects are no longer configured on the device or valid. I'm using SSLv2 as an example, but it's not uncommon for features to become deprecated on upgrade, and AS3 should clean things up so that the declaration matches the device configuration.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Submit the following declaration on version 13.X

    {
      "class": "AS3",
      "action": "deploy",
      "persist": true,
      "trace": true,
      "traceResponse": true,
      "id": "InitialDeclare",
      "declaration": {
        "class": "ADC",
        "schemaVersion": "3.0.0",
        "label": "AS3 Declaration",
        "id": "autogen_56af37fe-ca5e-483c-abab-02778266044d",
        "Common": {
          "class": "Tenant",
          "Shared": {
            "class": "Application",
            "template": "shared",
            "NEW_CIPHER_RULE": {
              "class": "Cipher_Rule",
              "cipherSuites": [
                "!TLSv1_1",
                "!TLSv1_2",
                "ECDHE-RSA-AES256-GCM-SHA384",
                "!ADH",
                "!LOW",
                "!DES",
                "!SSLv2",
                "!MD5",
                "!EXP",
                "!DH"
              ],
              "label": "Desjardins N3 Server Cipher Rule"
            }
          }
        }
      }
    }
  2. Run tmsh save sys config

  3. Upgrade the device to 14.X or newer

  4. Run GET to /declare endpoint

  5. Observe that !SSLv2 still exists

  6. However, !SSLv2 will NOT exist within the configuration or bigip.conf file

  7. Attempts to POST this configuration again will fail because SSLv2 isn't valid in v14.X or newer (ID 811333 cleans it up because it was removed)

Expected Behavior

AS3 declarations should function on the version they were requested from. Upgrading the configuration on the device shouldn't invalidate declarations without correcting them.

Actual Behavior

Attempts to re-use the declaration attained from the device will fail.

nwehrman commented 1 year ago

Something to note: we do update declarations already. In this same example, after upgrading to a newer version, when you run a GET to pull down the declaration it adds "tls1_3Enabled": false (the default on newer versions that support it). However, we don't seem to remove the deprecated SSLv2 feature.
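As an added example (not code from this issue or from the AS3 project), a Python helper that does on the client side what the report asks AS3 to do after an upgrade: walk a declaration retrieved from GET /declare, report every Cipher_Rule cipherSuites entry that the target BIG-IP version no longer accepts, and return a copy with those entries removed so the declaration can be re-POSTed. The version-to-keyword table is an assumption for illustration, seeded only with the SSLv2 case from this thread, and the sample declaration is a constructed, trimmed version of the one posted above.

```python
import json

# Assumption for illustration, not an official F5 table: cipher-suite keywords
# that stop being valid at a given BIG-IP major version. SSLv2, removed in
# 14.x, is the case reported in this issue.
REMOVED_CIPHER_KEYWORDS = {14: {"SSLV2"}}


def removed_for(target_major):
    """Keywords that target_major and every later version no longer accept."""
    return {k for since, keys in REMOVED_CIPHER_KEYWORDS.items()
            if target_major >= since for k in keys}


def _keyword(entry):
    # Drop the OpenSSL-style prefix (!, -, +) and ignore case, so "!SSLv2",
    # "-SSLv2" and the "!SSlv2" spelling seen in the posted declaration all match.
    return entry.lstrip("!-+").upper()


def scrub_declaration(declaration, target_major):
    """Return (cleaned_copy, findings): findings is a list of (json_pointer, entry)
    for each Cipher_Rule cipherSuites element the target version rejects; the
    copy has them removed so a GET /declare result can be re-POSTed post-upgrade."""
    doc = json.loads(json.dumps(declaration))  # deep copy; input is not mutated
    banned = removed_for(target_major)
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            if node.get("class") == "Cipher_Rule" and isinstance(node.get("cipherSuites"), list):
                suites = node["cipherSuites"]
                findings.extend((path + "/cipherSuites", e) for e in suites if _keyword(e) in banned)
                node["cipherSuites"] = [e for e in suites if _keyword(e) not in banned]
            for key, value in node.items():
                walk(value, f"{path}/{key}")
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}/{i}")

    walk(doc, "")
    return doc, findings


# Constructed sample in the shape of the declaration from this issue (trimmed).
SAMPLE = {"class": "AS3", "action": "deploy", "declaration": {
    "class": "ADC", "schemaVersion": "3.0.0", "Common": {"class": "Tenant", "Shared": {
        "class": "Application", "template": "shared", "NEW_CIPHER_RULE": {
            "class": "Cipher_Rule",
            "cipherSuites": ["!TLSv1_1", "ECDHE-RSA-AES256-GCM-SHA384", "!SSLv2", "!MD5"]}}}}}
```

Running `scrub_declaration(SAMPLE, 14)` reports the `!SSLv2` entry under `/declaration/Common/Shared/NEW_CIPHER_RULE/cipherSuites` and returns a copy without it, while the same call with target 13 reports nothing.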

sunitharonan commented 1 year ago

Thanks @nwehrman, in order to prioritize and understand the issue better, please reach out to us at automation_toolchain_pm@f5.com

sunitharonan commented 1 year ago

We think it is not doable at this moment and are closing it. Sent more information to the customer.