SNI
K-Dubb, Mar 12, 2019 (Nimbostratus)
Has anyone tried to use multiple SSL profiles on a VIP with SNI, where each profile has different allowed ciphers/protocols? This article indicates that each profile can have different security requir...
Hi K-Dubb,
you have to read the SNI value on the TCP layer by using the TCP::collect and TCP::payload commands before the CLIENTSSL_CLIENTHELLO event gets processed. By doing so you will be able to manually choose a non-SNI-aware SSL profile as you like with SSL::profile XYZ.
Depending on the detailed requirements it may be sufficient to check if the first collected TCP::payload contains a key included in a given Data-Group. The Data-Group key would be the SNI name and the Data-Group value would be the SSL Profile to be selected. If this approach is not sufficient for your solution, you would need to binary parse the received CLIENTHELLO payload to extract the SNI value more accurately...
Check out Joel's SNI parsing iRule to get an idea of how to parse the SNI value...
https://devcentral.f5.com/codeshare/tls-server-name-indication
Cheers, Kai
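An added example of the approach Kai describes, written as an iRule; it is not code from this thread or from Joel's CodeShare entry. The data group name dg_sni_profiles and the profile names in it are assumptions, and the SNI parsing follows the TLS ClientHello layout (record header, handshake header, version, random, session id, cipher suites, compression methods, extensions).

```tcl
# Hypothetical data group "dg_sni_profiles" (string type): key = SNI host name,
# value = name of a non-SNI-aware client-ssl profile with its own ciphers/protocols,
# e.g. "api.example.com" := "clientssl_api_tls12_strict"  (assumed names)
when CLIENT_ACCEPTED {
    # Hold the client's first bytes so the ClientHello can be inspected
    # before the VIP's default client-ssl profile starts the handshake.
    TCP::collect
}
when CLIENT_DATA {
    set payload [TCP::payload]
    set sni ""
    # Assumption: returning without TCP::release keeps collecting, so a
    # ClientHello split across several TCP segments is parsed only once complete.
    if { [binary scan $payload cx2S rtype rlen] == 2 && ($rtype & 0xff) == 22
         && [TCP::payload length] < 5 + ($rlen & 0xffff) } {
        return
    }
    # Walk the ClientHello; catch protects against malformed or non-TLS data.
    catch {
        binary scan $payload cx4c rtype htype
        if { ($rtype & 0xff) == 22 && ($htype & 0xff) == 1 } {
            set off 43  ;# past record/handshake headers, client version and random
            binary scan $payload @${off}c n ; incr off [expr {1 + ($n & 0xff)}]   ;# session id
            binary scan $payload @${off}S n ; incr off [expr {2 + ($n & 0xffff)}] ;# cipher suites
            binary scan $payload @${off}c n ; incr off [expr {1 + ($n & 0xff)}]   ;# compression
            binary scan $payload @${off}S n ; incr off 2                          ;# extensions length
            set end [expr {$off + ($n & 0xffff)}]
            while { $off + 4 <= $end } {
                binary scan $payload @${off}SS etype elen
                set etype [expr {$etype & 0xffff}] ; set elen [expr {$elen & 0xffff}]
                incr off 4
                if { $etype == 0 } {
                    # server_name extension: list len (2), name type (1), name len (2), host name
                    binary scan $payload @[expr {$off + 3}]S nlen
                    binary scan $payload @[expr {$off + 5}]a[expr {$nlen & 0xffff}] sni
                    break
                }
                incr off $elen
            }
        }
    }
    if { $sni ne "" } {
        set profile [class lookup [string tolower $sni] dg_sni_profiles]
        if { $profile ne "" } {
            # Select the per-hostname profile before the handshake; unmatched
            # or missing SNI names keep the VIP's default client-ssl profile.
            SSL::profile $profile
        }
    }
    TCP::release
}
```

The first check can only be enforced per hostname; a client that sends no SNI at all lands on the default profile, so that profile's cipher and protocol settings are the baseline to review.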