Forum Discussion
An iRule for Client SSL Profile that Allows Unassigned TLS Extension Values (17516)
The goal of this code is:
- disable SSL profile on client side to disable TLS inspection before the code ends
- binary search the expected extension
- save in variable tls_extension_17516 the content of extension type 17516
- save in variable ext_start the index of beginning of extension 17516
- save in variable ext_len the extension 17516 length
- replace in payload the extension with no value (from ext_start with length ext_len)
Missing in the code:
- change extension length to new value
- change handshake length to new value
I will update the code with missing commands later.
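The two length fix-ups listed as missing above, shown as an added Python sketch (not part of the original post and not the poster's iRule). `strip_extension` and `build_sample` are hypothetical names, the ClientHello is constructed for illustration with the 11 hex bytes quoted in the reply below as the extension body, and the code assumes the whole ClientHello sits in one TLS record, so it also adjusts the record length.

```python
import struct

EXT_TYPE = 17516  # extension type named in the post

def strip_extension(record, ext_type=EXT_TYPE):
    """Return (new_record, removed_body); removed_body is None if absent."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            raise ValueError("not a handshake record holding a ClientHello")
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs_len = int.from_bytes(record[6:9], "big")
        if rec_len != hs_len + 4 or len(record) != rec_len + 5:
            raise ValueError("fragmented or truncated ClientHello")
        pos = 9 + 2 + 32                                        # version, random
        pos += 1 + record[pos]                                  # session_id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + record[pos]                                  # compression
        if pos == len(record):
            return record, None                                 # no extensions
        exts_at = pos
        exts_len = struct.unpack("!H", record[pos:pos + 2])[0]
        pos, end = pos + 2, pos + 2 + exts_len
        if end != len(record):
            raise ValueError("extensions length does not match record")
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", record[pos:pos + 4])
            if pos + 4 + elen > end:
                raise ValueError("extension overruns extensions block")
            if etype == ext_type:
                cut = 4 + elen                        # type + length + body
                out = bytearray(record[:pos] + record[pos + cut:])
                out[3:5] = struct.pack("!H", rec_len - cut)      # record length
                out[6:9] = (hs_len - cut).to_bytes(3, "big")     # handshake length
                out[exts_at:exts_at + 2] = struct.pack("!H", exts_len - cut)
                return bytes(out), record[pos + 4:pos + cut]
            pos += 4 + elen
        return record, None
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None

def build_sample(body=bytes.fromhex("01000800000033a2995e9d")):
    """Constructed single-record ClientHello carrying extension 17516."""
    ext = lambda t, d: struct.pack("!HH", t, len(d)) + d
    exts = ext(23, b"") + ext(EXT_TYPE, body) + ext(65281, b"\x00")
    hello = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01"
             + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

All three length fields shrink by the same amount: the 4-byte extension header plus the extension body.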
Hi Stanislas,
Our IT team tried to implement your script; this is what we got in the BIG-IP outgoing packet (extracted from Wireshark) regarding what is in the tls_extension_17516 variable:
Dl\300\200\v\001\300\200\b\300\200\300\200\300\2003\302\242\302\231^\302\235\r\n\r\n
This is what we have before the BIG-IP (in hex from Wireshark):
Data: 010008000000 33a2995e9d (in bold the value which is inserted, i.e. 221771292317 in decimal)