Forum Discussion

kuroki
Sep 05, 2025

SSLO Policy Condition - Server Certificate (Issuer DN)

What I'm trying to achieve:

Bypass a session if the Server Issuer DN = <trusted-DN>.

What I have tried:

Policy condition of Server Certificate (Issuer DN) and using data group substring match with DN in a string 

e.g. : C=xx, ST=xx <omitted> CN=<trusted-DN>, <omitted>

The APM logs - it's executing an expression (perflow.ssl.server_cert.issuer) contains "/Common/<DATAGROUP>" and the return value is 'Failed'

I know the DN is correct (pasted from another of the APM logs), but the policy is not matching against the DG.

On another note - I can't put a DN or CN / string into the policy condition as a 'static value'; the entry needs to be in SNI format - which leads me to believe that this is not truly looking at the server certificate?

What am I missing, is this even possible?

Kevin_Stewart, sorry to tag, but perhaps one for you?

Many thanks

6 Replies

  • I think I have found the issue, it appears to be a bug in the SSLO policy UI.

    If I create a rule with a match condition 'Server Certificate (Issuer DN)' and select a data group the resulting expression in the VPE is:

    expr {[mcget {perflow.ssl.server_cert.issuer}] contains "/Common/TEST_DG"}

    This results in a lookup failure (i.e. no match).

    If I change the expression to:

    expr {[class match [mcget {perflow.ssl.server_cert.issuer}] contains "/Common/TEST_DG"]}

    Then the expression matches and the rule executes the action.

    My DG is a string with the CN=<cn-to-match> in value and data fields. Perhaps this is why? Documentation on VPE variables and DG construct is a bit thin.

    • Injeyan_Kostas

      Hi kuroki

      class match is needed when you need to search against a Data Group

      The GUI supports basic cases, so indeed when you need more advanced ones you should write custom expressions

      • kuroki

        Indeed - however 'data group' is an option in the GUI, but the resulting expression does not contain 'class match', hence the need to modify via VPE.
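        Added illustration (not code from the thread, from F5, or from the SSLO product): a small Python model of why the UI-generated expression never matches while the hand-edited one does. The modelled semantics are assumptions stated in the comments: the Tcl `contains` operator is a plain substring test against its literal right-hand side, `class match <string> contains <dg>` is true when any key of the data group is a substring of the string, and `class match <string> equals <dg>` requires an exact key match. The data groups and issuer DNs are constructed samples, and the lookalike DN is included to show the defensive point that a substring match on a CN fragment also accepts DNs that merely contain that fragment, which an exact match on the full DN does not.

```python
# Added example (not from the thread): models the two VPE expressions
#
#   expr {[mcget {perflow.ssl.server_cert.issuer}] contains "/Common/TEST_DG"}
#   expr {[class match [mcget {perflow.ssl.server_cert.issuer}] contains "/Common/TEST_DG"]}
#
# Assumed semantics: `contains` is a literal substring test; `class match ... contains`
# is true if any data-group key is a substring of the subject string;
# `class match ... equals` is true only on an exact key match.

# Constructed data groups (names and entries are samples, not real objects).
DATA_GROUPS = {
    # Entry built the way the thread describes: CN=<cn-to-match> as the key.
    "/Common/TEST_DG": {"CN=Example Trusted Issuer CA": "CN=Example Trusted Issuer CA"},
    # Same trust decision expressed as a full issuer DN for an exact match.
    "/Common/TEST_DG_FULLDN": {
        "C=US, ST=CA, O=Example Corp, CN=Example Trusted Issuer CA, OU=PKI": ""
    },
}

# Constructed issuer DNs in the comma-separated form APM logs them.
ISSUER_DN = "C=US, ST=CA, O=Example Corp, CN=Example Trusted Issuer CA, OU=PKI"
LOOKALIKE_DN = "C=US, O=Other Org, CN=Example Trusted Issuer CA Reseller"


def tcl_contains(subject: str, literal: str) -> bool:
    """Models the Tcl/iRules `contains` operator: is `literal` inside `subject`?"""
    return literal in subject


def class_match(subject: str, operator: str, dg_name: str) -> bool:
    """Models `class match <subject> <operator> <dg>` for 'contains' and 'equals'."""
    entries = DATA_GROUPS.get(dg_name)
    if entries is None:
        return False  # unknown data group: no match, mirrors a failed lookup
    if operator == "contains":
        return any(key in subject for key in entries)
    if operator == "equals":
        return subject in entries
    raise ValueError(f"unsupported operator: {operator}")


def ui_generated_rule(issuer_dn: str) -> bool:
    """What the SSLO UI emitted: compares the DN against the data group *name*,
    never against its contents, so it can only fail."""
    return tcl_contains(issuer_dn, "/Common/TEST_DG")


def hand_edited_rule(issuer_dn: str) -> bool:
    """The thread's corrected expression: a real data-group substring lookup."""
    return class_match(issuer_dn, "contains", "/Common/TEST_DG")


def strict_rule(issuer_dn: str) -> bool:
    """Tighter variant: exact match on the full issuer DN."""
    return class_match(issuer_dn, "equals", "/Common/TEST_DG_FULLDN")


if __name__ == "__main__":
    for dn in (ISSUER_DN, LOOKALIKE_DN):
        print(dn)
        print("  UI-generated (contains literal DG name):", ui_generated_rule(dn))
        print("  class match ... contains               :", hand_edited_rule(dn))
        print("  class match ... equals (full DN)       :", strict_rule(dn))
```

        Run as-is to see the three outcomes side by side: the UI-generated expression is false for every DN, the `contains` lookup accepts both the trusted issuer and the lookalike because the CN fragment is a substring of each, and the exact-DN lookup accepts only the trusted issuer. For a bypass rule, which removes inspection for the whole session, the exact form is the safer choice to express in the data group.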

    • kuroki

      Hi Kevin. Thanks for raising a bug. Still waiting on my support acct. to be sorted.

      So my next problem is the change I make in the VPE is overwritten if a change is redeployed from the UI - I do not tick the 'overwrite' box when asked if I want to keep OOB changes or overwrite.

      Is there another way to ensure changes persist after a UI deploy? The UI seems to do an atomic replace, even a VLAN change overwrites my custom access rule!

      BIG-IP v17.5

      • Melissa_C

        Hello kuroki

        If you are having issues with getting your support account sorted out, send me a direct message with what is occurring and I can help get that taken care of for you.

        -Melissa