f5devcentral / f5-automation-config-converter

Convert BIG-IP configs to AS3 and DO declarations
https://clouddocs.f5.com/products/extensions/f5-automation-config-converter/latest/
Apache License 2.0

Serverssl/trustCA/use: contains path to non-existent object none #64

Closed rjouhann closed 3 years ago

rjouhann commented 3 years ago

Environment

Summary

When I try to convert the following server-ssl profile to AS3 using ACC and deploy that AS3 declaration to a BIG-IP, I am getting the following error message:

Deployment stage 'Deploy AS3 declaration' failed with the exception: iControl REST error: code: 422, message: declaration is invalid, errors: ['/demo_t1/application_1/serverssl/trustCA/use: contains path to non-existent object none']

After manually removing ca-file none from the source big-ip.conf, things work fine.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Convert the following config:

    ltm profile server-ssl /demo_t1/application_1/serverssl {
        alert-timeout 10
        app-service none
        authenticate once
        authenticate-depth 9
        authenticate-name none
        bypass-on-client-cert-fail disabled
        bypass-on-handshake-alert disabled
        c3d-ca-cert none
        c3d-ca-key none
        c3d-cert-extension-custom-oids none
        c3d-cert-extension-includes { basic-constraints extended-key-usage key-usage subject-alternative-name }
        c3d-cert-lifespan 24
        ca-file none
        cache-size 262144
        cache-timeout 3600
        cert none
        chain none
        cipher-group none
        ciphers ECDHE+AES:ECDHE+3DES:RSA+3DES:!NONE:!SSLv3:!MD5:!EXPORT:!RC4
        crl-file none
        generic-alert enabled
        handshake-timeout 10
        key none
        max-active-handshakes indefinite
        mod-ssl-methods disabled
        mode enabled
        ocsp none
        options { dont-insert-empty-fragments }
        passphrase none
        peer-cert-mode ignore
        proxy-ssl disabled
        proxy-ssl-passthrough disabled
        renegotiate-period indefinite
        renegotiate-size indefinite
        renegotiation disabled
        retain-certificate true
        secure-renegotiation require-strict
        server-name none
        session-mirroring disabled
        session-ticket disabled
        sni-default false
        sni-require false
        ssl-c3d disabled
        ssl-forward-proxy disabled
        ssl-forward-proxy-bypass disabled
        ssl-sign-hash any
        strict-resume disabled
        unclean-shutdown enabled
    }
  2. ACC converts this serverssl profile as:

    "serverssl": {
        "alertTimeout": 10,
        "trustCA": {
            "use": "none"
        },
        "ciphers": "ECDHE+AES:ECDHE+3DES:RSA+3DES:!NONE:!SSLv3:!MD5:!EXPORT:!RC4",
        "renegotiationEnabled": false,
        "class": "TLS_Client"
    }
  3. Observe the following error message when deploying the declaration to BIG-IP:

    Error: code: 422, message: declaration is invalid, errors: ['/demo_t1/application_1/serverssl/trustCA/use: contains path to non-existent object none']

Expected Behavior

ACC should not produce an AS3 declaration with "use": "none".

Actual Behavior

ACC produces an AS3 declaration that cannot be deployed on the BIG-IP.

mdditt2000 commented 3 years ago

CHARON-493 Jira created! remove TLS_Client.trustCA if value is "none"

mdditt2000 commented 3 years ago

Issue solved CHARON-493 - Merged
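
The behaviour the thread settles on (drop TLS_Client.trustCA when its value is "none"), as an added example that is not part of the issue thread and is not ACC's own code. It post-processes a converted declaration before deployment; the helper names, the ADC/Tenant/Application wrapper and the schemaVersion are assumptions, and the sample is constructed from the snippet in the issue.

```javascript
'use strict';

// Constructed sample: the TLS_Client object from the issue, placed under the
// tenant/application named in the error path. The ADC wrapper is an assumption.
const sampleDeclaration = {
    class: 'ADC',
    schemaVersion: '3.0.0',
    demo_t1: {
        class: 'Tenant',
        application_1: {
            class: 'Application',
            serverssl: {
                alertTimeout: 10,
                trustCA: { use: 'none' },
                ciphers: 'ECDHE+AES:ECDHE+3DES:RSA+3DES:!NONE:!SSLv3:!MD5:!EXPORT:!RC4',
                renegotiationEnabled: false,
                class: 'TLS_Client'
            }
        }
    }
};

// Hypothetical helper: walks the declaration, deletes trustCA from every
// TLS_Client whose pointer is the literal "none" (carried over from
// "ca-file none"), and returns the JSON paths it changed.
function stripNoneTrustCA(node, path = '', removed = []) {
    if (node === null || typeof node !== 'object') return removed;
    if (!Array.isArray(node) && node.class === 'TLS_Client'
        && node.trustCA && typeof node.trustCA === 'object'
        && node.trustCA.use === 'none') {
        delete node.trustCA;
        removed.push(`${path}/trustCA`);
    }
    for (const [key, value] of Object.entries(node)) {
        stripNoneTrustCA(value, `${path}/${key}`, removed);
    }
    return removed;
}

// Work on a copy so the converter output stays available for comparison.
function cleanDeclaration(declaration) {
    const copy = JSON.parse(JSON.stringify(declaration));
    const removed = stripNoneTrustCA(copy);
    return { declaration: copy, removed };
}

const result = cleanDeclaration(sampleDeclaration);
console.log(JSON.stringify(result.removed));
```

Review the returned paths before deploying, so that any profile that silently lost a trustCA reference is one you expected to have no CA file configured.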