Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

K-Dubb's avatar
K-Dubb
Icon for Nimbostratus rankNimbostratus
Mar 12, 2019

SNI

Has anyone tried to use multiple SSL profiles on a VIP with SNI and each profile have different allowed ciphers/protocols? This article indicates that each profile can have different security requir...
application delivery
LTM
security
Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Mar 12, 2019

Hi K-Dubb,

you have to read the SNI value on the TCP layer by using the 

TCP::collect
and 
TCP::payload
commands before the 
CLIENTSSL_CLIENTHELLO
event gets processed. By doing so you will be able to manually 
SSL::profile XYZ
choose a non-sni-aware SSL profile as you like.

Depending on the detailed requirements it may be sufficient to check if the first collected 

TCP::payload
is 
contain
included in given Data-Group. The Data-Group key would be the SNI name and the Data-Group value would be the SSL Profile to become selected. If this approach is not sufficient for your solution, you would need to binary parse the received CLIENTHELLO payload to extract the SNI value more accurately...

Check out Joels SNI parsing iRule to get an idea how to parse the SNI value...

https://devcentral.f5.com/codeshare/tls-server-name-indication

Cheers, Kai