Forum Discussion
Ryan_34424
Altostratus
Jun 05, 2017
APM :: Portal Access Lists :: SNI & HTTP
I'm trying to create a Portal Access List with a few web resources, and one of the links does not work because it is an Apache server that is validating that the SNI and HTTP hostname match. The prob...
Stanislas_Piro2
Cumulonimbus
Jun 05, 2017
Use this iRule

when ACCESS_ACL_ALLOWED {
    # Set the SNI value (e.g. HTTP::host)
    set sni_value [getfield [HTTP::host] ":" 1]
}
when SERVERSSL_CLIENTHELLO_SEND {
    # SNI extension record as defined in RFC 3546/3.1
    #
    # - TLS Extension Type       = int16( 0 = SNI )
    # - TLS Extension Length     = int16( $sni_length + 5 byte )
    # - SNI Record Length        = int16( $sni_length + 3 byte )
    # - SNI Record Type          = int8( 0 = HOST )
    # - SNI Record Value Length  = int16( $sni_length )
    # - SNI Record Value         = str( $sni_value )
    #
    # Calculate the length of the SNI value, compute the SNI Record / TLS extension fields and add the result to the SERVERSSL_CLIENTHELLO
    SSL::extensions insert [binary format SSScSa* 0 [expr { [set sni_length [string length $sni_value]] + 5 }] [expr { $sni_length + 3 }] 0 $sni_length $sni_value]
}

This is the Kai Wilke code with host name from rewritten hostname instead of portal hostname.
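The record layout listed in the iRule comments above, as an added Python example (not part of the original post and not F5 code): it packs the same fields in the same order, parses them back while checking each length field, and compares the SNI name with the HTTP Host header. The function names, the sample hostnames and the case-insensitive comparison are assumptions made for illustration.

```python
import struct

def build_sni_extension(host_header: str) -> bytes:
    """Pack a server_name extension the way the iRule's `binary format SSScSa*` does."""
    # Same port stripping as `getfield [HTTP::host] ":" 1`; like getfield,
    # this does not handle bracketed IPv6 literals such as "[::1]:443".
    name = host_header.split(":", 1)[0].encode("ascii")
    n = len(name)
    # ext type (0 = SNI), ext length, record length, name type (0 = HOST), name length, name
    return struct.pack(f"!HHHBH{n}s", 0, n + 5, n + 3, 0, n, name)

def parse_sni_extension(ext: bytes) -> str:
    """Return the host name from one server_name extension, rejecting bad lengths."""
    if len(ext) < 9:
        raise ValueError("truncated extension")
    ext_type, ext_len, rec_len, name_type, name_len = struct.unpack("!HHHBH", ext[:9])
    if ext_type != 0:
        raise ValueError("not a server_name extension")
    if ext_len != len(ext) - 4 or rec_len != ext_len - 2 or name_len != rec_len - 3:
        raise ValueError("inconsistent length fields")
    if name_type != 0:
        raise ValueError("unsupported name type")
    return ext[9:9 + name_len].decode("ascii")

def sni_matches_host(ext: bytes, host_header: str) -> bool:
    """Assumed backend check: SNI name equals the Host header, port and case ignored."""
    host = host_header.split(":", 1)[0]
    return parse_sni_extension(ext).lower() == host.lower()

if __name__ == "__main__":
    # Constructed sample values: a rewritten backend hostname and a portal hostname.
    ext = build_sni_extension("app.example.com:8443")
    print(ext.hex())
    print("backend Host matches SNI:", sni_matches_host(ext, "app.example.com"))
    print("portal Host matches SNI: ", sni_matches_host(ext, "portal.example.com"))
```
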
