bdavis
Feb 15, 2019 | Nimbostratus
SNI & Subject.DN Question
I have a use case where I filter traffic based on the SNI value gained by a binary scan in CLIENT_DATA, but in some cases the SNI value is null. I'm wanting to look at the server's subject.dn when this hap...
rob_carr
Feb 18, 2019 | Cirrostratus
Why not signal the need to check subject.dn based on the absence of your SNI info?
Pseudocode:
when CLIENT_DATA {
    # Default: SNI is expected, so the certificate subject is not needed
    set check_subject_dn 0
    if { [SNI existence check goes here] } {
        [extract SNI and do whatever]
    } else {
        # No SNI in the ClientHello: fall back to the server certificate
        set check_subject_dn 1
    }
}
when SERVERSSL_SERVERCERT {
    if { ([SSL::cert count] != 0) && $check_subject_dn } {
        set cert [SSL::cert 0]
        # Take the text after "CN=" up to the next comma
        set subject_dn [findstr [X509::subject $cert] "CN=" 3 ","]
        log "gn_proxy: Server Certificate Received: $subject_dn [IP::server_addr]"
    }
}
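An added example, not part of rob_carr's post or any F5 code: the same decision modelled offline in Python rather than as an iRule, so it can be run against sample bytes. `extract_sni` walks a ClientHello to the server_name extension and returns None when it is absent or malformed, and `name_for_filter` falls back to the certificate CN only in that case. The ClientHello builder, the host names and the comma-separated DN format are constructed assumptions.

```python
import struct

def extract_sni(rec: bytes):
    """Return the SNI host name from a TLS ClientHello record, or None if absent."""
    try:
        # Record type 0x16 (handshake), handshake type 0x01 (ClientHello)
        if rec[0] != 0x16 or rec[5] != 0x01:
            return None
        pos = 5 + 4 + 2 + 32                                  # headers, version, random
        pos += 1 + rec[pos]                                   # session_id
        pos += 2 + struct.unpack_from("!H", rec, pos)[0]      # cipher_suites
        pos += 1 + rec[pos]                                   # compression_methods
        if pos + 2 > len(rec):
            return None                                       # no extensions block
        end = min(len(rec), pos + 2 + struct.unpack_from("!H", rec, pos)[0])
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", rec, pos)
            pos += 4
            if ext_type == 0:                                 # server_name extension
                # Layout: list_len(2) name_type(1) name_len(2) name
                name_len = struct.unpack_from("!H", rec, pos + 3)[0]
                if rec[pos + 2] != 0 or 5 + name_len > ext_len or pos + ext_len > end:
                    return None
                return rec[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                           # truncated or malformed
    return None

def subject_cn(subject_dn: str):
    """CN from a comma-separated subject DN (assumed format), or None."""
    for rdn in subject_dn.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.upper() == "CN" and value:
            return value
    return None

def name_for_filter(rec: bytes, subject_dn: str):
    """Same role as the check_subject_dn flag: use SNI, else the certificate CN."""
    sni = extract_sni(rec)
    return (sni, "sni") if sni else (subject_cn(subject_dn), "subject_dn")

def build_client_hello(host=None):
    """Constructed sample ClientHello; has an SNI extension only when host is given."""
    n = host.encode() if host else b""
    sni = struct.pack("!HBH", len(n) + 3, 0, len(n)) + n
    exts = struct.pack("!HH", 0, len(sni)) + sni if host else b""
    body = b"\x03\x03" + bytes(32) + b"\x00\x00\x02\x13\x01\x01\x00"
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Unlike a plain substring search for "CN=", `subject_cn` matches only at attribute boundaries, so a value in another attribute that happens to contain "CN=" is not picked up.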