Can't use "requireSNI" property #871
Comments
GWilczek
added
bug
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
GWilczek
added
bug
Environment
Summary
The requirement is to configure multiple SNI profiles, while default one has set "requireSNI": true. This is needed for a use case where traffic that doesn't match to SNI (server name non exist or not match) is rejected:
https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/refguide/schema-reference.html#tls-server
Steps To Reproduce
Steps to reproduce the behavior:
{ "$schema": "https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/master/schema/latest/as3-schema.json", "class": "AS3", "action": "deploy", "declaration": { "class": "ADC", "schemaVersion": "3.40.0", "controls": { "class": "Controls", "trace": true, "logLevel": "debug", "traceResponse": true }, "sni_tenant": { "class": "Tenant", "sni_app": { "class": "Application", "template": "https", "serviceMain": { "class": "Service_HTTPS", "profileHTTP": {"bigip": "/Common/http"}, "profileTCP": {"bigip": "/Common/tcp"}, "virtualAddresses": ["192.168.5.116"], "virtualPort": 18443, "redirect80": false, "maxConnections": 0, "mirroring": "none", "shareAddresses": true, "pool": "pool_1", "serverTLS": "client_ssl_profile", "clientTLS": {"bigip": "/Common/serverssl"}, "snat": "auto" }, "client_ssl_profile": { "class": "TLS_Server", "certificates": [ { "matchToSNI": "", "certificate": "snidefault" }, { "matchToSNI": "https1.example.com", "certificate": "sni1" }, { "matchToSNI": "https2.example.com", "certificate": "sni2" } ], "ciphers": "DEFAULT", "requireSNI": true }, "snidefault": { "class": "Certificate", "certificate": { "bigip": "/Common/lab" }, "privateKey": { "bigip": "/Common/lab" }, "chainCA": { "bigip": "/Common/ca-bundle.crt" } }, "sni1": { "class": "Certificate", "certificate": { "bigip": "/Common/lab" }, "privateKey": { "bigip": "/Common/lab" }, "chainCA": { "bigip": "/Common/ca-bundle.crt" } }, "sni2": { "class": "Certificate", "certificate": { "bigip": "/Common/lab" }, "privateKey": { "bigip": "/Common/lab" }, "chainCA": { "bigip": "/Common/ca-bundle.crt" } }, "pool_1": { "class": "Pool", "loadBalancingMode": "least-connections-member", "serviceDownAction": "reset", "slowRampTime": 0, "monitors": [ { "bigip": "/Common/https" } ], "members": [ { "servicePort": 8080, "serverAddresses": ["192.168.123.1", "192.168.123.2"], "shareNodes": true } ] } } } } }{ "code": 422, "message": "declaration failed", "response": "0107150a:3: SNI require is enabled on clientssl/serverssl profile /sni_tenant/sni_app/client_ssl_profile-1- yet SNI default is not enabled.", "host": "localhost", "tenant": "sni_tenant", "runTime": 1774, "declarationId": "autogen_fc229ddb-7361-4789-8bb6-cf2e89273730" }This works in TMSH if
"requireSNI": false:Expected Behavior
Allow default SNI profile set to require SNI, currently
"requireSNI"seems to be propagated to all profiles automatically created based on"certificates": []list which is incorrect behavior.Actual Behavior
Declaration returns error, it works in TMSH/GUI but not using AS3
The text was updated successfully, but these errors were encountered: