Forum Discussion

Nimbostratus

Aug 01, 2018

An Irule for Client Ssl Profile that Allows Unassigned TLS Extension Values (17516)

Hello Community, I have a requirement to allow enriched https header enrichment. The SSL negotiation (I'm doing ssl termination on F5) fails because the enriched header from client contains res...

Nimbostratus

Nov 05, 2019

Hum ok....DO you have a summary of what you have propose and the purpose please in order to understand

Stan_PIRON_F5
Employee
Nov 05, 2019
The goal of this code is:
disable SSL profile on client side to disable TLS inspection before the code ends
binary search the expected extension
save in variable tls_extension_17516 the content of extension type 17516
save in variable ext_start the index of beginning of extension 17516
save in variable ext_len the extension 17516 length
replace in payload the extension with no value (from ext_start with length ext_len)

missing in the code :
change extension length to new value
change handshake length to new value

I will update the code with missing commands later.
- Stan_PIRON_F5
  Employee
  Nov 05, 2019
  I just updated the code above.
  
  Can you try it and update this thread?
- Baba_TABOURE
  Nimbostratus
  Nov 07, 2019
  Hi Stanislas,
  
  Our IT team try to implement your script, this is what we got in BIGIP outgoing packet (extracted for wireshark) regarding what is in the tls_extension_17516 variable:
  
  Dl\300\200\v\001\300\200\b\300\200\300\200\300\2003\302\242\302\231^\302\235\r\n\r\n
  
  This what we have before the BIGIP (in hexa from wireshark)
  Data: 010008000000 33a2995e9d (in bold the value which is inserted i.e 221771292317 in decimal)
- Baba_TABOURE
  Nimbostratus
  Nov 07, 2019
  The TLS session succeed now but the problem is to fetch the data value in the extension and sent it to a proper format (hexa, decimal ou string) to the server.