Forum Discussion

AdirZe's avatar
AdirZe
Icon for Altocumulus rankAltocumulus
Nov 15, 2023

Log Serverside SNI Value

Hi Everyone, I would apperciate your help with basic requirement I have. I want to log the server side (F5 -> Pool member) SNI Value. I'm familiar with this command: "binary scan [SSL::extensions ...
application delivery
Paulius's avatar
Paulius
Icon for MVP rankMVP
Nov 16, 2023

AdirZe The following should be what you're looking for but from my understanding the F5 will not send an SNI name unless you explicitly configure it in the SSL server profile so you should already know what the name is unless of course you are configuring SSL passthrough which the F5 will then send whatever the client has sent it.

when SERVERSSL_CLIENTHELLO_SEND priority 500 {

    binary scan [SSL::extensions -type 0] {@9A*} sni_name
    log local0. "sni name: ${sni_name}"

}
  • AdirZe's avatar
    AdirZe
    Icon for Altocumulus rankAltocumulus
    Nov 17, 2023

     

    Thank you, I understand , I actually tried it, it looks like it doesn't find the the sni value even though there is a Server SSL profile with sni value attached.

    the "sni_exists" if is false.

    when SERVERSSL_CLIENTHELLO_SEND priority 500 {
    set sni_exists [SSL::extensions exists -type 0]
    if { $sni_exists } {
    binary scan [SSL::extensions -type 0] {@9A*} sni_name
    log local0. "sni name: ${sni_name}"
    }
    }