adding crl file support

F5Networks · Oct 15, 2024 · 8ad54d7 · 8ad54d7
1 parent d1eabd0
commit 8ad54d7
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 3 deletions.
diff --git a/bigip/resource_bigip_ltm_profile_ssl_client.go b/bigip/resource_bigip_ltm_profile_ssl_client.go
@@ -278,14 +278,18 @@ func resourceBigipLtmProfileClientSsl() *schema.Resource {
 				Computed:    true,
 				Description: "(Advertised Certificate Authorities)Specifies that the CAs that the system advertises to clients is being trusted by the profile. The default is `None`",
 			},
-
 			"crl_file": {
 				Type:        schema.TypeString,
 				Optional:    true,
 				Computed:    true,
 				Description: "Certificate revocation file name",
 			},
-
+			"allow_expired_crl": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Computed:    true,
+				Description: "allow_expired_crl option to be `enabled` / `disabled`.  Default is `disabled`.",
+			},
 			"forward_proxy_bypass_default_action": {
 				Type:        schema.TypeString,
 				Optional:    true,
@@ -653,6 +657,9 @@ func resourceBigipLtmProfileClientSSLRead(ctx context.Context, d *schema.Resourc
 	if _, ok := d.GetOk("crl_file"); ok {
 		_ = d.Set("crl_file", obj.CrlFile)
 	}
+	if _, ok := d.GetOk("allow_expired_crl"); ok {
+		_ = d.Set("allow_expired_crl", obj.AllowExpiredCrl)
+	}
 	if _, ok := d.GetOk("forward_proxy_bypass_default_action"); ok {
 		_ = d.Set("forward_proxy_bypass_default_action", obj.ForwardProxyBypassDefaultAction)
 	}
@@ -891,6 +898,7 @@ func getClientSslConfig(d *schema.ResourceData, config *bigip.ClientSSLProfile)
 	}
 	config.ClientCertCa = d.Get("client_cert_ca").(string)
 	config.CrlFile = d.Get("crl_file").(string)
+	config.AllowExpiredCrl = d.Get("allow_expired_crl").(string)
 	config.ForwardProxyBypassDefaultAction = d.Get("forward_proxy_bypass_default_action").(string)
 	config.GenericAlert = d.Get("generic_alert").(string)
 	config.HandshakeTimeout = d.Get("handshake_timeout").(string)

diff --git a/docs/resources/bigip_ltm_profile_client_ssl.md b/docs/resources/bigip_ltm_profile_client_ssl.md
@@ -55,6 +55,10 @@ Don't insert empty fragments and No TLSv1.3 are listed as Enabled Options. `Usag
 
 * `ca_file` - (Optional) (Trusted Certificate Authorities)Specifies a client CA that the system trusts. The default is `None`.
 
+* `crl_file` - (Optional) Specifies the name of a file containing a list of revoked client certificates. The default is `None`.
+
+* `allow_expired_crl` - (Optional) Instructs the system to use the specified CRL file even if it has expired. The default is `disabled`.
+
 * `client_cert_ca` - (Optional)(Advertised Certificate Authorities)Specifies that the CAs that the system advertises to clients is being trusted by the profile. The default is `None`.
 
 * `renegotiation` - (Optional) Enables or disables SSL renegotiation.When creating a new profile, the setting is provided by the parent profile

diff --git a/vendor/github.com/f5devcentral/go-bigip/ltm.go b/vendor/github.com/f5devcentral/go-bigip/ltm.go