Forum Discussion
iRule CMD usage clarification - SSL::SNI
Hi,
I'm looking for an iRule command to extract the Server Name attribute (SNI) from an incoming SSL/TLS Client Hello packet.
According to the F5 description:
[https://clouddocs.f5.com/api/irules/SSL__sni.html]
The [SSL::SNI] cmd returns the "Server Name" attribute of the SSL Profile currently selected - which is fine if there are multiple SSL profiles attached to the VS.
However, for my application, I would like to extract the incoming Server Name from the Client Hello packet.
Would [HTTP::host] work instead?
Thanking you
Cheers
Drew
3 Replies
- Yoann_Le_Corvi1
Cumulonimbus
Hi
[HTTP::host] will just return the Host Header. If you want SSL info, try playing around with SSL::extensions.
https://clouddocs.f5.com/api/irules/SSL__extensions.html
I wish I could find a minute to get you the right iRule, but not sure I will have the time :)
Yoann
- Yoann_Le_Corvi1
Cumulonimbus
Here it goes...
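```tcl
when CLIENTSSL_HANDSHAKE {
    log local0.info "CLIENTSSL_HANDSHAKE"
    # Extension type 0 is server_name (SNI)
    set ext_exists [SSL::extensions exists -type 0]
    log local0.info "SSL extension type 0 exists: $ext_exists"
    if {$ext_exists} {
        # Layout: type(2) length(2) list length(2) name type(1) name length(2) host name
        # A5 discards the 5 bytes between the extension header and the host name
        set scan [binary scan [SSL::extensions -type 0] S1S1A5A* ext_type ext_len disc ext]
        #set sni_hostname [binary format H* $ext]
        log local0. "SSL server_name $ext"
    }
}
```
- Drew666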
Nimbostratus
Hi Yoann
Firstly, my apologies for the late reply (have been away).
I'll test it hopefully this week.
Thanking you
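An added example, not part of the thread or of F5's documentation: an offline Python parser for the server_name extension bytes that the iRule above walks with `binary scan`, with the length and character checks worth applying before an SNI value is logged or used for routing. It assumes the input includes the 4-byte extension type/length header; `parse_sni_extension`, `build_sni_extension` and the sample host name are constructed for illustration.

```python
import struct


class SNIParseError(ValueError):
    """Raised when the server_name extension is malformed."""


def parse_sni_extension(raw: bytes) -> str:
    """Return the host_name from a TLS server_name extension (RFC 6066).

    Assumed layout of raw (extension header included):
      ext_type(2) ext_len(2) list_len(2) name_type(1) name_len(2) host_name
    """
    if len(raw) < 9:
        raise SNIParseError("shorter than the 9-byte fixed header")
    ext_type, ext_len, list_len = struct.unpack_from("!HHH", raw, 0)
    if ext_type != 0:
        raise SNIParseError(f"extension type {ext_type}, expected 0")
    # Every declared length must agree with the bytes actually present.
    if ext_len != len(raw) - 4 or list_len != ext_len - 2:
        raise SNIParseError("declared lengths do not match the data")
    offset, end = 6, 6 + list_len
    while offset + 3 <= end:
        name_type, name_len = struct.unpack_from("!BH", raw, offset)
        offset += 3
        if offset + name_len > end:
            raise SNIParseError("name length runs past the list")
        name = raw[offset:offset + name_len]
        offset += name_len
        if name_type == 0:  # host_name
            # Printable ASCII only: rejects NUL, spaces and CR/LF, so the
            # value cannot split a log line when it is written out.
            if not name or not all(0x21 <= b <= 0x7E for b in name):
                raise SNIParseError("host_name is empty or not printable ASCII")
            return name.decode("ascii")
    raise SNIParseError("no host_name entry in the list")


def build_sni_extension(host: bytes) -> bytes:
    """Constructed sample input: encode host as a server_name extension."""
    entry = struct.pack("!BH", 0, len(host)) + host
    body = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", 0, len(body)) + body


if __name__ == "__main__":
    sample = build_sni_extension(b"app.example.test")  # constructed value
    print(sample.hex())
    print(parse_sni_extension(sample))
```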