f5devcentral / vscode-f5

Let the F5 VSCode extension supercharge your workflows with schema validation, rest client, fast templates, and so much more!!!
https://f5devcentral.github.io/vscode-f5/#/
Apache License 2.0

[RFE] Config Explorer doesn't include cipher groups with the applications #213

Open f5-rahm opened 1 year ago

f5-rahm commented 1 year ago

I was working with existing legacy config to create an AS3 version of it for some tmsh scripting work. I thought ACC was missing it, but in config explorer, the client-ssl profile reference to a cipher-group doesn't result in the cipher group and associated cipher rules appearing in the explorer view, so ACC doesn't have those objects to convert.

Source config:

ltm profile client-ssl /Common/cssl.TestSuite {
    app-service none
    cert-key-chain {
        default {
            cert /Common/default.crt
            key /Common/default.key
        }
    }
    cipher-group /Common/cg_TLSv1.3
    ciphers none
    defaults-from /Common/clientssl
    inherit-ca-certkeychain true
    inherit-certkeychain true
    options { dont-insert-empty-fragments }
}

Resulting ACC generated AS3 declaration:

                "cssl.TestSuite": {
                    "certificates": [
                        {
                            "certificate": "certificate_default"
                        }
                    ],
                    "class": "TLS_Server",
                    "tls1_0Enabled": true,
                    "tls1_1Enabled": true,
                    "tls1_2Enabled": true,
                    "tls1_3Enabled": true,
                    "singleUseDhEnabled": false,
                    "insertEmptyFragmentsEnabled": false
                },

If I add the cipher group and cipher rule to that source config:

ltm profile client-ssl /Common/cssl.TestSuite {
    app-service none
    cert-key-chain {
        default {
            cert /Common/default.crt
            key /Common/default.key
        }
    }
    cipher-group /Common/cg_TLSv1.3
    ciphers none
    defaults-from /Common/clientssl
    inherit-ca-certkeychain true
    inherit-certkeychain true
    options { dont-insert-empty-fragments }
}
ltm cipher group /Common/cg_TLSv1.3 {
    allow {
        /Common/cr_TLSv1.3 { }
    }
}
ltm cipher rule /Common/cr_TLSv1.3 {
    cipher TLSv1_3
    dh-groups DEFAULT
    signature-algorithms DEFAULT
}

Then ACC converts it as expected:

                "cssl.TestSuite": {
                    "certificates": [
                        {
                            "certificate": "certificate_default"
                        }
                    ],
                    "cipherGroup": {
                        "use": "/Common/Shared/cg_TLSv1.3"
                    },
                    "class": "TLS_Server",
                    "tls1_0Enabled": true,
                    "tls1_1Enabled": true,
                    "tls1_2Enabled": true,
                    "tls1_3Enabled": true,
                    "singleUseDhEnabled": false,
                    "insertEmptyFragmentsEnabled": false
                },
                "cg_TLSv1.3": {
                    "allowCipherRules": [
                        {
                            "use": "/Common/Shared/cr_TLSv1.3"
                        }
                    ],
                    "class": "Cipher_Group"
                },
                "cr_TLSv1.3": {
                    "cipherSuites": [
                        "TLSv1_3"
                    ],
                    "namedGroups": [
                        "DEFAULT"
                    ],
                    "signatureAlgorithms": [
                        "DEFAULT"
                    ],
                    "class": "Cipher_Rule"
                }

DumpySquare commented 1 year ago

@f5-rahm, can you provide a more complicated cipher group example or a couple of them? This is going to get a couple layers deep, so I figure I will just work through all the cases while we are at it.
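
The reference chain discussed in this issue (client-ssl profile, then cipher group, then cipher rules), as an added Node.js example that is not vscode-f5 or ACC code: it reports which referenced cipher objects are absent from an extracted config, the condition under which the converted `TLS_Server` above loses its `cipherGroup`. The function names and the simplified brace-counting parser are assumptions; the sample is trimmed from the config in the issue.

```javascript
// Added example, not vscode-f5 or ACC code. Brace counting is a simplified tmsh parser.
// Constructed sample, trimmed from the config in the issue.
const SAMPLE = `ltm profile client-ssl /Common/cssl.TestSuite {
    cipher-group /Common/cg_TLSv1.3
    ciphers none
}
ltm cipher group /Common/cg_TLSv1.3 {
    allow {
        /Common/cr_TLSv1.3 { }
    }
}
ltm cipher rule /Common/cr_TLSv1.3 {
    cipher TLSv1_3
}
`;

// Split config text into top-level objects keyed by "<type> <name>".
function parseObjects(text) {
  const objects = {};
  let depth = 0, key = null, body = [];
  for (const line of text.split(/\r?\n/)) {
    if (depth === 0) {
      const m = line.match(/^(ltm .+?) (\/\S+) \{/);
      if (m) { key = `${m[1]} ${m[2]}`; body = []; }
    } else if (key) body.push(line);
    depth += (line.match(/\{/g) || []).length - (line.match(/\}/g) || []).length;
    if (depth === 0 && key) { objects[key] = body.join("\n"); key = null; }
  }
  return objects;
}

// Follow client-ssl -> cipher group -> cipher rules; report what is present and absent.
function resolveCipherDeps(objects, profileName) {
  const found = [], missing = [];
  const profile = objects[`ltm profile client-ssl ${profileName}`] || "";
  const ref = profile.match(/^\s*cipher-group (\/\S+)/m); // "none" has no path, so no match
  if (!ref) return { found, missing };
  const groupKey = `ltm cipher group ${ref[1]}`;
  if (!(groupKey in objects)) return { found, missing: [groupKey] };
  found.push(groupKey);
  // Rules are listed inside the group's nested sections as "<path> { }".
  const ruleRe = /^\s*(\/\S+) \{/gm;
  for (let m; (m = ruleRe.exec(objects[groupKey])) !== null; ) {
    const ruleKey = `ltm cipher rule ${m[1]}`;
    (ruleKey in objects ? found : missing).push(ruleKey);
  }
  return { found, missing };
}

console.log(resolveCipherDeps(parseObjects(SAMPLE), "/Common/cssl.TestSuite"));
```

A non-empty `missing` list for a profile means the extracted application does not carry its cipher policy, so a conversion of it would fall back to whatever the target's defaults are.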