erjac77 / ansible-module-f5bigip

Ansible module for F5 BIG-IP
Apache License 2.0

Unable to create client-ssl profile with multiple options #140

Closed roskens closed 6 years ago

roskens commented 6 years ago

Can't create a client-ssl profile with multiple options.

- name: "Create TLS standard clientssl profile"
  f5bigip_ltm_profile_client_ssl:
      f5_hostname: "{{ environment[0].F5_SERVER }}"
      f5_port: "{{ environment[0].F5_SERVER_PORT }}"
      f5_username: "{{ environment[0].F5_USER }}"
      f5_password: "{{ environment[0].F5_PASSWORD }}"

      defaults_from: "/Common/clientssl"
      name: "clientssl-tls-standard"
      partition: "{{ partition }}"
      ciphers: "NATIVE:!MD5:!EXPORT:!DES:!DHE:!EDH:!RC4:!ADH:!SSLv2:!SSLv3:@SPEED"
      options:
        - dont_insert_empty_fragments
        - single_dh_use
        - no_sslv2
        - no_sslv3
        - no_tlsv1
        - no_tlsv1_1

This gives an error:

TASK [Create TLS standard clientssl profile] ****************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "value of options must be one of: all_bugfixes,cipher_server_preference,dont_insert_empty_fragments,ephemeral_rsa,microsoft_big_sslv3_buffer,microsoft_sess_id_bug,msie_sslv2_rsa_padding,netscape_ca_dn_bug,netscape_challenge_bug,netscape_demo_cipher_change_bug,netscape_reuse_cipher_change_bug,no_session_resumption_on_renegotiation,no_ssl,no_sslv2,no_sslv3,no_tls,no_tlsv1,no_tlsv1_1,no_tlsv1_2,no_dtls,passive_close, none, pkcs1_check_1,pkcs1_check_2, single_dh_use,ssleay_080_client_dh_bug,sslref2_reuse_cert_type_bug,tls_d5_bug,tls_rollback_bug, got: ['dont_insert_empty_fragments', 'single_dh_use', 'no_sslv2', 'no_sslv3', 'no_tlsv1', 'no_tlsv1_1']"}

erjac77 commented 6 years ago

OK, I'll look into it.

Can you tell me the version of your BIG-IP please?

Thanks for reporting.

erjac77 commented 6 years ago

@roskens I've just pushed a fix. Can you give it a try and let me know if it works as expected?

Take note that the options parameter is now named 'tm_options'. Also, the options should contain dashes, not underscores.

- name: "Create TLS standard clientssl profile"
  f5bigip_ltm_profile_client_ssl:
    f5_hostname: "{{ environment[0].F5_SERVER }}"
    f5_port: "{{ environment[0].F5_SERVER_PORT }}"
    f5_username: "{{ environment[0].F5_USER }}"
    f5_password: "{{ environment[0].F5_PASSWORD }}"
    defaults_from: "/Common/clientssl"
    name: "clientssl-tls-standard"
    partition: "{{ partition }}"
    ciphers: "NATIVE:!MD5:!EXPORT:!DES:!DHE:!EDH:!RC4:!ADH:!SSLv2:!SSLv3:@SPEED"
    tm_options:
      - dont-insert-empty-fragments
      - single-dh-use
      - no-sslv2
      - no-sslv3
      - no-tlsv1
      - no-tlsv1-1

roskens commented 6 years ago

Thanks! It's working.

The last one is no-tlsv1.1 too.

erjac77 commented 6 years ago

Ok, I'll change the documentation.

Thanks again for reporting.
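
The rename discussed in this thread (underscore-style `options` values becoming dash-style `tm_options` values, with the TLS 1.1 flag spelled `no-tlsv1.1`) can be applied to existing playbooks with a small helper. This is an added example, not code from the module or from either participant; the function names are hypothetical, and the dotted form of `no-tlsv1.2` is an assumption extended from the `no-tlsv1.1` correction above.

```python
"""Convert old underscore-style `options` values to dash-style `tm_options`."""

# Choice names copied from the error message in this thread (underscore form).
OLD_CHOICES = frozenset("""
all_bugfixes cipher_server_preference dont_insert_empty_fragments ephemeral_rsa
microsoft_big_sslv3_buffer microsoft_sess_id_bug msie_sslv2_rsa_padding
netscape_ca_dn_bug netscape_challenge_bug netscape_demo_cipher_change_bug
netscape_reuse_cipher_change_bug no_session_resumption_on_renegotiation no_ssl
no_sslv2 no_sslv3 no_tls no_tlsv1 no_tlsv1_1 no_tlsv1_2 no_dtls passive_close
none pkcs1_check_1 pkcs1_check_2 single_dh_use ssleay_080_client_dh_bug
sslref2_reuse_cert_type_bug tls_d5_bug tls_rollback_bug
""".split())

# The thread confirms no_tlsv1_1 -> no-tlsv1.1; no_tlsv1_2 is ASSUMED to follow
# the same dotted pattern. All other names are assumed to swap "_" for "-".
DOTTED = {"no_tlsv1_1": "no-tlsv1.1", "no_tlsv1_2": "no-tlsv1.2"}

# Legacy-protocol disables used by the profile in this thread.
LEGACY_DISABLES = ("no-sslv2", "no-sslv3", "no-tlsv1", "no-tlsv1.1")


def to_tm_option(name):
    """Return the dash-style name for one option, or raise ValueError."""
    # Normalise every spelling (dashes, dots, underscores) to the old key form.
    key = name.strip().lower().replace("-", "_").replace(".", "_")
    if key not in OLD_CHOICES:
        raise ValueError("unknown client-ssl option: %r" % name)
    return DOTTED.get(key, key.replace("_", "-"))


def migrate_options(options):
    """Accept a string or a list; return an ordered, de-duplicated list."""
    if isinstance(options, str):
        options = [options]
    result = []
    for opt in options:
        new = to_tm_option(opt)
        if new not in result:
            result.append(new)
    return result


def missing_protocol_disables(tm_options, required=LEGACY_DISABLES):
    """List the legacy-protocol disables that are absent from tm_options."""
    return [flag for flag in required if flag not in tm_options]
```

Running `missing_protocol_disables` on the migrated list before applying a playbook flags a profile that would silently leave SSLv3, TLS 1.0 or TLS 1.1 enabled because of a misspelled option.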