Philip_Jonsson_
Oct 17, 2018 (Altocumulus)
Performing SSL Bypass for Forward Proxy Traffic using an iRule capturing the SNI
Hey everyone!
I'm currently developing an iRule to exclude certain traffic from the "Full Proxy" Architecture by turning off the HTTP Profile and Client/Server SSL Profile for our SSL Forward Proxy...
Stanislas_Piro2
Oct 22, 2018 (Cumulonimbus)
Try this code (not tested) and change the data group name on line 52
when CLIENT_ACCEPTED {
    SSL::disable
    SSL::disable serverside
    TCP::collect
    set tls_servername ""
}
when CLIENT_DATA {
    # Store TCP payload up to 2^14 + 5 bytes (handshake length is up to 2^14)
    set payload [TCP::payload 16389]
    set payloadlen [TCP::payload length]
    # If valid TLS 1.X CLIENT_HELLO handshake packet
    if { [binary scan $payload cH4Scx3H4x32c tls_record_content_type tls_version tls_recordlen tls_handshake_action tls_handshake_version tls_handshake_sessidlen] == 6 && \
        ($tls_record_content_type == 22) && ([string match {030[1-3]} $tls_version]) && \
        ($tls_handshake_action == 1) && ($payloadlen == $tls_recordlen+5)} {
        # skip past the session id
        set record_offset [expr {44 + $tls_handshake_sessidlen}]
        # skip past the cipher list
        binary scan $payload @${record_offset}S tls_ciphlen
        set record_offset [expr {$record_offset + 2 + $tls_ciphlen}]
        # skip past the compression list
        binary scan $payload @${record_offset}c tls_complen
        set record_offset [expr {$record_offset + 1 + $tls_complen}]
        # check for the existence of ssl extensions
        if { ($payloadlen > $record_offset) } {
            # skip to the start of the first extension
            binary scan $payload @${record_offset}S tls_extension_length
            set record_offset [expr {$record_offset + 2}]
            # Check if extension length + offset equals payload length
            if {$record_offset + $tls_extension_length == $payloadlen} {
                # for each extension
                while { $record_offset < $payloadlen } {
                    binary scan $payload @${record_offset}SS tls_extension_type tls_extension_record_length
                    if { $tls_extension_type == 0 } {
                        # if it's a servername extension read the servername
                        # SNI record value starts after extension type (2 bytes), extension record length (2 bytes),
                        # server name list length (2 bytes), name type (1 byte), name length (2 bytes) = 9 bytes
                        binary scan $payload @[expr {$record_offset + 9}]A[expr {$tls_extension_record_length - 5}] tls_servername
                        set record_offset [expr {$record_offset + $tls_extension_record_length + 4}]
                    } else {
                        # skip over other extensions
                        set record_offset [expr {$record_offset + $tls_extension_record_length + 4}]
                    }
                }
            }
        }
    }
    unset -nocomplain payload payloadlen tls_record_content_type tls_recordlen tls_handshake_action tls_handshake_sessidlen record_offset tls_ciphlen tls_complen tls_extension_length tls_extension_type tls_extension_record_length tls_supported_versions_length tls_supported_versions
    # No SNI, or SNI not in the bypass data group: re-enable SSL interception on both sides
    if {$tls_servername equals "" || [class match $tls_servername equals "MyDG"] == 0} {
        SSL::enable
        SSL::enable serverside
    }
    TCP::release
}
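The same ClientHello walk in Python, as an added example that is not part of either post: it mirrors the iRule's offset arithmetic (record header, handshake header, session id, cipher suites, compression methods, extension list) and the bypass decision, and additionally returns "" cleanly for truncated or malformed records. The bypass set, the sample hostnames and the ClientHello builder are constructed test fixtures, not captured traffic.

```python
import struct

# Constructed bypass list standing in for the iRule's data group "MyDG" (assumption).
BYPASS_DG = {"bank.example.com", "health.example.org"}

def parse_sni(payload: bytes) -> str:
    """SNI host from a TLS ClientHello record, or "" if absent or malformed. Walks the same
    fields as the iRule: headers, random, session id, cipher suites, compression, extensions."""
    n = len(payload)
    try:
        ctype, ver, rlen, htype = struct.unpack("!BHHB", payload[:6])
        # 22 = handshake record, 0x0301-0x0303 = TLS 1.0-1.2 record versions, 1 = ClientHello
        if ctype != 22 or not 0x0301 <= ver <= 0x0303 or rlen + 5 != n or htype != 1:
            return ""
        off = 44 + payload[43]                   # skip session id (length byte at 43)
        off += 2 + struct.unpack("!H", payload[off:off + 2])[0]   # skip cipher suites
        off += 1 + payload[off]                  # skip compression methods
        ext_total = struct.unpack("!H", payload[off:off + 2])[0]  # no extensions -> error
        off += 2
        if off + ext_total != n:
            return ""                            # extension block must end the record
        while off + 4 <= n:
            etype, elen = struct.unpack("!HH", payload[off:off + 4])
            if etype == 0 and elen >= 5 and off + 4 + elen <= n:
                # server_name data: list length (2), name type (1), name length (2), name
                name_len = struct.unpack("!H", payload[off + 7:off + 9])[0]
                name = payload[off + 9:off + 9 + name_len]
                return name.decode("ascii", "replace") if name_len == elen - 5 else ""
            off += 4 + elen                      # skip any other extension
    except (struct.error, IndexError):
        pass                                     # truncated or malformed record
    return ""

def should_bypass(payload: bytes, datagroup=BYPASS_DG) -> bool:
    """Same decision as the iRule: SSL stays disabled only for an SNI in the data group."""
    sni = parse_sni(payload)
    return sni != "" and sni in datagroup

def build_client_hello(host=None) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello used as test input; not captured traffic."""
    exts = b"\x00\x0a\x00\x04\x00\x02\x00\x1d"   # supported_groups, exercises the skip path
    if host is not None:
        name = host.encode()
        sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        exts += struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)   # zero random, empty session id
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs
```

A ClientHello that fails any structural check is treated as "no SNI", which in the iRule's logic means interception is re-enabled rather than silently bypassed.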