Check a Virtual Server's SSL Status
Code is community submitted, community supported, and recognized as ‘Use At Your Own Risk’.
Short Description
A question was asked on how you filter which virtuals might have clientside/serversid...
Updated Sep 16, 2022
Version 2.0JRahm
xuwen
Sep 18, 2022Cumulonimbus
The version above cannot check SSL configuration created by AS3, because AS3 places its objects under /Partition/Folder.
In rough testing, the following code also detects configuration inside AS3 folders:
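# Entry point of the tmsh script: reports, for every virtual server in every
# partition and in every folder below a partition (where AS3 places its
# objects), whether a client-ssl and/or a server-ssl profile is attached.
#
# Pass 1 collects the names of all client-ssl and server-ssl profiles into the
# global lists ::cssl_profiles and ::sssl_profiles.
# Pass 2 walks the virtual servers, matches their profiles against those lists
# and hands the result to print_ssl_details, which is defined elsewhere in the
# script.
#
# NOTE(review): the output is a heuristic inventory, not proof of encryption.
# A virtual with no SSL profile is only treated as passthrough when its
# destination port is shown as "https"; TLS passthrough on any other port is
# reported as "likely unencrypted". The presence of a profile also says
# nothing about the protocol versions or ciphers it allows, so follow up on
# the profiles themselves before treating a virtual as adequately protected.
proc script::run {} {
    # Start from empty lists so the lsearch calls in pass 2 never read an
    # unset variable on a system that has no SSL profiles of one kind.
    set ::cssl_profiles [list]
    set ::sssl_profiles [list]
    set partition_list [list]

    # ---- Pass 1: build the lists of client-ssl and server-ssl profiles ----
    foreach partition_config [tmsh::get_config /auth partition] {
        set partition [tmsh::get_name $partition_config]
        lappend partition_list $partition
        tmsh::cd /$partition

        # Virtuals in another partition reference these profiles by full path
        # such as /Common/xxx, so the partition-qualified name is stored next
        # to the bare name; otherwise the exact lsearch in pass 2 would miss.
        foreach cssl_profile [tmsh::get_config /ltm profile client-ssl] {
            set cssl_name [tmsh::get_name $cssl_profile]
            lappend ::cssl_profiles $cssl_name
            lappend ::cssl_profiles "/${partition}/${cssl_name}"
        }
        foreach sssl_profile [tmsh::get_config /ltm profile server-ssl] {
            set sssl_name [tmsh::get_name $sssl_profile]
            lappend ::sssl_profiles $sssl_name
            lappend ::sssl_profiles "/${partition}/${sssl_name}"
        }

        # Profiles inside folders of this partition.
        # NOTE(review): assumes /sys folder, read from inside the partition,
        # lists only folders that exist below it - confirm on a test unit.
        foreach partition_folder_config [tmsh::get_config /sys folder] {
            set partition_folder_name [tmsh::get_name $partition_folder_config]
            tmsh::cd /${partition}/${partition_folder_name}
            foreach folder_cssl_profile [tmsh::get_config /ltm profile client-ssl] {
                lappend ::cssl_profiles "/${partition}/${partition_folder_name}/[tmsh::get_name $folder_cssl_profile]"
            }
            foreach folder_sssl_profile [tmsh::get_config /ltm profile server-ssl] {
                # Fixed: the original read $sssl_profile (the loop variable of
                # the partition-level loop) here, so the folder's own
                # server-ssl profiles were never recorded and their virtuals
                # could be reported without server-side SSL.
                lappend ::sssl_profiles "/${partition}/${partition_folder_name}/[tmsh::get_name $folder_sssl_profile]"
            }
        }
    }

    # ---- Pass 2: classify every virtual server ----
    foreach partition_name $partition_list {
        puts "Partition: $partition_name"
        tmsh::cd /${partition_name}

        # Virtual servers directly in the partition.
        foreach virtual [tmsh::get_config /ltm virtual] {
            set vip_name [tmsh::get_name $virtual]
            set has_cssl 0
            set has_sssl 0
            foreach profile [tmsh::get_field_value $virtual profiles] {
                # Qualify relative names with the current partition so that a
                # profile of the same name in another partition cannot
                # produce a false match.
                set raw_name [tmsh::get_name $profile]
                if { [string first "/" $raw_name] == 0 } {
                    set profile_name $raw_name
                } else {
                    set profile_name "/${partition_name}/${raw_name}"
                }
                if { [lsearch -exact $::cssl_profiles $profile_name] != -1 } {
                    set has_cssl 1
                }
                if { [lsearch -exact $::sssl_profiles $profile_name] != -1 } {
                    set has_sssl 1
                }
            }
            # NOTE(review): the meaning of the last print_ssl_details argument
            # is not visible here; it is false only in the passthrough guess.
            if { $has_cssl && $has_sssl } {
                # Client-side and server-side profiles
                print_ssl_details $vip_name true true true
            } elseif { $has_cssl } {
                # Client-side profile only
                print_ssl_details $vip_name true false true
            } elseif { $has_sssl } {
                # Server-side profile only
                print_ssl_details $vip_name false true true
            } elseif { [lindex [split [tmsh::get_field_value $virtual destination] ":"] 1] eq "https" } {
                # No profiles, but port 443, likely passthrough
                print_ssl_details $vip_name true true false
            } else {
                # No profiles or known SSL ports, likely unencrypted
                print_ssl_details $vip_name false false true
            }
        }

        # Virtual servers inside folders of the partition.
        foreach partition_folder_config [tmsh::get_config /sys folder] {
            set current_partition_folder_name [tmsh::get_name $partition_folder_config]
            puts "Partition Folder: /${partition_name}/${current_partition_folder_name}"
            tmsh::cd /${partition_name}/${current_partition_folder_name}
            foreach folder_virtual [tmsh::get_config /ltm virtual] {
                set folder_vip_name [tmsh::get_name $folder_virtual]
                set has_cssl 0
                set has_sssl 0
                foreach folder_profile [tmsh::get_field_value $folder_virtual profiles] {
                    # Relative names are resolved against the folder itself.
                    set raw_name [tmsh::get_name $folder_profile]
                    if { [string first "/" $raw_name] == 0 } {
                        set folder_profile_name $raw_name
                    } else {
                        set folder_profile_name "/${partition_name}/${current_partition_folder_name}/${raw_name}"
                    }
                    if { [lsearch -exact $::cssl_profiles $folder_profile_name] != -1 } {
                        set has_cssl 1
                    }
                    if { [lsearch -exact $::sssl_profiles $folder_profile_name] != -1 } {
                        set has_sssl 1
                    }
                }
                if { $has_cssl && $has_sssl } {
                    # Client-side and server-side profiles
                    print_ssl_details $folder_vip_name true true true
                } elseif { $has_cssl } {
                    # Client-side profile only
                    print_ssl_details $folder_vip_name true false true
                } elseif { $has_sssl } {
                    # Server-side profile only
                    print_ssl_details $folder_vip_name false true true
                } elseif { [lindex [split [tmsh::get_field_value $folder_virtual destination] ":"] 1] eq "https" } {
                    # No profiles, but port 443, likely passthrough
                    print_ssl_details $folder_vip_name true true false
                } else {
                    # No profiles or known SSL ports, likely unencrypted
                    print_ssl_details $folder_vip_name false false true
                }
            }
        }
        puts "-----------------------------------------------"
    }
}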