Neeraj_Jags_152
Sep 30, 2016 (Cirrus)
SNI in sol13452 and Default / fallback client ssl profile
How to drop HTTPS requests for the default/fallback client SSL profile (SNI in sol13452)
sol13452 describes very well for "Configuring a virtual server to serve multiple HTTPS sites using the TLS Server N...
Kai_Wilke
Sep 30, 2016 (MVP)
Hi Neeraj,
I'm not aware of a configuration hack to bypass the mandatory SNI Default Profile. But you may use the iRule below as a starting point, to parse the requested SNI value and then allow/reject the connection as needed...
when CLIENTSSL_CLIENTHELLO {
    # Extension type 0 is server_name (SNI). Skip the 9 header bytes
    # (ext type, ext length, list length, name type, name length) to get the host name.
    if { [SSL::extensions exists -type 0] } then {
        set sni [string range [SSL::extensions -type 0] 9 end]
        switch -glob -- $sni {
            "site1.domain1.de" -
            "site2.domain1.de" -
            "site3.domain1.de" -
            "*.domain2.de" {
                log local0.debug "SNI Check: Allowing SNI Value = \"$sni\""
                # Allow the request
            }
            default {
                log local0.debug "SNI Check: Blocking SNI Value = \"$sni\""
                reject
            }
        }
    }
}
Note: You have to configure "Require Peer SNI support" in your Client SSL Profiles to block any CLIENTHELLOs without SNI extensions.
Cheers, Kai
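As an added illustration of what the iRule above is doing (this is not part of Kai's reply or any F5 code), here is a Python model of the same check: it parses the raw server_name extension bytes as F5's `[SSL::extensions -type 0]` returns them, which is why the host name starts at byte offset 9, validates the length fields, and applies the same glob-style allowlist with a fail-closed decision for a missing or malformed extension (the behaviour "Require Peer SNI support" gives you on the BIG-IP). The `build_sni_extension` helper and the sample host names are constructed for the example; the allowlist entries are the ones from the iRule.

```python
import fnmatch
import struct
from typing import Optional

# Allowlist taken from the iRule in the reply above; "*.domain2.de" is a glob.
ALLOWED_SNI = ["site1.domain1.de", "site2.domain1.de", "site3.domain1.de", "*.domain2.de"]


def build_sni_extension(hostname: str) -> bytes:
    """Construct a raw server_name extension (constructed test input only).

    Layout: 2 bytes extension type (0), 2 bytes extension length,
            2 bytes server_name_list length, 1 byte name type (0 = host_name),
            2 bytes host_name length, then the host name -> name starts at offset 9.
    """
    name = hostname.encode("ascii")
    server_name = struct.pack("!BH", 0, len(name)) + name
    name_list = struct.pack("!H", len(server_name)) + server_name
    return struct.pack("!HH", 0, len(name_list)) + name_list


def parse_sni(ext: bytes) -> Optional[str]:
    """Return the host_name carried in a raw server_name extension, or None if malformed."""
    if len(ext) < 9:
        return None
    ext_type, ext_len = struct.unpack("!HH", ext[:4])
    if ext_type != 0 or ext_len != len(ext) - 4:
        return None
    list_len = struct.unpack("!H", ext[4:6])[0]
    if list_len != ext_len - 2:
        return None
    name_type = ext[6]
    name_len = struct.unpack("!H", ext[7:9])[0]
    if name_type != 0 or 9 + name_len != len(ext):
        return None
    try:
        return ext[9:9 + name_len].decode("ascii")
    except UnicodeDecodeError:
        return None


def sni_decision(ext: Optional[bytes], allowed=ALLOWED_SNI) -> str:
    """Mirror the iRule's switch: 'allow' for a listed name, 'reject' otherwise.

    A ClientHello without a server_name extension (ext is None) or with a
    malformed one is rejected, i.e. the check fails closed.
    """
    if ext is None:
        return "reject"
    name = parse_sni(ext)
    if name is None:
        return "reject"
    # fnmatchcase gives the glob semantics of Tcl's "switch -glob". DNS names are
    # case-insensitive, so both sides are lower-cased; the iRule itself compares
    # case-sensitively, which is stricter but would reject "Site1.Domain1.de".
    if any(fnmatch.fnmatchcase(name.lower(), pattern.lower()) for pattern in allowed):
        return "allow"
    return "reject"


if __name__ == "__main__":
    for host in ["site1.domain1.de", "www.domain2.de", "other.domain3.de"]:
        print(host, "->", sni_decision(build_sni_extension(host)))
    print("no SNI ->", sni_decision(None))
```

Note that `*.domain2.de` also matches deeper names such as `a.b.domain2.de`, exactly as the Tcl glob does; if only one label should be allowed, match against an explicit list instead.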