Forum Discussion
SNI & Subject.DN Question
I have a use case where I filter traffic based on the SNI value gained by a binary scan in CLIENT_DATA, but in some cases the SNI value is null. I'm wanting to look at the server's subject.dn when this happens. I know that I can gain the subject.dn from SERVERSSL_SERVERCERT in the below code; however, I have no way to gain the same information in CLIENT_DATA, or to signal SERVERSSL_SERVERCERT, based on the information in CLIENT_DATA, that it needs to get the subject.dn and do stuff. If anyone has any ideas I would be very grateful.
when SERVERSSL_SERVERCERT {
    if { [SSL::cert count] != 0 } {
        set cert [SSL::cert 0]
        # CN= value of the server certificate subject, up to the next comma
        set subject_dn [findstr [X509::subject $cert] "CN=" 3 ","]
        log "gn_proxy: Server Certificate Received: $subject_dn [IP::server_addr]"
    }
}
- rob_carr (Cirrostratus)
Why not signal the need to check subject.dn based on the absence of your SNI info?
Pseudocode:
when CLIENT_DATA {
    set check_subject_dn 0
    if { [SNI existence check goes here] } {
        # extract SNI and do whatever
    } else {
        # SNI is null: tell SERVERSSL_SERVERCERT to fall back to the certificate subject
        set check_subject_dn 1
    }
}
when SERVERSSL_SERVERCERT {
    # guard with info exists so the event does not error if CLIENT_DATA never set the flag
    if { ([SSL::cert count] != 0) && [info exists check_subject_dn] && $check_subject_dn } {
        set cert [SSL::cert 0]
        set subject_dn [findstr [X509::subject $cert] "CN=" 3 ","]
        log "gn_proxy: Server Certificate Received: $subject_dn [IP::server_addr]"
    }
}
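The same decision logic outside the iRule, as an added example that is not part of the thread: a minimal ClientHello parser that returns None when the server_name extension is absent (the "SNI is null" case), a CN extractor that matches what findstr does with "CN=" 3 ",", and the fallback rule from the answer. build_client_hello constructs a synthetic ClientHello for testing, not a real capture.

```python
import struct

def extract_sni(client_hello: bytes):
    """Return the server_name from a TLS ClientHello, or None when absent or truncated."""
    try:
        if client_hello[0] != 0x16 or client_hello[5] != 0x01:
            return None                               # not a handshake ClientHello
        pos = 5 + 4 + 2 + 32                          # record hdr, hs hdr, version, random
        pos += 1 + client_hello[pos]                  # session id
        pos += 2 + struct.unpack("!H", client_hello[pos:pos + 2])[0]   # cipher suites
        pos += 1 + client_hello[pos]                  # compression methods
        end = pos + 2 + struct.unpack("!H", client_hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:                         # walk the extensions
            etype, elen = struct.unpack("!HH", client_hello[pos:pos + 4])
            pos += 4
            if etype == 0 and client_hello[pos + 2] == 0:   # server_name, host_name type
                name_len = struct.unpack("!H", client_hello[pos + 3:pos + 5])[0]
                return client_hello[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                          # malformed or cut short: treat as null
    return None

def cn_from_subject_dn(subject_dn: str):
    """Same result as the iRule's findstr ... "CN=" 3 ",": text after CN= up to the next comma."""
    idx = subject_dn.find("CN=")
    return None if idx < 0 else subject_dn[idx + 3:].split(",", 1)[0]

def pick_identity(client_hello: bytes, server_subject_dn: str):
    """The answer's flag logic: prefer SNI; consult the server cert CN only when SNI is null."""
    sni = extract_sni(client_hello)
    return ("sni", sni) if sni is not None else ("subject_dn", cn_from_subject_dn(server_subject_dn))

def build_client_hello(sni=None) -> bytes:
    """Constructed minimal ClientHello (not a capture): TLS 1.2, one cipher suite, optional SNI."""
    ext = b""
    if sni is not None:
        name = sni.encode("ascii")
        sn_list = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        ext = struct.pack("!HH", 0, len(sn_list)) + sn_list
    body = (b"\x03\x03" + bytes(32) + b"\x00"             # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"            # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```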