search

f5devcentral / f5-automation-config-converter

Convert BIG-IP configs to AS3 and DO declarations
https://clouddocs.f5.com/products/extensions/f5-automation-config-converter/latest/
Apache License 2.0
35 stars 13 forks source link

Serverssl/trustCA/use: contains path to non-existent object none #64

Closed rjouhann closed 3 years ago

rjouhann commented 3 years ago

Environment

Summary

When I try to convert the following server-ssl profile to AS3 using ACC and deploy that AS3 declaration to a BIG-IP, I am getting the following error message:

Deployment stage 'Deploy AS3 declaration' failed with the exception: iControl REST error: code: 422, message: declaration is invalid, errors: ['/demo_t1/application_1/serverssl/trustCA/use: contains path to non-existent object none']

After manually removing ca-file none from the source big-ip.conf, things work fine.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Convert following config:

    ltm profile server-ssl /demo_t1/application_1/serverssl {
alert-timeout 10
app-service none
authenticate once
authenticate-depth 9
authenticate-name none
bypass-on-client-cert-fail disabled
bypass-on-handshake-alert disabled
c3d-ca-cert none
c3d-ca-key none
c3d-cert-extension-custom-oids none
c3d-cert-extension-includes { basic-constraints extended-key-usage key-usage subject-alternative-name }
c3d-cert-lifespan 24
ca-file none
cache-size 262144
cache-timeout 3600
cert none
chain none
cipher-group none
ciphers ECDHE+AES:ECDHE+3DES:RSA+3DES:!NONE:!SSLv3:!MD5:!EXPORT:!RC4
crl-file none
generic-alert enabled
handshake-timeout 10
key none
max-active-handshakes indefinite
mod-ssl-methods disabled
mode enabled
ocsp none
options { dont-insert-empty-fragments }
passphrase none
peer-cert-mode ignore
proxy-ssl disabled
proxy-ssl-passthrough disabled
renegotiate-period indefinite
renegotiate-size indefinite
renegotiation disabled
retain-certificate true
secure-renegotiation require-strict
server-name none
session-mirroring disabled
session-ticket disabled
sni-default false
sni-require false
ssl-c3d disabled
ssl-forward-proxy disabled
ssl-forward-proxy-bypass disabled
ssl-sign-hash any
strict-resume disabled
unclean-shutdown enabled
}

  2. ACC convert this serverssl profile as:

    "serverssl": {
"alertTimeout": 10,
"trustCA": {
    "use": "none"
},
"ciphers": "ECDHE+AES:ECDHE+3DES:RSA+3DES:!NONE:!SSLv3:!MD5:!EXPORT:!RC4",
"renegotiationEnabled": false,
"class": "TLS_Client"
}

  3. Observe the following error message when deploying the declaration to BIG-IP

    Error: code: 422, message: declaration is invalid, errors: ['/demo_t1/application_1/serverssl/trustCA/use: contains path to non-existent object none']

Expected Behavior

ACC should not produce a AS3 declaration with "use": "none".

Actual Behavior

ACC produces an AS3 declaration that cannot be deployed on the BIG-IP.

mdditt2000 commented 3 years ago

CHARON-493 Jira created! remove TLS_Client.trustCA if value is "none"

mdditt2000 commented 3 years ago

Issue solved CHARON-493 - Merged