Forum Discussion
K-Dubb
Nimbostratus
Mar 12, 2019
SNI
Has anyone tried to use multiple SSL profiles on a VIP with SNI and each profile have different allowed ciphers/protocols? This article indicates that each profile can have different security requir...
Kai_Wilke
MVP
Mar 12, 2019
Hi K-Dubb,
you have to read the SNI value on the TCP layer by using the TCP::collect and TCP::payload commands before the CLIENTSSL_CLIENTHELLO event gets processed. By doing so you will be able to manually choose a non-SNI-aware SSL profile as you like, using SSL::profile XYZ.
Depending on the detailed requirements it may be sufficient to check if the first collected TCP::payload contains a string included in a given Data-Group. The Data-Group key would be the SNI name and the Data-Group value would be the SSL profile to be selected. If this approach is not sufficient for your solution, you would need to binary parse the received CLIENTHELLO payload to extract the SNI value more accurately...
Check out Joel's SNI parsing iRule to get an idea how to parse the SNI value...
https://devcentral.f5.com/codeshare/tls-server-name-indication
Cheers, Kai
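The following is an added example, not code from the thread, from Joel's iRule or from F5: a Python model of the two approaches Kai describes. It builds a constructed TLS ClientHello, walks the handshake to the server_name extension to pull out the host_name (the "binary parse" route), and maps that name to a client-ssl profile through a dict standing in for the Data-Group. Next to it sits the shortcut of a plain substring match on the raw payload, so the difference between the two shows up on a hostname that merely ends in a Data-Group key. The profile names and the SNI_TO_PROFILE mapping are hypothetical; in an iRule the same walk would be done with binary scan over [TCP::payload] before SSL::profile is called.

```python
import struct

# Constructed stand-in for an iRule Data-Group: SNI name -> client-ssl profile.
# Profile names are hypothetical.
SNI_TO_PROFILE = {
    "www.example.com": "clientssl_modern",
    "legacy.example.com": "clientssl_legacy",
}
DEFAULT_PROFILE = "clientssl_default"   # hypothetical fallback profile


def build_client_hello(server_name):
    """Construct a minimal TLS 1.2 ClientHello record carrying one SNI entry.

    Constructed test input only: a real ClientHello carries more suites and
    extensions, which is why the parser below skips unknown extensions.
    """
    host = server_name.encode("ascii")
    # server_name extension: list length, name_type 0 (host_name), name length, name
    sni_list = b"\x00" + struct.pack("!H", len(host)) + host
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list) + 2) + struct.pack("!H", len(sni_list)) + sni_list
    # supported_groups placed first so the parser has to step over an extension
    groups = struct.pack("!HH", 0x0017, 0x0018)
    groups_ext = struct.pack("!HH", 0x000A, len(groups) + 2) + struct.pack("!H", len(groups)) + groups
    extensions = groups_ext + sni_ext
    body = (
        b"\x03\x03"                            # client_version TLS 1.2
        + bytes(32)                            # random
        + b"\x00"                              # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"   # cipher_suites: one suite
        + b"\x01\x00"                          # compression_methods: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type ClientHello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake   # TLS record header


def extract_sni(payload):
    """Return the host_name from a ClientHello's server_name extension, lowercased,
    or None if the bytes are not a complete ClientHello carrying SNI."""
    try:
        if len(payload) < 5 or payload[0] != 0x16:          # record type handshake
            return None
        rec_len = struct.unpack("!H", payload[3:5])[0]
        rec = payload[5:5 + rec_len]
        if len(rec) < rec_len or rec[0] != 0x01:             # handshake type ClientHello
            return None                                      # (also: record not yet fully collected)
        hs_len = int.from_bytes(rec[1:4], "big")
        hs = rec[4:4 + hs_len]
        if len(hs) < hs_len:
            return None
        pos = 2 + 32                                         # version + random
        pos += 1 + hs[pos]                                   # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hs[pos]                                   # compression_methods
        if pos + 2 > len(hs):
            return None                                      # no extensions block at all
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end > len(hs):
            return None
        while pos + 4 <= end:                                # walk the extension list
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            edata = hs[pos:pos + elen]
            pos += elen
            if etype != 0x0000:                              # not server_name: skip it
                continue
            list_len = struct.unpack("!H", edata[0:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                ntype = edata[p]
                nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
                name = edata[p + 3:p + 3 + nlen]
                if ntype == 0 and len(name) == nlen:         # name_type host_name
                    return name.decode("ascii").lower()
                p += 3 + nlen
            return None
        return None
    except (struct.error, IndexError, UnicodeDecodeError):   # truncated or malformed hello
        return None


def select_profile_exact(payload):
    """Profile selection keyed on the parsed SNI; unknown or absent SNI falls back."""
    return SNI_TO_PROFILE.get(extract_sni(payload), DEFAULT_PROFILE)


def select_profile_substring(payload):
    """The shortcut: a 'contains' match of the raw payload against the Data-Group
    keys. It never inspects TLS structure, so any hostname that ends in a key
    (notwww.example.com) is matched as if it were that key."""
    for name, profile in SNI_TO_PROFILE.items():
        if name.encode("ascii") in payload:
            return profile
    return DEFAULT_PROFILE


if __name__ == "__main__":
    for host in ("www.example.com", "legacy.example.com", "notwww.example.com"):
        hello = build_client_hello(host)
        print(host, extract_sni(hello), select_profile_exact(hello), select_profile_substring(hello))
```

For the Data-Group approach the lookup should therefore be an equals match on the extracted name rather than a contains match on the payload, and a payload that is not yet a complete ClientHello (the first TCP::payload after collect may be short) should be treated as "no SNI" or collected further, never matched.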