Forum Discussion

Giammarco's avatar
Icon for Nimbostratus rankNimbostratus
Jun 15, 2012

SNI iRule problem

hello guys,



i'm using this iRule to make multiple SSL on a single VIP




it works without problem on supported browser, and I know that under XP+any IE version should I get the default SSL certificate. But in my case, when connect from IE8+XP i got session dropped and on LTM logs this error:






TCL error: SNI_Rule - can't read "tls_extenlen": no such variable while executing "for { set x 0 } { $x < $tls_extenlen } { incr x 4 } { set start [expr {$x}]




If I've understood the rule, my browser should not send any type of information in the TLS_session..


i'm currently running 10.2.4 HF3




hope someone can help me








6 Replies

  • ok, i found that disabling TLS 1.0 under IE properties "fix" the problem.. but for example, the same problem appear if I try to access the VIP from a BB smartphone



    is it possible to avoid this problem with an If statement? I've tried to put an boolean check, but the problem is that the variable doesn't exist :(
  • doing other tests and put some log point, i've seen that no-SNI capable browser in this statement:



    if { ([TCP::payload length] >= $record_offset) }



    the tcp-payload length and record_offset are always the same number, so when there is this statement "binary scan [TCP::payload] @${record_offset}S tls_extenlen", the variable $tls_extenlen will not be created and so the TCL script break the execution



    i've modified the statement like this "([TCP::payload length] > $record_offset)", and this seems to solve the issue. The no-SNI capable browser can access the VIP (with ssl warning about certification), and also the SNI capable can access



    I don't know if it the right solution, but seems to work.. may be someone can indicate another way to make it work ^_^



  • Giammarco:



    Thanks for the input on this. You're right on both counts. I'll need to look at why IE8+XP has an issue with this -- disabling TLS 1.0 is an okay fix but there should be a way to do this without needing a clientside fix. And we can't disable TLS 1.0 handshake checking in the iRule because SNI browsers can be TLS 1.0 (most are).



    The offset thing -- that's also correct on your part. The rule was written originally prototyping against only SNI browsers, so I have to admit, redfaced, that I didn't test it too hard on non-SNI browsers. If I get a chance, I'll go update the iRule and give it another test.



    Of course, if you're running 11.1/11.2, it's better to just use F5's built-in SNI support. :> It doesn't do pool switching, but an iRule on the VIP can easily do that for you once TMOS is done taking care of the SNI selection.
  • I did verify your fix, and I altered the iRule in the Wiki appropriately. Thanks!
  • Hi Joel,



    when we installed this F5 in our environment (from distributor), we've tried this iRule under 11.1.0HF2 to apply SNI but didn't work (with or without SNI capable browser). Now you said to me that there is a F5 SNI implementation right? Where I can see how to configure?



    I'm a newbie, and i'm trying to learning step by step



    Many thanks!
  • Giammarco: No problem at all. It's in 11.1.



    Check out the client SSL profile. You'll notice (with Advanced Mode activated), that there are the following configuration items exposed in the profile:



    - Server Name


    - Default SSL Profile for SNI


    - Require Peer SNI Support