Manipulating Hostname and SNI

Nacreous

Jul 08, 2024

There is no in-built functionality to send SNI value in serverside TLS connection as mentioned in https://my.f5.com/manage/s/article/K41600007

But you can try with below iRule to replace HOST header and SNI value on the serverside connection. Please let us know how the testing goes.

when HTTP_REQUEST {
 # Replace the host header value with siteb.com
HTTP::header replace Host "siteb.com"
set sni_value "siteb.com"
}
when SERVERSSL_CLIENTHELLO_SEND {
# SNI extension record as defined in RFC 3546/3.1
#
# - TLS Extension Type                =  int16( 0 = SNI ) 
# - TLS Extension Length              =  int16( $sni_length + 5 byte )
#    - SNI Record Length              =  int16( $sni_length + 3 byte)
#       - SNI Record Type             =   int8( 0 = HOST )
#          - SNI Record Value Length  =  int16( $sni_length )
#          - SNI Record Value         =    str( $sni_value )
#
# Calculate the length of the SNI value, Compute the SNI Record / TLS extension fields
# and add the result to the SERVERSSL_CLIENTHELLO 
SSL::extensions insert [binary format SSScSa* 0 [expr { [set sni_length [string length $sni_value]] + 5 }] [expr { $sni_length + 3 }] 0 $sni_length $sni_value]
}

Forum Discussion

Manipulating Hostname and SNI

Recent Discussions

Outlook application issue

Why does WAF block HTTP OPTION method

Rewriting Location Header in iRule

HA Configuration (One in primary and One in DR)

Sending a trusted certificate to server

Related Content

F5 XC Distributed Cloud HTTP Header manipulations and matching of the client ip/user HTTP headers

RADIUS authentication packet manipulation library

Rewrite HTTP Redirect Hostname

Cache Manipulation Examples

Manipulate state of pool members via Python SDK