Forum Discussion
An Irule for Client Ssl Profile that Allows Unassigned TLS Extension Values (17516)
Hum ok....DO you have a summary of what you have propose and the purpose please in order to understand
The goal of this code is:
- disable SSL profile on client side to disable TLS inspection before the code ends
- binary search the expected extension
- save in variable tls_extension_17516 the content of extension type 17516
- save in variable ext_start the index of beginning of extension 17516
- save in variable ext_len the extension 17516 length
- replace in payload the extension with no value (from ext_start with length ext_len)
missing in the code :
- change extension length to new value
- change handshake length to new value
I will update the code with missing commands later.
- Stan_PIRON_F5Nov 05, 2019
Employee
I just updated the code above.
Can you try it and update this thread?
- Baba_TABOURENov 07, 2019
Nimbostratus
Hi Stanislas,
Our IT team try to implement your script, this is what we got in BIGIP outgoing packet (extracted for wireshark) regarding what is in the tls_extension_17516 variable:
Dl\300\200\v\001\300\200\b\300\200\300\200\300\2003\302\242\302\231^\302\235\r\n\r\n
This what we have before the BIGIP (in hexa from wireshark)
Data: 010008000000 33a2995e9d (in bold the value which is inserted i.e 221771292317 in decimal)
- Baba_TABOURENov 07, 2019
Nimbostratus
The TLS session succeed now but the problem is to fetch the data value in the extension and sent it to a proper format (hexa, decimal ou string) to the server.
- Baba_TABOUREMar 19, 2025
Nimbostratus
Hi Stan,
Its been 6 years the problem is solved. We have a handshake failure for the key exchange.
but now we have a new issue. Something changed in the client side but the server need to adapt
- Kazeem_YusufJul 14, 2026
Nimbostratus
Your code is great. i would like to ask though. In cases where some packet gateway equipment uses legacy systems, and has a challenge with fragmenting tls headers, such that, there is inconsistency in inserting extension header 17516. how can F5 be used to catch and stop the fragmentation. For example. An explanation for how it works goes thus. "The Packet Core Gateway (specifically the PGW / EPG running on the SSR or newer Cloud Packet Core platforms) handles traffic using highly optimized ASICs and software worker pipelines. Understanding how the EPG processes TLS extensions helps optimize your F5 configuration.1. How the Ericsson EPG Handles Extension 17516.When the Ericsson EPG is configured for Heuristic TLS Enrichment, its Deep Packet Inspection (DPI) engine scans incoming TCP payloads on port 443.The Insertion Process: The EPG searches for the TLS ClientHello record header. It calculates the extension array offsets, dynamically shifts the remaining TLS bytes downstream, and injects Extension 17516 (which, as you verified in your packet capture, contains 4 bytes of TLS headers and 16 bytes of data).The Fragmentation Threshold: EPG platforms enforce strict MTU boundaries. If a subscriber's initial ClientHello packet is already 1,445 bytes, adding the 20-byte extension pushes it to 1,465 bytes. The EPG's internal network stack will instantly transmit the first 1,460 bytes and create a second TCP fragment for the remaining 5 bytes."
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com