For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Giammarco's avatar
Giammarco
Icon for Nimbostratus rankNimbostratus
Jun 15, 2012

SNI iRule problem

hello guys,     i'm using this iRule to make multiple SSL on a single VIP       https://devcentral.f5.com/wiki/iRules.TLS-ServerNameIndication.ashx       it works wi...
application delivery
dev
devops
iRules
Joel_Moses's avatar
Joel_Moses
Icon for Nimbostratus rankNimbostratus
Jun 21, 2012
Giammarco:

 

 

Thanks for the input on this. You're right on both counts. I'll need to look at why IE8+XP has an issue with this -- disabling TLS 1.0 is an okay fix but there should be a way to do this without needing a clientside fix. And we can't disable TLS 1.0 handshake checking in the iRule because SNI browsers can be TLS 1.0 (most are).

 

 

The offset thing -- that's also correct on your part. The rule was written originally prototyping against only SNI browsers, so I have to admit, redfaced, that I didn't test it too hard on non-SNI browsers. If I get a chance, I'll go update the iRule and give it another test.

 

 

Of course, if you're running 11.1/11.2, it's better to just use F5's built-in SNI support. :> It doesn't do pool switching, but an iRule on the VIP can easily do that for you once TMOS is done taking care of the SNI selection.