
[AUTOTOOL-3606] Expose sni-default option for TLS profiles.
f5-alex-zaets committed Feb 21, 2023
1 parent ae79d1e commit 8af4e6c
Showing 9 changed files with 120 additions and 16 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -10,6 +10,7 @@ Changes to this project are documented in this file. More detail (including info
### Fixed
- AUTOTOOL-3331: Service with partial mask and custom route domain fails to POST twice
- AUTOTOOL-3521: ([GitHub Issue 660](https://github.com/F5Networks/f5-appsvcs-extension/issues/660)): Address_Discovery static node type does not work
- AUTOTOOL-3606: ([GitHub Issue 274](https://github.com/F5Networks/f5-appsvcs-extension/issues/274)): expose TLS_Server option to enable/disable "default profile for SNI"

### Changed

Expand Up @@ -25,7 +25,8 @@
"certificate": "webcert1"
},
{
"certificate": "webcert2"
"certificate": "webcert2",
"sniDefault": true
}]
},
"webcert1": {
2 changes: 1 addition & 1 deletion src/lib/map_as3.js
Expand Up @@ -1349,7 +1349,7 @@ const translate = {
genCert(tlsItem, obj.certificate, 'SERVER');
genCert(tlsItem, obj.proxyCertificate, 'CA');

tlsItem['sni-default'] = index === 0;
tlsItem.sniDefault = obj.sniDefault;
tlsItem.matchToSNI = obj.matchToSNI || 'none';
tlsItem.mode = obj.enabled;

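Review bot: Replacing `tlsItem['sni-default'] = index === 0` with `tlsItem.sniDefault = obj.sniDefault` drops the implicit rule that the first certificate is the SNI default, so a declaration that lists several certificates without setting sniDefault now yields no default profile at all (the unit test in test/unit/lib/map_as3.js changes its expectation to undefined and propertiesTlsServer.js expects 'false' for the unflagged case). Existing declarations that relied on the first certificate answering clients that send no or an unknown SNI change behaviour on upgrade, and if BIG-IP requires exactly one default among several client-ssl profiles on a virtual, such declarations may fail to deploy — worth confirming. A compatible option is to keep the old fallback only when nothing in the list is flagged, e.g. `tlsItem.sniDefault = (typeof obj.sniDefault === 'boolean') ? obj.sniDefault : (index === 0 && !certificates.some((c) => c.sniDefault));`, where `certificates` stands for the array this callback iterates (its real name is outside the hunk). The enclosing function starts and ends outside the hunk.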
4 changes: 3 additions & 1 deletion src/lib/properties.json
Expand Up @@ -624,7 +624,7 @@
{ "id":"renegotiation", "altId": "renegotiationEnabled", "truth": "enabled", "falsehood": "disabled" },
{ "id":"retain-certificate", "altId": "retainCertificateEnabled", "truth": "true", "falsehood": "false" },
{ "id":"secure-renegotiation" },
{ "id":"sni-default", "truth": "true", "falsehood": "false" },
{ "id":"sni-default", "altId": "sniDefault", "truth": "true", "falsehood": "false" },
{ "id":"sni-require", "altId": "requireSNI", "truth": "true", "falsehood": "false" },
{ "id":"server-name", "altId": "matchToSNI"},
{ "id":"ssl-c3d", "altId": "c3dEnabled", "truth": "enabled", "falsehood": "disabled" },
Expand Down Expand Up @@ -711,6 +711,8 @@
{ "id":"secure-renegotiation" },
{ "id":"server-name", "altId": "sendSNI" },
{ "id":"session-ticket", "truth": "enabled", "falsehood": "disabled", "altId": "sessionTickets" },
{ "id":"sni-default", "altId": "sniDefault", "truth": "true", "falsehood": "false" },
{ "id":"sni-require", "altId": "requireSNI", "truth": "true", "falsehood": "false" },
{ "id":"ssl-c3d", "altId": "c3dEnabled", "truth": "enabled", "falsehood": "disabled" },
{ "id":"ssl-forward-proxy", "altId": "forwardProxyEnabled", "truth": "enabled", "falsehood": "disabled" },
{ "id":"ssl-forward-proxy-bypass", "altId": "forwardProxyBypassEnabled", "truth": "enabled", "falsehood": "disabled" },
18 changes: 18 additions & 0 deletions src/schema/latest/core-schema.json
Expand Up @@ -5421,6 +5421,12 @@
"description": "If value is FQDN (wildcard okay), ignore all names in certificate and select this cert when SNI matches value (or by default)",
"type": "string"
},
"sniDefault": {
"title": "Default SNI",
"description": "When true, this profile is the default SSL profile when a client connection does not specify a known server name, or does not specify any server name at all. The default value is false",
"type": "boolean",
"default": false
},
"enabled": {
"title": "Enabled",
"description": "Enables SSL processing",
Expand Down Expand Up @@ -5892,6 +5898,18 @@
"format": "hostname",
"default": "none"
},
"sniDefault": {
"title": "Default SNI",
"description": "When true, this profile is the default SSL profile when a client connection does not specify a known server name, or does not specify any server name at all. The default value is false",
"type": "boolean",
"default": false
},
"requireSNI": {
"title": "Require SNI",
"description": "When a client sends no or unknown SNI and Require SNI is false (default), the system uses the primary certificate, otherwise the system rejects the client",
"type": "boolean",
"default": false
},
"alertTimeout": {
"title": "Alert Timeout",
"description": "Specifies the duration of time, in seconds, for the system to try to close an SSL connection before resetting the connection. The default is 'indefinite'. You can also specify 'immediate', or an integer.",
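Review bot: The `sniDefault` description in both hunks repeats `The default value is false`, which the `default` keyword already states, while leaving the constraint that matters unsaid: nothing in the TLS_Server `certificates` item schema prevents several entries from setting `sniDefault: true`, and the description does not say what a client without SNI gets when none does. Suggest replacing the trailing sentence of the first description with `At most one certificate in the list should set this to true` and dropping the duplicated default sentence in both. If the draft named in the schema's `$schema` supports `contains`/`maxContains`, the single-default rule could also be enforced on the array itself rather than left to documentation — worth checking.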
10 changes: 10 additions & 0 deletions test/integration/bigip/property/propertiesTlsClient.js
Expand Up @@ -78,6 +78,16 @@ describe('TLS_Client', function () {
expectedValue: ['none', '1.1.1.10', 'none'],
extractFunction: (o) => o.serverName || 'none'
},
{
name: 'requireSNI',
inputValue: [undefined, true, undefined],
expectedValue: ['false', 'true', 'false']
},
{
name: 'sniDefault',
inputValue: [undefined, true, undefined],
expectedValue: ['false', 'true', 'false']
},
{
name: 'alertTimeout',
inputValue: [undefined, 86400, undefined],
31 changes: 21 additions & 10 deletions test/integration/bigip/property/propertiesTlsServer.js
Expand Up @@ -120,16 +120,23 @@ describe('TLS_Server', function () {
{
name: 'certificates',
inputValue: [
[{ certificate: 'tlsservercert' }],
[{ certificate: 'tlsservercert', sniDefault: true }],
[{ certificate: 'tlsservercert' }]
],
expectedValue: [
`/TEST_${testName}/Application/tlsservercert.crt`
[`/TEST_${testName}/Application/tlsservercert.crt`, 'false'],
[`/TEST_${testName}/Application/tlsservercert.crt`, 'true'],
[`/TEST_${testName}/Application/tlsservercert.crt`, 'false']
],
referenceObjects: {
tlsservercert: tlsServerRef,
theStapler: staplerRef
},
extractFunction: (o) => o.certKeyChain[0].cert
extractFunction: (o) => [
o.certKeyChain[0].cert,
o.sniDefault
]
},

// Tested
Expand All @@ -141,8 +148,8 @@ describe('TLS_Server', function () {
},
{
name: 'requireSNI',
inputValue: [undefined, true, true, undefined],
expectedValue: ['false', 'true', 'true', 'false']
inputValue: [undefined, true, undefined],
expectedValue: ['false', 'true', 'false']
},
{
name: 'alertTimeout',
Expand Down Expand Up @@ -375,7 +382,8 @@ describe('TLS_Server', function () {
inputValue: [[
{
enabled: false,
certificate: 'webcert1'
certificate: 'webcert1',
sniDefault: true
},
{
matchToSNI: 'www.wheeee.com',
Expand Down Expand Up @@ -731,14 +739,16 @@ describe('TLS_Server', function () {
{
enabled: undefined,
matchToSNI: 'www.wheeee.com',
certificate: 'webcert2'
certificate: 'webcert2',
sniDefault: true
}
],
[
{
enabled: false,
certificate: 'webcert1',
proxyCertificate: 'proxyCert'
proxyCertificate: 'proxyCert',
sniDefault: true
},
{
enabled: false,
Expand All @@ -750,7 +760,8 @@ describe('TLS_Server', function () {
[
{
enabled: undefined,
certificate: 'webcert1'
certificate: 'webcert1',
sniDefault: true
},
{
enabled: undefined,
Expand All @@ -776,7 +787,7 @@ describe('TLS_Server', function () {
],
mode: 'enabled',
serverName: 'none',
sniDefault: 'true'
sniDefault: 'false'
},
{
name: `${getItemName({ tenantName: `TEST_${testName}` })}-1-`,
Expand All @@ -793,7 +804,7 @@ describe('TLS_Server', function () {
],
mode: 'enabled',
serverName: 'www.wheeee.com',
sniDefault: 'false'
sniDefault: 'true'
}
],
[
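Review bot: In the hunk at line 382 the certificate marked `sniDefault: true` is also the one with `enabled: false`, so the fixture exercises a disabled client-ssl profile as the default for clients that send no or an unknown SNI; whether BIG-IP accepts that combination, and which certificate such clients then receive, is not asserted in any visible hunk. If the intent is only to exercise the property mapping, consider flagging an enabled certificate instead, or add an expected value that pins the outcome for the disabled-default case. The `requireSNI` row shrinks from four to three inputs with no explanation; if this is alignment with the three-input `certificates` row above, a comment such as `// three inputs to match the certificates row` would make clear that no case was dropped.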
7 changes: 4 additions & 3 deletions test/unit/lib/map_as3.js
Expand Up @@ -7536,7 +7536,8 @@ describe('map_as3', () => {
{
matchToSNI: 'www.somehost.com',
enabled: false,
certificate: '/tenantId/appId/webcert1'
certificate: '/tenantId/appId/webcert1',
sniDefault: true
},
{
enabled: true,
Expand Down Expand Up @@ -7593,7 +7594,7 @@ describe('map_as3', () => {
}
);
assert.deepEqual(profile2.properties['server-name'], 'none');
assert.deepEqual(profile2.properties['sni-default'], 'false');
assert.deepEqual(profile2.properties['sni-default'], undefined);
assert.deepEqual(profile2.properties.mode, 'enabled');

const profile3 = results.configs.find((r) => r.path === '/tenantId/appId/tlsServer-2-');
Expand All @@ -7610,7 +7611,7 @@ describe('map_as3', () => {
}
);
assert.deepEqual(profile3.properties['server-name'], 'none');
assert.deepEqual(profile3.properties['sni-default'], 'false');
assert.deepEqual(profile3.properties['sni-default'], undefined);
assert.deepEqual(profile3.properties.mode, 'enabled');
});

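Review bot: Both changed assertions only pin that the unflagged profiles (profile2, profile3) now produce `sni-default` of `undefined`; the hunk at line 7536 adds `sniDefault: true` to the first certificate, but no visible assertion checks that the corresponding profile maps it to `'true'`. If that check is not elsewhere in the test body (which extends outside these hunks), add `assert.deepEqual(profile1.properties['sni-default'], 'true');` beside the first profile's other assertions, assuming that profile is bound to a constant the way profile2 and profile3 are. A one-line comment on the `undefined` expectation, e.g. `// sniDefault is no longer implied for the first certificate`, would also record why the previous `'false'` expectation went away.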
60 changes: 60 additions & 0 deletions test/unit/schema/core-schema.js
Expand Up @@ -1301,6 +1301,26 @@ describe('core-schema.json', () => {
};
assert.ok(validate(data), getErrorString(validate));
});

it('should validate when sniDefault is provided', () => {
const data = {
class: 'ADC',
schemaVersion: '3.0.0',
id: 'declarationId',
theTenant: {
class: 'Tenant',
application: {
class: 'Application',
template: 'generic',
tlsserver: {
class: 'TLS_Server',
certificates: [{ certificate: 'webcert', sniDefault: true }]
}
}
}
};
assert.ok(validate(data), getErrorString(validate));
});
});

describe('TLS_Client', () => {
Expand Down Expand Up @@ -1624,6 +1644,46 @@ describe('core-schema.json', () => {
};
assert.ok(validate(data), getErrorString(validate));
});

it('should validate when sniDefault is provided', () => {
const data = {
class: 'ADC',
schemaVersion: '3.0.0',
id: 'declarationId',
theTenant: {
class: 'Tenant',
application: {
class: 'Application',
template: 'generic',
tlsserver: {
class: 'TLS_Client',
sniDefault: true
}
}
}
};
assert.ok(validate(data), getErrorString(validate));
});

it('should validate when requireSNI is provided', () => {
const data = {
class: 'ADC',
schemaVersion: '3.0.0',
id: 'declarationId',
theTenant: {
class: 'Tenant',
application: {
class: 'Application',
template: 'generic',
tlsserver: {
class: 'TLS_Client',
requireSNI: true
}
}
}
};
assert.ok(validate(data), getErrorString(validate));
});
});
});

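Review bot: The three new cases only show that a boolean `sniDefault`/`requireSNI` validates; nothing checks that the schema rejects a non-boolean such as `sniDefault: 'true'`, which is the form most likely to arrive from a hand-written declaration. A negative case ending in `assert.strictEqual(validate(data), false);` for a string value would pin the `type: boolean` constraint the schema hunks add. In the two TLS_Client cases the object key is `tlsserver` while the class is `TLS_Client`; renaming the key to `tlsclient` avoids a misleading fixture.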
