For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

kuroki's avatar
kuroki
Icon for Altostratus rankAltostratus
Sep 05, 2025

SSLO Policy Condition - Server Certificate (Issuer DN)

What I'm trying to achieve: Bypass a session if the Server Issuer DN = <trusted-DN>. What I have tried: Policy condition of Server Certificate (Issuer DN) and using data group substring matc...
security
SSLo Forward Proxy
kuroki's avatar
kuroki
Icon for Altostratus rankAltostratus
Sep 08, 2025

I think I have found the issue, it appears to be a bug in the SSLO policy UI.

If I create a rule with a match condition 'Server Certificate (Issuer DN)' and select a data group the resulting expression in the VPE is:

expr {[mcget {perflow.ssl.server_cert.issuer}] contains "/Common/TEST_DG"}

This results in a lookup failure (i.e. no match).

If I change the expression to:

expr {[class match [mcget {perflow.ssl.server_cert.issuer}] contains "/Common/TEST_DG"}


Then the expression matches and the rule executes the action.

My DG is a string with the CN=<cn-to-match> in vlaue and data fields.. perhaps this is why? Documentation on VPE variables and DG construct is a bit thin 

Injeyan_Kostas's avatar
Injeyan_Kostas
Icon for Nacreous rankNacreous
Sep 08, 2025

Hi kuroki​

class match is needed when you need to search against a Data Group

The gui supports basic cases so indeed when you need more avdanced ones you should write custom expressions

  • kuroki's avatar
    kuroki
    Icon for Altostratus rankAltostratus
    Sep 08, 2025

    Indeed - however 'data group' is an option in the GUI - but the resulting expression does not contain 'class match' - hence the need to modify via VPE..