Check a Virtual Server's SSL Status

[root@ltm3:Active:Standalone] config # tmsh run cli script testtype.tcl Virtual: ext_nerdknobs.tech_80 Client-side encrypted: false Server-side encrypted: false Inspection possible: true Virtual: ext_nerdknobs.tech_443 Client-side encrypted: true Server-side encrypted: true Inspection possible: true Virtual: h2test Client-side encrypted: true Server-side encrypted: false Inspection possible: true Virtual: viptest1 Client-side encrypted: false Server-side encrypted: true Inspection possible: true Virtual: virtual_name3 Client-side encrypted: true Server-side encrypted: true Inspection possible: false

4 Comments

xuwen

Cumulonimbus

Sep 17, 2022

It seems that check only work on the configuration of the Common partition. I added a few lines of code to script::run to detect the configuration of all partitions.

i want to know where is the cli script filestore? i cat bigip.conf not find cli script

proc script::run {} {
    # Build a list of Client SSL Profiles
    foreach partition_config [tmsh::get_config /auth partition] {
        # set partition "[lindex [split $all_partitions " "] 2]"
        set partition "[tmsh::get_name ${partition_config}]"
        lappend partition_list $partition
        foreach cssl_profile [tmsh::get_config /ltm profile client-ssl] {
            lappend ::cssl_profiles "[tmsh::get_name $cssl_profile]"
            # some partion virtual use Common partition clientside-ssl, 
            # list current partition config ltm virtual ssl profile name format is /Common/xxx
            # so we need to add partion name to ssl profile name, 
            # prevent lsearch -exact $::cssl_profiles $profile_name failed
            lappend ::cssl_profiles "/${partition}/[tmsh::get_name $cssl_profile]"
        }
        # Build a list of Server SSL Profiles
        foreach sssl_profile [tmsh::get_config /ltm profile server-ssl] {
            lappend ::sssl_profiles "[tmsh::get_name $sssl_profile]"
            lappend ::sssl_profiles "/${partition}/[tmsh::get_name $sssl_profile]"
        }
    }
    foreach partition_name ${partition_list} {
        puts "Partition: $partition_name"
        tmsh::cd /${partition_name}
        # Iterate through Virtual Servers
        foreach virtual [tmsh::get_config /ltm virtual] {
            set vip_name [tmsh::get_name $virtual]
            foreach profile [tmsh::get_field_value $virtual profiles] {
                # prevent some partition use the same name ssl profile name in other partition 
                # cause lsearch -exact $::cssl_profiles $profile_name incorrect result
                if { [string first "/" [tmsh::get_name $profile]] == 0 } {
                    set profile_name [tmsh::get_name $profile]
                } else {
                    set profile_name "/${partition_name}/[tmsh::get_name $profile]"
                }
                if { [lsearch -exact $::cssl_profiles $profile_name] != -1 } {
                    set cssl_match 1
                }
                if { [lsearch -exact $::sssl_profiles $profile_name] != -1 } {
                    set sssl_match 1
                }
            }
            if { [info exists cssl_match] && [info exists sssl_match] } {
                # Client-side & Server-side profiles
                print_ssl_details $vip_name true true true
                unset cssl_match
                unset sssl_match
            } elseif { [info exists cssl_match] } {
                # Client-side profile only
                print_ssl_details $vip_name true false true
                unset cssl_match
            } elseif { [info exists sssl_match] } {
                # Server-side profile only
                print_ssl_details $vip_name false true true
                unset sssl_match
            } elseif { [lindex [split [tmsh::get_field_value $virtual destination] ":"] 1] eq "https" } {
                # No profiles, but port 443, likely passthrough
                print_ssl_details $vip_name true true false
            } else {
                # No profiles or known SSL ports, likely unencrypted
                print_ssl_details $vip_name false false true
            }
        }
        puts "-----------------------------------------------"     
    }  
}

xuwen

Cumulonimbus

Sep 18, 2022

The above version cannot check the SSL issued by AS3 because it is configured under /Partition/Folder
The rough test of the following code can detect the configuration below AS3 Folder

proc script::run {} {
    # Build a list of Client SSL Profiles
    foreach partition_config [tmsh::get_config /auth partition] {
        # set partition "[lindex [split $all_partitions " "] 2]"
        set partition "[tmsh::get_name ${partition_config}]"
        lappend partition_list $partition
        tmsh::cd /$partition
        foreach cssl_profile [tmsh::get_config /ltm profile client-ssl] {
            lappend ::cssl_profiles "[tmsh::get_name $cssl_profile]"
            # some partition virtual use Common partition clientside-ssl, 
            # list current partition config ltm virtual ssl profile name format is /Common/xxx
            # so we need to add partition name to ssl profile name, 
            # prevent lsearch -exact $::cssl_profiles $profile_name failed
            lappend ::cssl_profiles "/${partition}/[tmsh::get_name $cssl_profile]"
        }
        
        # Build a list of Server SSL Profiles
        foreach sssl_profile [tmsh::get_config /ltm profile server-ssl] {
            lappend ::sssl_profiles "[tmsh::get_name $sssl_profile]"
            lappend ::sssl_profiles "/${partition}/[tmsh::get_name $sssl_profile]"
        }
        foreach partition_folder_config [tmsh::get_config /sys folder] {
            set partition_folder_name [tmsh::get_name $partition_folder_config]
            tmsh::cd /${partition}/${partition_folder_name}
            foreach folder_cssl_profile [tmsh::get_config /ltm profile client-ssl] {
                # lappend ::cssl_profiles "[tmsh::get_name $folder_cssl_profile]"
                lappend ::cssl_profiles "/${partition}/${partition_folder_name}/[tmsh::get_name $folder_cssl_profile]"
            }
            foreach folder_sssl_profile [tmsh::get_config /ltm profile server-ssl] {
                # lappend ::sssl_profiles "[tmsh::get_name $folder_sssl_profile]"
                lappend ::sssl_profiles "/${partition}/${partition_folder_name}/[tmsh::get_name $sssl_profile]"
            }
        }
    }
    foreach partition_name ${partition_list} {
        puts "Partition: $partition_name"
        tmsh::cd /${partition_name}
        # Iterate through Virtual Servers
        
        foreach virtual [tmsh::get_config /ltm virtual] {
            set vip_name [tmsh::get_name $virtual]
            foreach profile [tmsh::get_field_value $virtual profiles] {
                # prevent some partition use the same name ssl profile name in other partition 
                # cause lsearch -exact $::cssl_profiles $profile_name incorrect result
                if { [string first "/" [tmsh::get_name $profile]] == 0 } {
                    set profile_name [tmsh::get_name $profile]
                } else {
                    set profile_name "/${partition_name}/[tmsh::get_name $profile]"
                }
                if { [lsearch -exact $::cssl_profiles $profile_name] != -1 } {
                    set cssl_match 1
                }
                if { [lsearch -exact $::sssl_profiles $profile_name] != -1 } {
                    set sssl_match 1
                }
            }
            if { [info exists cssl_match] && [info exists sssl_match] } {
                # Client-side & Server-side profiles
                print_ssl_details $vip_name true true true
                unset cssl_match
                unset sssl_match
            } elseif { [info exists cssl_match] } {
                # Client-side profile only
                print_ssl_details $vip_name true false true
                unset cssl_match
            } elseif { [info exists sssl_match] } {
                # Server-side profile only
                print_ssl_details $vip_name false true true
                unset sssl_match
            } elseif { [lindex [split [tmsh::get_field_value $virtual destination] ":"] 1] eq "https" } {
                # No profiles, but port 443, likely passthrough
                print_ssl_details $vip_name true true false
            } else {
                # No profiles or known SSL ports, likely unencrypted
                print_ssl_details $vip_name false false true
            }
        }
        foreach partition_folder_config [tmsh::get_config /sys folder] {
            set current_partition_folder_name [tmsh::get_name $partition_folder_config]
            puts "Partition Folder: /${partition_name}/${current_partition_folder_name}"
            tmsh::cd /${partition_name}/${current_partition_folder_name}
            foreach folder_virtual [tmsh::get_config /ltm virtual] {
                set folder_vip_name [tmsh::get_name $folder_virtual]
                foreach folder_profile [tmsh::get_field_value $folder_virtual profiles] {
                    if { [string first "/" [tmsh::get_name $folder_profile]] == 0 } {
                        set folder_profile_name [tmsh::get_name $folder_profile]
                    } else {
                        set folder_profile_name "/${partition_name}/${current_partition_folder_name}/[tmsh::get_name $folder_profile]"
                    }
                    if { [lsearch -exact $::cssl_profiles $folder_profile_name] != -1 } {
                        set cssl_match 1
                    }
                    if { [lsearch -exact $::sssl_profiles $folder_profile_name] != -1 } {
                        set sssl_match 1
                    }
                }
                if { [info exists cssl_match] && [info exists sssl_match] } {
                    # Client-side & Server-side profiles
                    print_ssl_details $folder_vip_name true true true
                    unset cssl_match
                    unset sssl_match
                } elseif { [info exists cssl_match] } {
                    # Client-side profile only
                    print_ssl_details $folder_vip_name true false true
                    unset cssl_match
                } elseif { [info exists sssl_match] } {
                    # Server-side profile only
                    print_ssl_details $folder_vip_name false true true
                    unset sssl_match
                } elseif { [lindex [split [tmsh::get_field_value $folder_virtual destination] ":"] 1] eq "https" } {
                    # No profiles, but port 443, likely passthrough
                    print_ssl_details $folder_vip_name true true false
                } else {
                    # No profiles or known SSL ports, likely unencrypted
                    print_ssl_details $folder_vip_name false false true
                }
            }
        }
        puts "-----------------------------------------------"
    }     
}

JRahm
Admin
Sep 19, 2022
nice additions xuwen !
JRahm
Admin
Sep 19, 2022
oh...and cli scripts are in the /config/bigip_script.conf file.

[root@ltm3:Active:Standalone] config # tmsh run cli script testtype.tcl\n\nVirtual: ext_nerdknobs.tech_80\n\tClient-side encrypted: false\n\tServer-side encrypted: false\n\tInspection possible: true\n\nVirtual: ext_nerdknobs.tech_443\n\tClient-side encrypted: true\n\tServer-side encrypted: true\n\tInspection possible: true\n\nVirtual: h2test\n\tClient-side encrypted: true\n\tServer-side encrypted: false\n\tInspection possible: true\n\nVirtual: viptest1\n\tClient-side encrypted: false\n\tServer-side encrypted: true\n\tInspection possible: true\n\t\nVirtual: virtual_name3\n\tClient-side encrypted: true\n\tServer-side encrypted: true\n\tInspection possible: false

proc script::run {} {\n # Build a list of Client SSL Profiles\n foreach partition_config [tmsh::get_config /auth partition] {\n # set partition \"[lindex [split $all_partitions \" \"] 2]\"\n set partition \"[tmsh::get_name ${partition_config}]\"\n lappend partition_list $partition\n tmsh::cd /$partition\n foreach cssl_profile [tmsh::get_config /ltm profile client-ssl] {\n lappend ::cssl_profiles \"[tmsh::get_name $cssl_profile]\"\n # some partition virtual use Common partition clientside-ssl, \n # list current partition config ltm virtual ssl profile name format is /Common/xxx\n # so we need to add partition name to ssl profile name, \n # prevent lsearch -exact $::cssl_profiles $profile_name failed\n lappend ::cssl_profiles \"/${partition}/[tmsh::get_name $cssl_profile]\"\n }\n \n # Build a list of Server SSL Profiles\n foreach sssl_profile [tmsh::get_config /ltm profile server-ssl] {\n lappend ::sssl_profiles \"[tmsh::get_name $sssl_profile]\"\n lappend ::sssl_profiles \"/${partition}/[tmsh::get_name $sssl_profile]\"\n }\n foreach partition_folder_config [tmsh::get_config /sys folder] {\n set partition_folder_name [tmsh::get_name $partition_folder_config]\n tmsh::cd /${partition}/${partition_folder_name}\n foreach folder_cssl_profile [tmsh::get_config /ltm profile client-ssl] {\n # lappend ::cssl_profiles \"[tmsh::get_name $folder_cssl_profile]\"\n lappend ::cssl_profiles \"/${partition}/${partition_folder_name}/[tmsh::get_name $folder_cssl_profile]\"\n }\n foreach folder_sssl_profile [tmsh::get_config /ltm profile server-ssl] {\n # lappend ::sssl_profiles \"[tmsh::get_name $folder_sssl_profile]\"\n lappend ::sssl_profiles \"/${partition}/${partition_folder_name}/[tmsh::get_name $sssl_profile]\"\n }\n }\n }\n foreach partition_name ${partition_list} {\n puts \"Partition: $partition_name\"\n tmsh::cd /${partition_name}\n # Iterate through Virtual Servers\n \n foreach virtual [tmsh::get_config /ltm virtual] {\n set vip_name [tmsh::get_name $virtual]\n foreach profile [tmsh::get_field_value $virtual profiles] {\n # prevent some partition use the same name ssl profile name in other partition \n # cause lsearch -exact $::cssl_profiles $profile_name incorrect result\n if { [string first \"/\" [tmsh::get_name $profile]] == 0 } {\n set profile_name [tmsh::get_name $profile]\n } else {\n set profile_name \"/${partition_name}/[tmsh::get_name $profile]\"\n }\n if { [lsearch -exact $::cssl_profiles $profile_name] != -1 } {\n set cssl_match 1\n }\n if { [lsearch -exact $::sssl_profiles $profile_name] != -1 } {\n set sssl_match 1\n }\n }\n if { [info exists cssl_match] && [info exists sssl_match] } {\n # Client-side & Server-side profiles\n print_ssl_details $vip_name true true true\n unset cssl_match\n unset sssl_match\n } elseif { [info exists cssl_match] } {\n # Client-side profile only\n print_ssl_details $vip_name true false true\n unset cssl_match\n } elseif { [info exists sssl_match] } {\n # Server-side profile only\n print_ssl_details $vip_name false true true\n unset sssl_match\n } elseif { [lindex [split [tmsh::get_field_value $virtual destination] \":\"] 1] eq \"https\" } {\n # No profiles, but port 443, likely passthrough\n print_ssl_details $vip_name true true false\n } else {\n # No profiles or known SSL ports, likely unencrypted\n print_ssl_details $vip_name false false true\n }\n }\n foreach partition_folder_config [tmsh::get_config /sys folder] {\n set current_partition_folder_name [tmsh::get_name $partition_folder_config]\n puts \"Partition Folder: /${partition_name}/${current_partition_folder_name}\"\n tmsh::cd /${partition_name}/${current_partition_folder_name}\n foreach folder_virtual [tmsh::get_config /ltm virtual] {\n set folder_vip_name [tmsh::get_name $folder_virtual]\n foreach folder_profile [tmsh::get_field_value $folder_virtual profiles] {\n if { [string first \"/\" [tmsh::get_name $folder_profile]] == 0 } {\n set folder_profile_name [tmsh::get_name $folder_profile]\n } else {\n set folder_profile_name \"/${partition_name}/${current_partition_folder_name}/[tmsh::get_name $folder_profile]\"\n }\n if { [lsearch -exact $::cssl_profiles $folder_profile_name] != -1 } {\n set cssl_match 1\n }\n if { [lsearch -exact $::sssl_profiles $folder_profile_name] != -1 } {\n set sssl_match 1\n }\n }\n if { [info exists cssl_match] && [info exists sssl_match] } {\n # Client-side & Server-side profiles\n print_ssl_details $folder_vip_name true true true\n unset cssl_match\n unset sssl_match\n } elseif { [info exists cssl_match] } {\n # Client-side profile only\n print_ssl_details $folder_vip_name true false true\n unset cssl_match\n } elseif { [info exists sssl_match] } {\n # Server-side profile only\n print_ssl_details $folder_vip_name false true true\n unset sssl_match\n } elseif { [lindex [split [tmsh::get_field_value $folder_virtual destination] \":\"] 1] eq \"https\" } {\n # No profiles, but port 443, likely passthrough\n print_ssl_details $folder_vip_name true true false\n } else {\n # No profiles or known SSL ports, likely unencrypted\n print_ssl_details $folder_vip_name false false true\n }\n }\n }\n puts \"-----------------------------------------------\"\n } \n}

Check a Virtual Server's SSL Status

Code is community submitted, community supported, and recognized as ‘Use At Your Own Risk’.

Short Description

How to use this Code Snippet

Code Snippet Meta Information

Full Code Snippet

4 Comments

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS

Code is community submitted, community supported, and recognized as ‘Use At Your Own Risk’.

Short Description

How to use this Code Snippet

Code Snippet Meta Information

Full Code Snippet

Code is community submitted, community supported, and recognized as ‘Use At Your Own Risk’.

Short Description

How to use this Code Snippet

Code Snippet Meta Information

Full Code Snippet