Check a Virtual Server's SSL Status
Code is community submitted, community supported, and recognized as ‘Use At Your Own Risk’.
Short Description
A question was asked on how you filter which virtuals might have clientside/serversid...
Updated Sep 16, 2022
Version 2.0JRahm
xuwen
Sep 17, 2022Cumulonimbus
It seems that the check only works on the configuration of the Common partition. I added a few lines of code to script::run so that it inspects the configuration of all partitions.
I would also like to know where CLI scripts are stored on the filesystem; I looked through bigip.conf with cat and could not find the cli script there.
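# script::run -- tmsh script entry point.
#
# For every partition returned by "/auth partition", collects the client-ssl
# and server-ssl profile names into the global lists ::cssl_profiles and
# ::sssl_profiles, then walks every virtual server in every partition and
# calls print_ssl_details (defined elsewhere in this script) with flags that
# say whether a client-side and/or server-side SSL profile is attached.
#
# Takes no arguments and returns nothing; output is written with puts and by
# print_ssl_details. The tmsh working folder is left at the last partition
# visited.
#
# NOTE(review): this only reports whether an SSL profile is attached. It does
# not inspect the protocols, ciphers or certificates the profile allows, so a
# "true" here is not evidence that the TLS configuration is strong.
proc script::run {} {
    # Start from defined (possibly empty) lists so the lsearch calls further
    # down cannot fail on an unset variable when no profile was found.
    if { ![info exists ::cssl_profiles] } { set ::cssl_profiles [list] }
    if { ![info exists ::sssl_profiles] } { set ::sssl_profiles [list] }
    set partition_list [list]

    foreach partition_config [tmsh::get_config /auth partition] {
        set partition [tmsh::get_name $partition_config]
        lappend partition_list $partition

        # Enter the partition before listing its profiles. The virtual-server
        # loop below already relies on tmsh::cd to scope tmsh::get_config to
        # one partition; without the same step here the profile lists are
        # built from the starting folder only and then stamped with every
        # partition name, which misses partition-local SSL profiles and can
        # match an unrelated profile that merely shares a name.
        tmsh::cd /${partition}

        # Build a list of Client SSL Profiles. Names are stored fully
        # qualified (/partition/name) because a virtual server in one
        # partition may reference a profile from another, e.g. /Common/xxx.
        foreach cssl_profile [tmsh::get_config /ltm profile client-ssl] {
            set cssl_name [tmsh::get_name $cssl_profile]
            if { [string first "/" $cssl_name] != 0 } {
                set cssl_name "/${partition}/${cssl_name}"
            }
            lappend ::cssl_profiles $cssl_name
        }

        # Build a list of Server SSL Profiles, qualified the same way.
        foreach sssl_profile [tmsh::get_config /ltm profile server-ssl] {
            set sssl_name [tmsh::get_name $sssl_profile]
            if { [string first "/" $sssl_name] != 0 } {
                set sssl_name "/${partition}/${sssl_name}"
            }
            lappend ::sssl_profiles $sssl_name
        }
    }

    foreach partition_name $partition_list {
        puts "Partition: $partition_name"
        tmsh::cd /${partition_name}

        # Iterate through Virtual Servers
        foreach virtual [tmsh::get_config /ltm virtual] {
            set vip_name [tmsh::get_name $virtual]

            # Reset the match flags for each virtual server.
            set cssl_match 0
            set sssl_match 0

            foreach profile [tmsh::get_field_value $virtual profiles] {
                # A name that already starts with "/" is fully qualified;
                # anything else belongs to the current partition. Qualifying
                # it keeps same-named profiles in different partitions apart.
                set profile_name [tmsh::get_name $profile]
                if { [string first "/" $profile_name] != 0 } {
                    set profile_name "/${partition_name}/${profile_name}"
                }
                if { [lsearch -exact $::cssl_profiles $profile_name] != -1 } {
                    set cssl_match 1
                }
                if { [lsearch -exact $::sssl_profiles $profile_name] != -1 } {
                    set sssl_match 1
                }
            }

            if { $cssl_match && $sssl_match } {
                # Client-side & Server-side profiles
                print_ssl_details $vip_name true true true
            } elseif { $cssl_match } {
                # Client-side profile only
                print_ssl_details $vip_name true false true
            } elseif { $sssl_match } {
                # Server-side profile only
                print_ssl_details $vip_name false true true
            } elseif { [lindex [split [tmsh::get_field_value $virtual destination] ":"] 1] eq "https" } {
                # No profiles, but port 443, likely passthrough.
                # NOTE(review): this is a guess based only on the service
                # name "https" in the destination; TLS passthrough on any
                # other port falls through to the branch below, and a
                # destination that does not use ":" before the port is not
                # recognised here -- confirm before relying on the result.
                print_ssl_details $vip_name true true false
            } else {
                # No profiles or known SSL ports, likely unencrypted.
                # Treat this as "needs review", not as proof of cleartext.
                print_ssl_details $vip_name false false true
            }
        }
        puts "-----------------------------------------------"
    }
}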