Forum Discussion

kuroki
Sep 05, 2025

SSLO Policy Condition - Server Certificate (Issuer DN)

What I'm trying to achieve:

Bypass a session if the Server Issuer DN = <trusted-DN>.

What I have tried:

A policy condition of Server Certificate (Issuer DN), using a data group substring match with the DN as a string

e.g. : C=xx, ST=xx <omitted> CN=<trusted-DN>, <omitted>

The APM logs show it's executing an expression, (perflow.ssl.server_cert.issuer) contains "/Common/<DATAGROUP>", and the return value is 'Failed'.

I know the DN is correct (pasted from another of the APM logs), but the policy is not matching against the DG.

On another note - I can't put a DN or CN / string into the policy condition as a 'static value'; the entry needs to be in SNI format, which leads me to believe that this is not truly looking at the server certificate?

What am I missing, is this even possible?

Kevin_Stewart sorry to tag - but perhaps one for you?

Many thanks

6 Replies

  • I think I have found the issue, it appears to be a bug in the SSLO policy UI.

    If I create a rule with a match condition 'Server Certificate (Issuer DN)' and select a data group the resulting expression in the VPE is:

    expr {[mcget {perflow.ssl.server_cert.issuer}] contains "/Common/TEST_DG"}

    This results in a lookup failure (i.e. no match).

    If I change the expression to:

    expr {[class match [mcget {perflow.ssl.server_cert.issuer}] contains "/Common/TEST_DG"]}

    Then the expression matches and the rule executes the action.

    My DG is a string with CN=<cn-to-match> in the value and data fields.. perhaps this is why? Documentation on VPE variables and DG construction is a bit thin.

    • Injeyan_Kostas

      Hi kuroki

      class match is needed when you need to search against a Data Group

      The GUI supports basic cases, so indeed when you need more advanced ones you should write custom expressions.

      • kuroki

        Indeed - however 'data group' is an option in the GUI, but the resulting expression does not contain 'class match', hence the need to modify it via the VPE.
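The two expressions from the subthread above, side by side with a stricter variant, as an added example written for this page rather than code taken from the thread or from F5 documentation. It assumes an internal string data group named /Common/TEST_DG whose keys are the issuer DN fragments to bypass, and that perflow.ssl.server_cert.issuer holds the issuer DN as a single string in whatever form APM logs it (the exact field order and separators are not assumed). The tmsh command in the comment is an assumption about how such a data group would be created.

```tcl
# Added example for an SSL Orchestrator per-request policy (VPE custom
# expression). Not the thread's own code; names below are assumptions.
#
# Assumed data group, an internal "string" data group whose keys are the
# issuer DN substrings that should trigger the bypass, e.g. (assumed tmsh):
#   create ltm data-group internal TEST_DG type string \
#       records add { "CN=Trusted Issuer CA" { } }

# 1. What the GUI generates for "Server Certificate (Issuer DN)" with a
#    data group selected. "contains" here is the BIG-IP Tcl string operator:
#    it asks whether the issuer DN text contains the literal characters
#    "/Common/TEST_DG". No real DN does, so this evaluates false and the
#    bypass action never runs.
expr {[mcget {perflow.ssl.server_cert.issuer}] contains "/Common/TEST_DG"}

# 2. A real data-group lookup. "class match" compares the item against
#    each key of the named data group; with the "contains" operator it is
#    true when any key is a substring of the issuer DN. It returns 1 or 0,
#    which expr passes through as the condition result.
expr {[class match [mcget {perflow.ssl.server_cert.issuer}] contains "/Common/TEST_DG"]}

# 3. Stricter variant: require the whole issuer DN to equal a key, so the
#    data group must hold complete DNs (e.g. "C=xx, ST=xx, ..., CN=...")
#    exactly as APM logs them. A key like "CN=Trusted Issuer CA" then no
#    longer also matches "CN=Trusted Issuer CA Test" or any other DN that
#    merely contains that text.
expr {[class match [mcget {perflow.ssl.server_cert.issuer}] equals "/Common/TEST_DG"]}
```

Note that the issuer DN is taken from the certificate the remote server presents, so a substring key is matched against server-supplied text; when the data group is meant to identify specific CAs, the "equals" form with full DNs as keys is the narrower condition, and the bypass should still be combined with whatever certificate validation the policy already applies.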

    • kuroki

      Hi Kevin. Thanks for raising a bug. Still waiting on my support acct. to be sorted.

      So my next problem is that the change I make in the VPE is overwritten if a change is redeployed from the UI. I do not tick the 'overwrite' box when asked if I want to keep OOB changes or overwrite.

      Is there another way to ensure changes persist after a UI deploy? The UI seems to do an atomic replace; even a VLAN change overwrites my custom access rule!

      BIG-IP v17.5

      • Melissa_C

        Hello kuroki

        If you are having issues with getting your support account sorted out, send me a direct message with what is occurring and I can help get that taken care of for you.

        -Melissa