F5Networks / k8s-bigip-ctlr

Repository for F5 Container Ingress Services for Kubernetes & OpenShift.
Apache License 2.0

RFE: Improve SSL/TLS handling using embedded (spec) certificates and SSL/TLS profiles #3269

Closed alonsocamaro closed 4 months ago

alonsocamaro commented 8 months ago

Title

RFE: Improve SSL/TLS handling using embedded (spec) certificates and SSL/TLS profiles

Description

Note: this is a customer found issue while testing Next Gen Routes

At present, when using embedded certs, if a single Route fails to include its certificate, all Routes get their embedded certificate replaced with the defaultTLS certificate, breaking the configuration.

At present, it is also not possible to mix annotations and embedded (spec) certs in the same router group.

Actual Problem

This behaviour can cause a general outage by a Route affecting the configuration of other Routes.

Solution Proposed

Request the required functionality from AS3 and implement defaultTLS on a per-Route basis.

In addition to avoiding this issue, this AS3 functionality would also allow mixing annotated certificates and embedded certificates.

Overall, this AS3 functionality would allow CIS to impose fewer restrictions on customers, and the current non-trivial SSL profile precedence would be very clear.

alonsocamaro commented 8 months ago

As a side note, when not using defaultTLS to avoid this issue and one of the Routes is missing the embedded certificate, it gets one of the certificates of one of the other Routes applied. I believe the right behaviour would be to not Admit the Route without certificates.
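A pre-admission check for the two situations described in this issue, added here as an example that is not CIS code and not the issue author's: it flags edge/reencrypt Routes that carry no embedded certificate (the Routes the comment above proposes rejecting rather than letting them inherit defaultTLS or a sibling Route's certificate) and route groups that mix annotation-referenced BIG-IP profiles with embedded certificates. The `virtual-server.f5.com/clientssl` and `/serverssl` annotation keys and the treatment of a namespace as one route group are assumptions; the Route manifests and PEM bodies are constructed.

```python
from collections import defaultdict
# Route annotations CIS uses to reference BIG-IP SSL profiles (assumed keys).
PROFILE_ANNOTATIONS = ("virtual-server.f5.com/clientssl",
                       "virtual-server.f5.com/serverssl")

def uses_embedded_cert(route):
    """True when spec.tls carries both a certificate and its key."""
    tls = route.get("spec", {}).get("tls") or {}
    return bool(tls.get("certificate")) and bool(tls.get("key"))

def uses_profile_annotation(route):
    ann = route.get("metadata", {}).get("annotations") or {}
    return any(k in ann for k in PROFILE_ANNOTATIONS)

def find_missing_certs(routes):
    """Names of edge/reencrypt Routes that carry neither an embedded cert nor a
    profile annotation: the Routes the issue says should not be admitted."""
    return sorted(r["metadata"]["name"] for r in routes
                  if (r["spec"].get("tls") or {}).get("termination") in ("edge", "reencrypt")
                  and not uses_embedded_cert(r)
                  and not uses_profile_annotation(r))

def find_mixed_groups(routes):
    """Namespaces (route groups) that mix annotated and embedded certificates."""
    counts = defaultdict(lambda: {"embedded": 0, "annotated": 0})
    for r in routes:
        c = counts[r["metadata"]["namespace"]]
        c["embedded"] += uses_embedded_cert(r)
        c["annotated"] += uses_profile_annotation(r)
    return sorted(ns for ns, c in counts.items() if c["embedded"] and c["annotated"])

def make_route(name, ns, termination, cert=False, annotations=None):
    """Build a minimal Route manifest; the PEM bodies are constructed placeholders."""
    tls = {"termination": termination}
    if cert:
        tls.update(certificate="-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n",
                   key="-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n")
    return {"metadata": {"name": name, "namespace": ns, "annotations": annotations or {}},
            "spec": {"tls": tls}}

# Constructed sample: "api" forgot its embedded cert; "blog" mixes annotation and embedded.
SAMPLE_ROUTES = [
    make_route("web", "shop", "edge", cert=True),
    make_route("api", "shop", "edge"),
    make_route("admin", "shop", "passthrough"),
    make_route("posts", "blog", "reencrypt", cert=True),
    make_route("feed", "blog", "edge",
               annotations={"virtual-server.f5.com/clientssl": "/Common/clientssl"}),
]
```

Running `find_missing_certs(SAMPLE_ROUTES)` returns `['api']` and `find_mixed_groups(SAMPLE_ROUTES)` returns `['blog']`; a passthrough Route is never reported, since it terminates no TLS on the BIG-IP.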

trinaths commented 8 months ago

Created [CONTCNTR-4550] for internal tracking.

trinaths commented 4 months ago

There is a limitation in AS3 which doesn't allow a bigIP reference and certificates to be defined in combination for any specific TLS profile (server/client).