Forum Discussion
kazeem_yusuf1
Nimbostratus
NimbostratusAn Irule for Client Ssl Profile that Allows Unassigned TLS Extension Values (17516)
Hello Community,
I have a requirement to allow enriched https header enrichment. The SSL negotiation (I'm doing ssl termination on F5) fails because the enriched header from client contains res...
Baba_TABOURENimbostratus
NimbostratusHi Kazeemyu1.5586213523653357E12,
Did you have a solution on this request, Im confronted to same issue.
Exactly the same issue while im trying to perform https Client Hello Enrichment.
Regards,
Baba TABOURE
Stan_PIRON_F5Employee
when CLIENTSSL_HANDSHAKE { if { [SSL::extensions exists -type 17516] } then { set tls_extension [SSL::extensions -type 17516] } else { set tls_extension "" } } when SERVERSSL_CLIENTHELLO_SEND { if { $tls_sni_extension ne "" } then { SSL::extensions insert $tls_extension } }this code is a copy of this code with your extension type
https://devcentral.f5.com/s/articles/client-side-to-server-side-sni-relay-irule-967
- Stan_PIRON_F5
You can try this to catch and remove this extension from CLIENT_HELLO packet (not tested)
it will then insert it in server side TLS handshake
when CLIENT_ACCEPTED { set tls_extension_17516 "" SSL::disable TCP::collect } when CLIENT_DATA { # Store TCP Payload up to 2^14 + 5 bytes (Handshake length is up to 2^14) set payload [TCP::payload 16389] set payloadlen [TCP::payload length] # If valid TLS 1.X CLIENT_HELLO handshake packet if { [binary scan $payload cH4ScH6H4x32c tls_record_content_type tls_version tls_recordlen tls_handshake_action tls_handshakelen_hex tls_handshake_version tls_handshake_sessidlen] == 7 && \ ($tls_record_content_type == 22) && \ ([string match {030[1-3]} $tls_version]) && \ ($tls_handshake_action == 1) && \ ($payloadlen == ($tls_recordlen & 0xffff )+5)} { # store in a variable the handshake length #set tls_handshakelen [expr 0x$tls_handshakelen_hex] scan $tls_handshakelen_hex %x tls_handshakelen # store in a variable the handshake version set tls_handshake_prefered_version $tls_handshake_version # skip past the session id set record_offset [expr {44 + ($tls_handshake_sessidlen & 0xff)}] # skip past the cipher list binary scan $payload @${record_offset}S tls_ciphlen set record_offset [expr {$record_offset + 2 + ($tls_ciphlen & 0xffff)}] # skip past the compression list binary scan $payload @${record_offset}c tls_complen set record_offset [expr {$record_offset + 1 + ($tls_complen & 0xffff)}] # check for the existence of ssl extensions if { ($payloadlen > $record_offset) } { # skip to the start of the first extension set tls_extension_length_start $record_offset binary scan $payload @${record_offset}S tls_extension_length set record_offset [expr {$record_offset + 2}] # Check if extension length + offset equals payload length if {$record_offset + ($tls_extension_length & 0xffff) == $payloadlen} { # for each extension while { $record_offset < $payloadlen } { binary scan $payload @${record_offset}SS tls_extension_type tls_extension_record_length set tls_extension_record_length [expr {$tls_extension_record_length & 0xffff}] if { $tls_extension_type == 17516 } { # if it's extension type 17516 binary scan $payload @${record_offset}A[expr {$tls_extension_record_length +4}] tls_extension_17516 set ext_start $record_offset set ext_len [expr {$tls_extension_record_length + 4}] set record_offset [expr {$record_offset + $tls_extension_record_length + 4}] } else { # skip over other extensions set record_offset [expr {$record_offset + $tls_extension_record_length + 4}] } } } } } unset -nocomplain payload payloadlen tls_record_content_type tls_handshake_action tls_handshake_sessidlen record_offset tls_ciphlen tls_complen tls_extension_type tls_extension_record_length tls_supported_versions_length tls_supported_versions if {$tls_extension_17516 ne ""} { # remove extension from Payload TCP::payload replace $ext_start $ext_len "" # Change extension Length TCP::payload replace $tls_extension_length_start 2 [binary format S [expr {($tls_extension_length & 0xffff) - $ext_len}]] # Change Handshake Length TCP::payload replace 6 3 [binary format H6 [format %06X [expr {$tls_handshakelen - $ext_len}]]] # Change Message Length TCP::payload replace 3 2 [binary format S [expr {($tls_recordlen & 0xffff) - $ext_len}]] } SSL::enable TCP::release } when SERVERSSL_CLIENTHELLO_SEND { if { $tls_extension_17516 ne "" } { SSL::extensions insert $tls_extension_17516 } } - Baba_TABOURE
Thanks Stanislas, is this the reason why we have that kind of error sent during TLS Handshake?:
Alert (Level: Fatal, Description: Bad Record Mac).
Our F5 is the first network element we have before getting to the server.
- Stan_PIRON_F5
I remember this.. Can you confirm this is this scenario:
- The client does not insert this extension
- A service between the client and the BigIP add this extension in the CLIENT_HELLO message
- The client reject the BigIP Handshake Message
If this is the scenario, there is no solution as TLS protocol does not support such change.