Inspect SSL SNI but don't do SSL offloading?

Question

Hi,&nbsp;
Is it possible for a VS to use an iRule to parse the SNI extension from the SSL ClientHello packet from the client, use it for some logic (like where to go, etc), but do NOT actually perform SSL offloading?  I.e. pass through the packets to the actual server to do the SSL handshake as if it was just a TCP VS setup with no SSL profile attached?&nbsp;
All the stuff I have seen indicates that I'll need an SSL profile to get the CLIENTHELLO event or to use the SSL::sni construct.  I also saw an iRule posted that manually decipher the SNI hostname (https://devcentral.f5.com/codeshare?sid=717) but it is still in the context of doing SSL offloading.&nbsp;
Thanks!&nbsp;
Wilson&nbsp;

stanislas_piro2 · Answer

Hi,&nbsp;
Look at this code&nbsp;

Forum Discussion

Inspect SSL SNI but don't do SSL offloading?

Recent Discussions

How to implement LTM forward proxy client to determine the diversion pool based on the domain name

FTP PASV mode to Extended Passive mode

Oracle JDBC SSL Termination failing on F5

APM for banner and cert

An Irule for Client Ssl Profile that Allows Unassigned TLS Extension Values (17516)

Related Content

Inspecting a UCS file from a compromised BIG-IP

AFM Protocol Inspection rules for CVE-2022-3602 (aka SpookySSL)

Unsupported Snort Keywords in Protocol Inspection

Ingress/Egress VPC inspection with BIG-IP and GWLB

Lightboard Lesson: Perfect Forward Secrecy Inspection Visibility

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS