f5devcentral / f5-automation-config-converter

Convert BIG-IP configs to AS3 and DO declarations
https://clouddocs.f5.com/products/extensions/f5-automation-config-converter/latest/
Apache License 2.0

Cipher group is not created if it shares the same name as the referenced cipher rule #98

Open f5-rahm opened 1 year ago

f5-rahm commented 1 year ago

Environment

Summary

The `ltm cipher group` object is not converted to an AS3 `Cipher_Group` when the cipher group and the cipher rule it references share the same name.

Steps To Reproduce

Steps to reproduce the behavior:

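  1. Convert the following config (the opening `ltm profile client-ssl <name> {` line of the profile stanza is missing from this listing; the closing brace after `options` belongs to it):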

    app-service none
    cert-key-chain {
        default {
            cert /Common/default.crt
            key /Common/default.key
        }
    }
    cipher-group /Common/TLSv1.3
    ciphers none
    defaults-from /Common/clientssl
    inherit-ca-certkeychain true
    inherit-certkeychain true
    options { dont-insert-empty-fragments }
    }
    ltm cipher group /Common/TLSv1.3 {
    allow {
        /Common/TLSv1.3 { }
    }
    }
    ltm cipher rule /Common/TLSv1.3 {
    cipher TLSv1_3
    dh-groups DEFAULT
    signature-algorithms DEFAULT
    }
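  2. Observe the resulting incorrect AS3 declaration (excerpt). Only a `Cipher_Rule` named `TLSv1.3` is emitted, and the `cipherGroup` reference in the `TLS_Server` uses that same name: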

                    "certificates": [
                        {
                            "certificate": "certificate_default"
                        }
                    ],
                    "cipherGroup": {
                        "use": "/Common/Shared/TLSv1.3"
                    },
                    "class": "TLS_Server",
                    "tls1_0Enabled": true,
                    "tls1_1Enabled": true,
                    "tls1_2Enabled": true,
                    "tls1_3Enabled": true,
                    "singleUseDhEnabled": false,
                    "insertEmptyFragmentsEnabled": false
                },
                "TLSv1.3": {
                    "cipherSuites": [
                        "TLSv1_3"
                    ],
                    "namedGroups": [
                        "DEFAULT"
                    ],
                    "signatureAlgorithms": [
                        "DEFAULT"
                    ],
                    "class": "Cipher_Rule"
                }

Expected Behavior

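An object of class `Cipher_Group` should also be created, but it is not. The `cipherGroup` reference in the `TLS_Server` (`/Common/Shared/TLSv1.3`) then matches only the `Cipher_Rule` of that name, so the cipher settings of the converted TLS profile should be verified against the original profile before the declaration is deployed. If I change the names of the cipher group and rule so that they are unique, the conversion works, as shown below.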



ltm profile client-ssl /Common/cssl.TestSuite {
    app-service none
    cert-key-chain {
        default {
            cert /Common/default.crt
            key /Common/default.key
        }
    }
    cipher-group /Common/cg_TLSv1.3
    ciphers none
    defaults-from /Common/clientssl
    inherit-ca-certkeychain true
    inherit-certkeychain true
    options { dont-insert-empty-fragments }
}
ltm cipher group /Common/cg_TLSv1.3 {
    allow {
        /Common/cr_TLSv1.3 { }
    }
}
ltm cipher rule /Common/cr_TLSv1.3 {
    cipher TLSv1_3
    dh-groups DEFAULT
    signature-algorithms DEFAULT
}

### RESULTING AS3 ###

"cssl.TestSuite": {
    "certificates": [
        {
            "certificate": "certificate_default"
        }
    ],
    "cipherGroup": {
        "use": "/Common/Shared/cg_TLSv1.3"
    },
    "class": "TLS_Server",
    "tls1_0Enabled": true,
    "tls1_1Enabled": true,
    "tls1_2Enabled": true,
    "tls1_3Enabled": true,
    "singleUseDhEnabled": false,
    "insertEmptyFragmentsEnabled": false
},
"cg_TLSv1.3": {
    "allowCipherRules": [
        {
            "use": "/Common/Shared/cr_TLSv1.3"
        }
    ],
    "class": "Cipher_Group"
},
"cr_TLSv1.3": {
    "cipherSuites": [
        "TLSv1_3"
    ],
    "namedGroups": [
        "DEFAULT"
    ],
    "signatureAlgorithms": [
        "DEFAULT"
    ],
    "class": "Cipher_Rule"
}