For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Sep 30, 2016

Hi Neeraj,

I'm not aware of a configuration hack to bypass the mandatory SNI Default Profile. But you may use the iRule below as a starting point, to parse the requested SNI value and then allow/reject the connection as needed...

when CLIENTSSL_CLIENTHELLO {
    if { [SSL::extensions exists -type 0] } then {
        switch -glob -- [string range [SSL::extensions -type 0] 9 end] {
            "site1.domain1.de" -
            "site2.domain1.de" -
            "site3.domain1.de" -
                "*.domain2.de" {
                log local0.debug "SNI Check: Allowing SNI Value = \"[string range [SSL::extensions -type 0] 9 end]\""
                Allow the request
            } 
            default {
                log local0.debug "SNI Check: Blocking SNI Value = \"[string range [SSL::extensions -type 0] 9 end]\""
                reject
            }           
        }
    }
}

Note: You have to configure "Require Peer SNI support" in your Client SSL Profiles to block any CLIENTHELLO's without SNI extentions.

Cheers, Kai