Forum Discussion

bdavis
Feb 15, 2019

SNI & Subject.DN Question

I have a use case where I filter traffic based on the SNI value gained by a binary scan in CLIENT_DATA, but in some cases the SNI value is null. I'm wanting to look at the server's subject.dn when this happens. I know that I can gain the subject.dn from SERVERSSL_SERVERCERT in the code below; however, I have no way to gain the same information in CLIENT_DATA, or to signal SERVERSSL_SERVERCERT, based on the information in CLIENT_DATA, that it needs to get the subject.dn and do stuff. If anyone has any ideas I would be very grateful.

when SERVERSSL_SERVERCERT {
    if { [SSL::cert count] != 0 } {
        set cert [SSL::cert 0]
        set subject_dn [findstr [X509::subject $cert] "CN=" 3 ","]
        log "gn_proxy: Server Certificate Received: $subject_dn [IP::server_addr]"
    }
}

1 Reply

  • Why not signal the need to check subject.dn based on the absence of your SNI info?

    Pseudocode:

    when CLIENT_DATA {
        set check_subject_dn 0
        if { [SNI existence check goes here] } {
            # extract SNI and do whatever
        } else {
            set check_subject_dn 1
        }
    }
    when SERVERSSL_SERVERCERT {
        if { ([SSL::cert count] != 0) && $check_subject_dn } {
            set cert [SSL::cert 0]
            set subject_dn [findstr [X509::subject $cert] "CN=" 3 ","]
            log "gn_proxy: Server Certificate Received: $subject_dn [IP::server_addr]"
        }
    }
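As an added example (not code from the original question or the reply), here is a complete iRule that does what the reply sketches: it walks the ClientHello in CLIENT_DATA with binary scan to pull the server_name extension, sets the flag when no SNI is present, and only then reads the server certificate CN in SERVERSSL_SERVERCERT. The event names and commands are standard iRule ones; the variable names and the "gn_proxy" log prefix are my own choices.

```tcl
when CLIENT_ACCEPTED {
    TCP::collect   ;# hold the first client bytes so CLIENT_DATA sees the ClientHello
}
when CLIENT_DATA {
    set check_subject_dn 1
    set sni ""
    set payload [TCP::payload]
    set plen [TCP::payload length]
    foreach v {rec_type hs_type sid_len cs_len cm_len ext_total} { set $v 0 } ;# short payloads leave scan vars unset
    # TLS record header type(1) version(2) length(2), handshake header type(1) length(3)
    if { $plen > 43 } { binary scan $payload cx4c rec_type hs_type } ;# 22 = handshake record, 1 = ClientHello
    if { ($rec_type & 0xff) == 22 && ($hs_type & 0xff) == 1 } {
        # offset 43 = 5 (record) + 4 (handshake) + 2 (version) + 32 (random); bytes are signed, hence the masks
        binary scan $payload x43c sid_len
        set off [expr {44 + ($sid_len & 0xff)}]
        binary scan $payload x${off}S cs_len
        set off [expr {$off + 2 + ($cs_len & 0xffff)}]
        binary scan $payload x${off}c cm_len
        set off [expr {$off + 1 + ($cm_len & 0xff)}]
        binary scan $payload x${off}S ext_total
        set off [expr {$off + 2}]
        set ext_end [expr {$off + ($ext_total & 0xffff)}]
        while { $off + 4 <= $ext_end && $off + 4 <= $plen && $sni eq "" } {
            binary scan $payload x${off}SS ext_type ext_len
            set ext_type [expr {$ext_type & 0xffff}]
            set ext_len [expr {$ext_len & 0xffff}]
            # type 0 = server_name: list_len(2) name_type(1) name_len(2) host_name
            if { $ext_type == 0 && $off + 9 <= $plen } {
                binary scan $payload x[expr {$off + 7}]S name_len
                set name_len [expr {$name_len & 0xffff}]
                if { $off + 9 + $name_len <= $plen } {
                    binary scan $payload x[expr {$off + 9}]a${name_len} sni
                }
            }
            set off [expr {$off + 4 + $ext_len}]
        }
    }
    if { $sni ne "" } {
        set check_subject_dn 0
        log local0. "gn_proxy: SNI present: $sni"
    }
    TCP::release
}
when SERVERSSL_SERVERCERT {
    # Fall back to the server certificate CN only when the ClientHello carried no SNI
    if { [info exists check_subject_dn] && $check_subject_dn && [SSL::cert count] != 0 } {
        set subject_dn [findstr [X509::subject [SSL::cert 0]] "CN=" 3 ","]
        log local0. "gn_proxy: no SNI, server cert CN: $subject_dn [IP::server_addr]"
    }
}
```

Every length field is bounds-checked against the collected payload, so a truncated or non-TLS first segment just leaves the flag set rather than aborting the rule. If the ClientHello spans more than one segment, the extension may not be in the first CLIENT_DATA, so in that case keep collecting until the record length from the header has arrived before parsing.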