
bitnoc
May 19, 2020

Enabling OCSP stapling via f5-sdk fails

I want to enable OCSP stapling for a lot of clientSSL profiles, so I thought I'd use the f5-sdk Python library. However, my tests so far fail miserably, even without trying to change the actual setting. Here's what I tested:


#! /usr/bin/env python3
from f5.bigip import ManagementRoot
mgmt = ManagementRoot("hostname", "username", "password")
profile = mgmt.tm.ltm.profile.client_ssls.client_ssl.load(partition="Common", name="myprofile")
print(profile.ocspStapling)
profile.update()

This prints the current ocspStapling value ('disabled'), but updating the unchanged profile fails:

 

$ python3 ocsp-test2.py
disabled
Traceback (most recent call last):
 File "ocsp-test2.py", line 15, in <module>
   profile.update()
 File "/Users/teun/Library/Python/3.7/lib/python/site-packages/f5/bigip/resource.py", line 617, in update
   self._update(**kwargs)
 File "/Users/teun/Library/Python/3.7/lib/python/site-packages/f5/bigip/resource.py", line 580, in _update
   response = session.put(update_uri, json=data_dict, **requests_params)
 File "/Users/teun/Library/Python/3.7/lib/python/site-packages/icontrol/session.py", line 295, in wrapper
   raise iControlUnexpectedHTTPError(error_message, response=response)
icontrol.exceptions.iControlUnexpectedHTTPError: 400 Unexpected Error: Bad Request for uri: https://hostname:443/mgmt/tm/ltm/profile/client-ssl/~Common~myprofile/
Text: '{"code":400,"message":"\\"{ dont-insert-empty-fragments no-tlsv1.1 single-dh-use no-sslv3 no-tlsv1 }\\" unexpected argument","errorStack":[],"apiError":26214401}'

 

I didn't change any settings of the profile, so why would it fail to update? As a test, I removed these SSL options, but that doesn't help either. The error message changes of course, but updating an unchanged profile still fails:


icontrol.exceptions.iControlUnexpectedHTTPError: 400 Unexpected Error: Bad Request for uri: https://hostname:443/mgmt/tm/ltm/profile/client-ssl/~Common~myprofile/
Text: '{"code":400,"message":"01b4002a:3: Client SSL profile (/Common/myprofile):cert-key-chain and profile cert/key/chain/passphrase options cannot be specified together.","errorStack":[],"apiError":3}'

 

I really fail to see what's wrong here and what I need to do to get this to work. Any other suggestions on configuring OCSP stapling via python are welcome too.
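
An added example, not part of the original post and not F5's code: the traceback above shows update() sending the whole loaded object with PUT, so this builds a PATCH request that carries only the attribute being changed. The sample profile dictionary and the helper names are constructed for illustration; f5-sdk exposes the same PATCH behaviour through modify().

```python
import json
import urllib.request

# Constructed sample of a loaded client-ssl profile; values are illustrative
# and not taken from a real device.
LOADED_PROFILE = {
    "name": "myprofile",
    "partition": "Common",
    "ocspStapling": "disabled",
    "tmOptions": "{ dont-insert-empty-fragments no-tlsv1.1 single-dh-use no-sslv3 no-tlsv1 }",
    "cert": "/Common/default.crt",
    "key": "/Common/default.key",
    "certKeyChain": [{"name": "default", "cert": "/Common/default.crt",
                      "key": "/Common/default.key"}],
}


def changed_fields(current, desired):
    """Return only the keys whose desired value differs from the current one."""
    return {k: v for k, v in desired.items() if current.get(k) != v}


def build_patch(host, partition, name, current, desired):
    """Build (without sending) a PATCH request with only the changed fields.

    Returns None when nothing differs, so an unchanged profile is never
    rewritten and untouched fields (tmOptions, cert/key, certKeyChain)
    are never re-submitted to the device.
    """
    body = changed_fields(current, desired)
    if not body:
        return None
    url = f"https://{host}/mgmt/tm/ltm/profile/client-ssl/~{partition}~{name}"
    return urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method="PATCH",
        headers={"Content-Type": "application/json"},
    )


if __name__ == "__main__":
    req = build_patch("hostname", "Common", "myprofile",
                      LOADED_PROFILE, {"ocspStapling": "enabled"})
    print(req.get_method(), req.full_url, req.data.decode())
```

With the SDK object from the post, the equivalent call is profile.modify(ocspStapling="enabled"). Keep TLS certificate verification on for the management connection when sending the request.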
