Forum Discussion

Murugs_322349's avatar
Icon for Nimbostratus rankNimbostratus
Oct 10, 2017

SNI Based on IRule

I have a requirement to set SNI based on the incoming context for every subsequent requests by same client to the same back-end server.


I have put the following in SERVERSSL_CLIENTHELLO_SEND but it looks like the event SERVERSSL_CLIENTHELLO_SEND is getting triggered for only first request and not for every subsequent request from same client. Is there any better option available ?


log local0. "SNI : one-dev-443 : $sni" set sni_host $sni set sni_length [string length $sni_host] binary scan $sni_host H* sni_host_hex set server_tls_sni_extension "0000" append server_tls_sni_extension "[format %4.4X [expr { $sni_length + 5 }]]" append server_tls_sni_extension "[format %4.4X [expr { $sni_length + 3 }]]" append server_tls_sni_extension "00" append server_tls_sni_extension "[format %4.4X $sni_length]" SSL::extensions insert [binary format H* "$server_tls_sni_extension$sni_host_hex"]


5 Replies

  • Hi Murugs,

    to force an

    event after each single
    event you would need to execute
    on/after every single
    event. But this approach would hurt your overall performance and is absolutely NOT recommended...

    I'd like to ask the question why do you need to do that?

    You need SNI just to select a specific SSL cert on your web server. After the Server SSL handshake is completed, you can pump as many HTTP request over the established TCP connection / SSL session without the need to further manipulate server side SNI records.

    Cheers, Kai

  • How about something a little different, where you set the "tls_SNI_extension" based on what the client sends? Something like this:

        if { [SSL::extensions exists -type 0] } then {
            set tls_sni_extension [SSL::extensions -type 0]
        } else {
            set tls_sni_extension ""
        if { $tls_sni_extension ne "" } then {
            SSL::extensions insert $tls_sni_extension
  • Hi Murugs,


    your iRule contains a old version of my SNI injection iRule. You may check out the links provided by Stanislas to get an optimized version...


    Cheers, Kai


  • Thanks for the optimized version, I will definitely get it implemented.


    My request is how do I make the SERVERSSL_CLIENTHELLO_SEND event fired for each HTTP Request irrespective of whether the request is coming from same browser session or not. The VS has only one HTTP host attached.