Check a Virtual Server's SSL Status

Code is community submitted, community supported, and recognized as ‘Use At Your Own Risk’.

Short Description

A question was asked on how you filter which virtuals might have clientside/serverside profiles, or ssl without profiles as passthrough. There is nothing in the virtual object that can tell you that unless you know your naming schema and known ssl ports. But if you know all the profiles that exist, and check which are applied to your virtuals, you can discern that information. This tmsh script attempts to make sense of those details.

How to use this Code Snippet

Merge the cli script into the BIG-IP configuration, then usage is:

tmsh run cli script vip_ssl_check.tcl

Results are printed like so:

 

[root@ltm3:Active:Standalone] config # tmsh run cli script testtype.tcl

Virtual: ext_nerdknobs.tech_80
	Client-side encrypted: false
	Server-side encrypted: false
	Inspection possible: true

Virtual: ext_nerdknobs.tech_443
	Client-side encrypted: true
	Server-side encrypted: true
	Inspection possible: true

Virtual: h2test
	Client-side encrypted: true
	Server-side encrypted: false
	Inspection possible: true

Virtual: viptest1
	Client-side encrypted: false
	Server-side encrypted: true
	Inspection possible: true
	
Virtual: virtual_name3
	Client-side encrypted: true
	Server-side encrypted: true
	Inspection possible: false

 

Future work could be to fold this logic into the config search tool for specific virtuals/ports, etc.

Code Snippet Meta Information

  1. Version: 0.1
  2. Coding Language: Tcl 8.4

Full Code Snippet

vip_ssl_check.tcl (Gist on GitHub)

Updated Sep 16, 2022
Version 2.0
devops

Was this article helpful?

4 Comments

Sort By
  • xuwen's avatar
    xuwen
    Icon for Cumulonimbus rankCumulonimbus
    Sep 18, 2022

    The above version cannot check the SSL issued by AS3 because it is configured under /Partition/Folder
    The rough test of the following code can detect the configuration below AS3 Folder

    proc script::run {} {
    # Build a list of Client SSL Profiles
    foreach partition_config [tmsh::get_config /auth partition] {
        # set partition "[lindex [split $all_partitions " "] 2]"
        set partition "[tmsh::get_name ${partition_config}]"
        lappend partition_list $partition
        tmsh::cd /$partition
        foreach cssl_profile [tmsh::get_config /ltm profile client-ssl] {
            lappend ::cssl_profiles "[tmsh::get_name $cssl_profile]"
            # some partition virtual use Common partition clientside-ssl, 
            # list current partition config ltm virtual ssl profile name format is /Common/xxx
            # so we need to add partition name to ssl profile name, 
            # prevent lsearch -exact $::cssl_profiles $profile_name failed
            lappend ::cssl_profiles "/${partition}/[tmsh::get_name $cssl_profile]"
        }
        
        # Build a list of Server SSL Profiles
        foreach sssl_profile [tmsh::get_config /ltm profile server-ssl] {
            lappend ::sssl_profiles "[tmsh::get_name $sssl_profile]"
            lappend ::sssl_profiles "/${partition}/[tmsh::get_name $sssl_profile]"
        }
        foreach partition_folder_config [tmsh::get_config /sys folder] {
            set partition_folder_name [tmsh::get_name $partition_folder_config]
            tmsh::cd /${partition}/${partition_folder_name}
            foreach folder_cssl_profile [tmsh::get_config /ltm profile client-ssl] {
                # lappend ::cssl_profiles "[tmsh::get_name $folder_cssl_profile]"
                lappend ::cssl_profiles "/${partition}/${partition_folder_name}/[tmsh::get_name $folder_cssl_profile]"
            }
            foreach folder_sssl_profile [tmsh::get_config /ltm profile server-ssl] {
                # lappend ::sssl_profiles "[tmsh::get_name $folder_sssl_profile]"
                lappend ::sssl_profiles "/${partition}/${partition_folder_name}/[tmsh::get_name $sssl_profile]"
            }
        }
    }
    foreach partition_name ${partition_list} {
        puts "Partition: $partition_name"
        tmsh::cd /${partition_name}
        # Iterate through Virtual Servers
        
        foreach virtual [tmsh::get_config /ltm virtual] {
            set vip_name [tmsh::get_name $virtual]
            foreach profile [tmsh::get_field_value $virtual profiles] {
                # prevent some partition use the same name ssl profile name in other partition 
                # cause lsearch -exact $::cssl_profiles $profile_name incorrect result
                if { [string first "/" [tmsh::get_name $profile]] == 0 } {
                    set profile_name [tmsh::get_name $profile]
                } else {
                    set profile_name "/${partition_name}/[tmsh::get_name $profile]"
                }
                if { [lsearch -exact $::cssl_profiles $profile_name] != -1 } {
                    set cssl_match 1
                }
                if { [lsearch -exact $::sssl_profiles $profile_name] != -1 } {
                    set sssl_match 1
                }
            }
            if { [info exists cssl_match] && [info exists sssl_match] } {
                # Client-side & Server-side profiles
                print_ssl_details $vip_name true true true
                unset cssl_match
                unset sssl_match
            } elseif { [info exists cssl_match] } {
                # Client-side profile only
                print_ssl_details $vip_name true false true
                unset cssl_match
            } elseif { [info exists sssl_match] } {
                # Server-side profile only
                print_ssl_details $vip_name false true true
                unset sssl_match
            } elseif { [lindex [split [tmsh::get_field_value $virtual destination] ":"] 1] eq "https" } {
                # No profiles, but port 443, likely passthrough
                print_ssl_details $vip_name true true false
            } else {
                # No profiles or known SSL ports, likely unencrypted
                print_ssl_details $vip_name false false true
            }
        }
        foreach partition_folder_config [tmsh::get_config /sys folder] {
            set current_partition_folder_name [tmsh::get_name $partition_folder_config]
            puts "Partition Folder: /${partition_name}/${current_partition_folder_name}"
            tmsh::cd /${partition_name}/${current_partition_folder_name}
            foreach folder_virtual [tmsh::get_config /ltm virtual] {
                set folder_vip_name [tmsh::get_name $folder_virtual]
                foreach folder_profile [tmsh::get_field_value $folder_virtual profiles] {
                    if { [string first "/" [tmsh::get_name $folder_profile]] == 0 } {
                        set folder_profile_name [tmsh::get_name $folder_profile]
                    } else {
                        set folder_profile_name "/${partition_name}/${current_partition_folder_name}/[tmsh::get_name $folder_profile]"
                    }
                    if { [lsearch -exact $::cssl_profiles $folder_profile_name] != -1 } {
                        set cssl_match 1
                    }
                    if { [lsearch -exact $::sssl_profiles $folder_profile_name] != -1 } {
                        set sssl_match 1
                    }
                }
                if { [info exists cssl_match] && [info exists sssl_match] } {
                    # Client-side & Server-side profiles
                    print_ssl_details $folder_vip_name true true true
                    unset cssl_match
                    unset sssl_match
                } elseif { [info exists cssl_match] } {
                    # Client-side profile only
                    print_ssl_details $folder_vip_name true false true
                    unset cssl_match
                } elseif { [info exists sssl_match] } {
                    # Server-side profile only
                    print_ssl_details $folder_vip_name false true true
                    unset sssl_match
                } elseif { [lindex [split [tmsh::get_field_value $folder_virtual destination] ":"] 1] eq "https" } {
                    # No profiles, but port 443, likely passthrough
                    print_ssl_details $folder_vip_name true true false
                } else {
                    # No profiles or known SSL ports, likely unencrypted
                    print_ssl_details $folder_vip_name false false true
                }
            }
        }
        puts "-----------------------------------------------"
    }     
}

     

  • xuwen's avatar
    xuwen
    Icon for Cumulonimbus rankCumulonimbus
    Sep 17, 2022

    It seems that check only work on the configuration of the Common partition. I added a few lines of code to script::run to detect the configuration of all partitions.

    i want to know where is the cli script filestore? i cat bigip.conf not find cli script

     

    proc script::run {} {
    # Build a list of Client SSL Profiles
    foreach partition_config [tmsh::get_config /auth partition] {
        # set partition "[lindex [split $all_partitions " "] 2]"
        set partition "[tmsh::get_name ${partition_config}]"
        lappend partition_list $partition
        foreach cssl_profile [tmsh::get_config /ltm profile client-ssl] {
            lappend ::cssl_profiles "[tmsh::get_name $cssl_profile]"
            # some partion virtual use Common partition clientside-ssl, 
            # list current partition config ltm virtual ssl profile name format is /Common/xxx
            # so we need to add partion name to ssl profile name, 
            # prevent lsearch -exact $::cssl_profiles $profile_name failed
            lappend ::cssl_profiles "/${partition}/[tmsh::get_name $cssl_profile]"
        }
        # Build a list of Server SSL Profiles
        foreach sssl_profile [tmsh::get_config /ltm profile server-ssl] {
            lappend ::sssl_profiles "[tmsh::get_name $sssl_profile]"
            lappend ::sssl_profiles "/${partition}/[tmsh::get_name $sssl_profile]"
        }
    }
    foreach partition_name ${partition_list} {
        puts "Partition: $partition_name"
        tmsh::cd /${partition_name}
        # Iterate through Virtual Servers
        foreach virtual [tmsh::get_config /ltm virtual] {
            set vip_name [tmsh::get_name $virtual]
            foreach profile [tmsh::get_field_value $virtual profiles] {
                # prevent some partition use the same name ssl profile name in other partition 
                # cause lsearch -exact $::cssl_profiles $profile_name incorrect result
                if { [string first "/" [tmsh::get_name $profile]] == 0 } {
                    set profile_name [tmsh::get_name $profile]
                } else {
                    set profile_name "/${partition_name}/[tmsh::get_name $profile]"
                }
                if { [lsearch -exact $::cssl_profiles $profile_name] != -1 } {
                    set cssl_match 1
                }
                if { [lsearch -exact $::sssl_profiles $profile_name] != -1 } {
                    set sssl_match 1
                }
            }
            if { [info exists cssl_match] && [info exists sssl_match] } {
                # Client-side & Server-side profiles
                print_ssl_details $vip_name true true true
                unset cssl_match
                unset sssl_match
            } elseif { [info exists cssl_match] } {
                # Client-side profile only
                print_ssl_details $vip_name true false true
                unset cssl_match
            } elseif { [info exists sssl_match] } {
                # Server-side profile only
                print_ssl_details $vip_name false true true
                unset sssl_match
            } elseif { [lindex [split [tmsh::get_field_value $virtual destination] ":"] 1] eq "https" } {
                # No profiles, but port 443, likely passthrough
                print_ssl_details $vip_name true true false
            } else {
                # No profiles or known SSL ports, likely unencrypted
                print_ssl_details $vip_name false false true
            }
        }
        puts "-----------------------------------------------"     
    }  
}

     

     

     

     

     

     

     

  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Sep 19, 2022

    oh...and cli scripts are in the /config/bigip_script.conf file.