Forum Discussion
kazeem_yusuf1
Aug 01, 2018 (Nimbostratus)
An iRule for Client SSL Profile that Allows Unassigned TLS Extension Values (17516)
Hello Community,
I have a requirement to allow enriched HTTPS header enrichment. The SSL negotiation (I'm doing SSL termination on F5) fails because the enriched header from the client contains res...
Stan_PIRON_F5
Employee
when CLIENTSSL_HANDSHAKE {
    # Capture the raw extension (type 17516) from the client-side handshake, if present
    if { [SSL::extensions exists -type 17516] } then {
        set tls_extension [SSL::extensions -type 17516]
    } else {
        set tls_extension ""
    }
}
when SERVERSSL_CLIENTHELLO_SEND {
    # Re-insert the captured extension into the server-side ClientHello
    # (the variable set above is tls_extension, not the SNI relay's tls_sni_extension)
    if { $tls_extension ne "" } then {
        SSL::extensions insert $tls_extension
    }
}
This code is a copy of the code at the link below, with your extension type:
https://devcentral.f5.com/s/articles/client-side-to-server-side-sni-relay-irule-967
Stan_PIRON_F5
Nov 05, 2019 (Employee)
You can try this to catch and remove this extension from the CLIENT_HELLO packet (not tested).
It will then insert it in the server-side TLS handshake.
when CLIENT_ACCEPTED {
    set tls_extension_17516 ""
    # Hold SSL processing until the ClientHello has been inspected and rewritten
    SSL::disable
    TCP::collect
}
when CLIENT_DATA {
    # Store TCP payload up to 2^14 + 5 bytes (handshake length is up to 2^14).
    # A ClientHello split across several TCP segments fails the length check below
    # and is released untouched.
    set payload [TCP::payload 16389]
    set payloadlen [TCP::payload length]
    # If valid TLS 1.X CLIENT_HELLO handshake packet:
    # record type (1) / record version (2) / record length (2) / handshake type (1) /
    # handshake length (3) / handshake version (2) / random (32, skipped) / session id length (1)
    if { [binary scan $payload cH4ScH6H4x32c tls_record_content_type tls_version tls_recordlen tls_handshake_action tls_handshakelen_hex tls_handshake_version tls_handshake_sessidlen] == 7 && \
        ($tls_record_content_type == 22) && \
        ([string match {030[1-3]} $tls_version]) && \
        ($tls_handshake_action == 1) && \
        ($payloadlen == ($tls_recordlen & 0xffff )+5)} {
        # store in a variable the handshake length (3-byte big-endian value read as hex)
        scan $tls_handshakelen_hex %x tls_handshakelen
        # store in a variable the handshake version
        set tls_handshake_preferred_version $tls_handshake_version
        # skip past the session id (44 = 5-byte record header + 4-byte handshake header + 2 + 32 + 1)
        set record_offset [expr {44 + ($tls_handshake_sessidlen & 0xff)}]
        # skip past the cipher list (2-byte length)
        binary scan $payload @${record_offset}S tls_ciphlen
        set record_offset [expr {$record_offset + 2 + ($tls_ciphlen & 0xffff)}]
        # skip past the compression list (1-byte length)
        binary scan $payload @${record_offset}c tls_complen
        set record_offset [expr {$record_offset + 1 + ($tls_complen & 0xff)}]
        # check for the existence of ssl extensions
        if { ($payloadlen > $record_offset) } {
            # remember where the 2-byte extensions length lives so it can be rewritten later
            set tls_extension_length_start $record_offset
            binary scan $payload @${record_offset}S tls_extension_length
            set record_offset [expr {$record_offset + 2}]
            # Check if extension length + offset equals payload length
            if {$record_offset + ($tls_extension_length & 0xffff) == $payloadlen} {
                # for each extension: 2-byte type, 2-byte length, data
                while { $record_offset < $payloadlen } {
                    binary scan $payload @${record_offset}SS tls_extension_type tls_extension_record_length
                    set tls_extension_type [expr {$tls_extension_type & 0xffff}]
                    set tls_extension_record_length [expr {$tls_extension_record_length & 0xffff}]
                    if { $tls_extension_type == 17516 } {
                        # extension type 17516: keep the whole extension (4-byte header + data).
                        # 'a' keeps the raw bytes; 'A' would strip trailing nulls and spaces.
                        binary scan $payload @${record_offset}a[expr {$tls_extension_record_length + 4}] tls_extension_17516
                        set ext_start $record_offset
                        set ext_len [expr {$tls_extension_record_length + 4}]
                        set record_offset [expr {$record_offset + $tls_extension_record_length + 4}]
                    } else {
                        # skip over other extensions
                        set record_offset [expr {$record_offset + $tls_extension_record_length + 4}]
                    }
                }
            }
        }
    }
    unset -nocomplain payload payloadlen tls_record_content_type tls_handshake_action tls_handshake_sessidlen record_offset tls_ciphlen tls_complen tls_extension_type tls_extension_record_length
    if {$tls_extension_17516 ne ""} {
        # remove extension from Payload
        TCP::payload replace $ext_start $ext_len ""
        # Change extension Length (the three length fields all sit before ext_start,
        # so their offsets are unchanged by the removal)
        TCP::payload replace $tls_extension_length_start 2 [binary format S [expr {($tls_extension_length & 0xffff) - $ext_len}]]
        # Change Handshake Length (3 bytes at offset 6)
        TCP::payload replace 6 3 [binary format H6 [format %06X [expr {$tls_handshakelen - $ext_len}]]]
        # Change Message Length (2-byte record length at offset 3)
        TCP::payload replace 3 2 [binary format S [expr {($tls_recordlen & 0xffff) - $ext_len}]]
    }
    SSL::enable
    TCP::release
}
when SERVERSSL_CLIENTHELLO_SEND {
    # Re-insert the raw extension (type + length + data) into the server-side ClientHello
    if { $tls_extension_17516 ne "" } {
        SSL::extensions insert $tls_extension_17516
    }
}
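The ClientHello walk and length fix-up that the iRule above performs, written out as an added Python example (this is not part of Stan's post and does not use F5's iRule API): it builds a constructed ClientHello, locates extension 17516 by the same offsets the iRule uses, removes it, repairs the record, handshake and extensions-length fields, and re-parses the result to confirm the record is still well formed. The `build_client_hello` helper, the fixed random bytes and the sample extension values are all constructed for this example; the parser also rejects the split-segment and trailing-data cases that the iRule's length check releases untouched.

```python
import struct

# The unassigned extension type discussed in the thread
EXT_TYPE_CUSTOM = 17516


def _u8(buf, off):
    if off >= len(buf):
        raise ValueError("byte at offset %d runs past end of record" % off)
    return buf[off]


def _u16(buf, off):
    if off + 2 > len(buf):
        raise ValueError("field at offset %d runs past end of record" % off)
    return struct.unpack("!H", buf[off:off + 2])[0]


def build_client_hello(extensions):
    """Build a minimal TLS 1.2 ClientHello record (constructed sample input,
    not captured traffic). `extensions` is a list of (type, data) pairs."""
    random_bytes = bytes(range(32))           # fixed "random" for reproducibility
    session_id = b""
    cipher_suites = b"\xc0\x2f\xc0\x30\x00\x9c"
    compression = b"\x00"
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (b"\x03\x03" + random_bytes
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + bytes([len(compression)]) + compression
            + struct.pack("!H", len(ext_body)) + ext_body)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(payload):
    """Walk a ClientHello record with the same offsets the iRule uses and return
    the lengths/offsets needed to rewrite it. Raises ValueError unless the payload
    is exactly one complete TLS 1.x ClientHello record."""
    if len(payload) < 44:
        raise ValueError("payload shorter than a ClientHello header")
    content_type, major, minor, record_len, hs_type = struct.unpack("!BBBHB", payload[:6])
    hs_len = int.from_bytes(payload[6:9], "big")          # 3-byte handshake length
    if content_type != 22 or major != 3 or not 1 <= minor <= 3 or hs_type != 1:
        raise ValueError("not a TLS 1.x ClientHello record")
    if len(payload) != record_len + 5:                    # iRule: payloadlen == recordlen + 5
        raise ValueError("record incomplete or followed by extra data")
    if hs_len != record_len - 4:
        raise ValueError("handshake length does not match record length")
    off = 44 + payload[43]                                # skip session id
    off += 2 + _u16(payload, off)                         # skip cipher suites
    off += 1 + _u8(payload, off)                          # skip compression methods
    ext_len_start, ext_len, extensions = off, 0, []
    if off < len(payload):
        ext_len = _u16(payload, off)
        off += 2
        if off + ext_len != len(payload):
            raise ValueError("extensions length does not match record length")
        while off < len(payload):
            etype, elen = _u16(payload, off), _u16(payload, off + 2)
            if off + 4 + elen > len(payload):
                raise ValueError("extension overruns record")
            # (type, start offset, total length incl. 4-byte header, raw bytes)
            extensions.append((etype, off, elen + 4, payload[off:off + 4 + elen]))
            off += 4 + elen
    return {"record_len": record_len, "hs_len": hs_len, "ext_len_start": ext_len_start,
            "ext_len": ext_len, "extensions": extensions}


def is_complete_client_hello(payload):
    try:
        parse_client_hello(payload)
        return True
    except ValueError:
        return False


def strip_extension(payload, ext_type):
    """Remove the first extension of `ext_type` and fix the three enclosing lengths.
    Returns (rewritten payload, raw extension bytes), or (payload, None) if absent.
    The raw bytes are what the iRule later hands to SSL::extensions insert."""
    info = parse_client_hello(payload)
    hits = [e for e in info["extensions"] if e[0] == ext_type]
    if not hits:
        return payload, None
    _, start, total, raw = hits[0]
    out = bytearray(payload)
    del out[start:start + total]
    # All three length fields sit before `start`, so their offsets are unchanged
    s = info["ext_len_start"]
    out[s:s + 2] = struct.pack("!H", info["ext_len"] - total)
    out[6:9] = (info["hs_len"] - total).to_bytes(3, "big")
    out[3:5] = struct.pack("!H", info["record_len"] - total)
    return bytes(out), raw


if __name__ == "__main__":
    hello = build_client_hello([(0, b"\x00\x0e\x00\x00\x0bexample.com"),   # SNI, constructed
                                (EXT_TYPE_CUSTOM, b"hello"),
                                (13, b"\x00\x02\x04\x01")])                # signature_algorithms
    rewritten, ext = strip_extension(hello, EXT_TYPE_CUSTOM)
    print("removed:", ext.hex(), "remaining types:",
          [e[0] for e in parse_client_hello(rewritten)["extensions"]])
```

The three rewrites at offsets 3, 6 and `ext_len_start` mirror the three `TCP::payload replace` calls in the iRule; re-parsing the rewritten record is the check worth keeping in any test, since a ClientHello with inconsistent lengths is simply dropped by the server and the failure shows up only as a handshake timeout.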