An iRule for Client SSL Profile that Allows Unassigned TLS Extension Values (17516)
when CLIENTSSL_HANDSHAKE {
    # Save the client's extension 17516 if it was sent, else an empty string
    if { [SSL::extensions exists -type 17516] } then {
        set tls_extension [SSL::extensions -type 17516]
    } else {
        set tls_extension ""
    }
}
when SERVERSSL_CLIENTHELLO_SEND {
    # Relay the saved extension in the server-side ClientHello
    if { $tls_extension ne "" } then {
        SSL::extensions insert $tls_extension
    }
}
This code is a copy of this code with your extension type:
https://devcentral.f5.com/s/articles/client-side-to-server-side-sni-relay-irule-967
According to your variable, you must have this:
$ tclsh
% set var Dl\300\200\v\001\300\200\b\300\200\300\200\300\2003\302\242\302\231^\302\235\r\n\r\n
% binary scan $var SSa* type length data
3
% echo $type
17516
% echo $length
-16256
% expr {$length & 0xffff}
49280
% binary scan $data H* data_hex
1
% echo $data_hex
0b01c08008c080c080c08033c2a2c2995ec29d0d0a0d0a
% string length $data
23
There is an issue with the length, which must not be negative. This is because the binary command returns signed integers.
I will upload a new version of the code above to convert signed to unsigned integer.
Can you confirm the length value, which may be wrong? (A negative number means more than 32768, but the whole TLS handshake must not be larger than 16389.)
Can you do a Wireshark capture on BigIP client side?
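The signed-to-unsigned conversion and a declared-versus-actual length check for the extension discussed above, as an added example that is not part of the original posts. The proc name `parse_tls_extension` and the second sample value are assumptions made for illustration; the code masks with `0xffff` instead of using the `u` modifier of `binary scan`, which Tcl 8.4 does not have.

```tcl
# Added example, not from the thread. Uses only Tcl 8.4 features.
# Parse one TLS extension: 2-byte type, 2-byte length, then the payload.
# Returns a list: type length actual_length status payload_hex
proc parse_tls_extension {raw} {
    # The 4-byte header must be present before anything can be read.
    if {[string length $raw] < 4} {
        return [list -1 -1 0 "truncated header" ""]
    }
    set data ""
    # "S" reads a signed big-endian 16-bit integer.
    binary scan $raw SSa* type length data
    # Mask to 16 bits so values of 0x8000 and above are not negative.
    set type   [expr {$type & 0xffff}]
    set length [expr {$length & 0xffff}]
    set actual [string length $data]
    if {$length == $actual} {
        set status "ok"
    } elseif {$length > $actual} {
        set status "declared length exceeds available bytes"
    } else {
        # Keep only the declared payload; report the extra bytes.
        set status "trailing bytes after payload"
        set data [string range $data 0 [expr {$length - 1}]]
    }
    set hex ""
    binary scan $data H* hex
    return [list $type $length $actual $status $hex]
}

# Value taken from the tclsh session in the post above.
set from_post "Dl\300\200\v\001\300\200\b\300\200\300\200\300\2003\302\242\302\231^\302\235\r\n\r\n"
# Constructed sample: type 17516, declared length 3, 3 payload bytes.
set constructed [binary format SSa* 17516 3 "\x01\x02\x03"]

foreach {label raw} [list post $from_post constructed $constructed] {
    foreach {type length actual status hex} [parse_tls_extension $raw] break
    puts "$label: type=$type length=$length actual=$actual status=\"$status\" data=$hex"
}
```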