Forum Discussion
An iRule for Client SSL Profile that Allows Unassigned TLS Extension Values (17516)
Hi Kazeemyu1.5586213523653357E12,
Did you find a solution to this request? I'm confronted with the same issue.
Exactly the same issue, while I'm trying to perform HTTPS Client Hello enrichment.
Regards,
Baba TABOURE
- Stan_PIRON_F5 (Employee), Nov 05, 2019
when CLIENTSSL_HANDSHAKE {
    # Save the client's extension 17516 if it is present
    if { [SSL::extensions exists -type 17516] } then {
        set tls_extension [SSL::extensions -type 17516]
    } else {
        set tls_extension ""
    }
}
when SERVERSSL_CLIENTHELLO_SEND {
    # Relay the saved extension in the server-side ClientHello
    if { $tls_extension ne "" } then {
        SSL::extensions insert $tls_extension
    }
}
This code is a copy of this code, with your extension type:
https://devcentral.f5.com/s/articles/client-side-to-server-side-sni-relay-irule-967
- Baba_TABOURE (Nimbostratus), Nov 05, 2019
Thanks Stanislas, is this the reason why we have that kind of error sent during TLS Handshake?:
Alert (Level: Fatal, Description: Bad Record Mac).
Our F5 is the first network element we have before getting to the server.
- Stan_PIRON_F5 (Employee), Nov 05, 2019
I remember this. Can you confirm that this is the scenario:
- The client does not insert this extension
- A service between the client and the BigIP adds this extension in the CLIENT_HELLO message
- The client rejects the BigIP Handshake Message
If this is the scenario, there is no solution, as the TLS protocol does not support such a change.
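Added example, not part of the original posts: the Finished messages of a TLS 1.2 handshake authenticate a hash over every handshake message, so a ClientHello that gains an extension in transit leaves the two ends with different transcripts. The message layout, the all-zero master secret, the extension payload and the placeholder for the remaining handshake messages are constructed for illustration.

```python
import hashlib, hmac, struct

EXT_TYPE = 17516  # extension type discussed in the thread

def build_client_hello(extensions):
    """Serialize a minimal TLS 1.2 ClientHello handshake message."""
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (b"\x03\x03" + bytes(32)      # version, constructed all-zero random
            + b"\x00"                     # empty session id
            + b"\x00\x02\xc0\x2f"         # one cipher suite
            + b"\x01\x00"                 # null compression only
            + struct.pack("!H", len(ext)) + ext)
    return b"\x01" + len(body).to_bytes(3, "big") + body

def parse_extensions(hello):
    """Return [(type, data)] from a ClientHello handshake message."""
    pos = 4 + 2 + 32                                         # header, version, random
    pos += 1 + hello[pos]                                    # session id
    pos += 2 + int.from_bytes(hello[pos:pos + 2], "big")     # cipher suites
    pos += 1 + hello[pos]                                    # compression methods
    end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
    pos += 2
    out = []
    while pos < end:
        t, n = struct.unpack("!HH", hello[pos:pos + 4])
        out.append((t, hello[pos + 4:pos + 4 + n]))
        pos += 4 + n
    return out

def finished_verify_data(master_secret, label, transcript):
    """TLS 1.2 Finished value: PRF(secret, label, SHA-256(transcript))[:12]."""
    seed = label + hashlib.sha256(transcript).digest()
    out, a = b"", seed
    while len(out) < 12:
        a = hmac.new(master_secret, a, hashlib.sha256).digest()
        out += hmac.new(master_secret, a + seed, hashlib.sha256).digest()
    return out[:12]

def simulate():
    sni = (0, b"\x00\x0e\x00\x00\x0bexample.com")
    sent = build_client_hello([sni])                     # what the client sent
    seen = build_client_hello(                           # after an in-path insertion
        parse_extensions(sent) + [(EXT_TYPE, b"constructed")])
    rest = b"<remaining handshake messages, same on both sides>"
    ms = bytes(48)                                       # constructed master secret
    client = finished_verify_data(ms, b"client finished", sent + rest)
    server = finished_verify_data(ms, b"client finished", seen + rest)
    return parse_extensions(seen), client, server
```

The client and server values returned by simulate() differ, so the Finished check cannot succeed on a handshake whose ClientHello was altered between the two endpoints.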
- Baba_TABOURE (Nimbostratus), Nov 05, 2019
Hereafter the scenario:
- The client does not insert this extension
- The client is a mobile which does not add the extension
- A service between the client and the BigIP adds this extension in the CLIENT_HELLO message
- A service (such as DPI) between the client mobile and the BigIP adds this extension
- The rejection is coming from the floating IP of BigIP (the public IP 196.207.246.112 in the image).
- Alert (Level: Fatal, Description: Bad Record Mac)
PS: The BigIP is supposed to forward all requests coming from the client to the server