Forum Discussion

Nimbostratus

Nov 22, 2018

SSL::sni name not returning value after update to 12.1.3

Hello, After recently upgrading the lab machine from 12.1.1 to 12.1.3, I have discovered that the following iRule which I have been using to determine if Client SNI and Server SNI match doesn't wor...

Employee

Nov 29, 2018

Interestingly, I believe the behavior of this iRule changed between 12.1.1 and 12.1.3. I just tested on a 13.0 box and it's the same as what you're seeing on 12.1.3.

Basically, in 12.1.1, SSL::sni reads the Server Name attribute in the client SSL profile, and if that's empty, reads the CN of the certificate applied to the client SSL profile.

In 12.1.3 and beyond, SSL::sni only reads the Server Name field value. So in your case, you'd simply need to add the Server Name string to each client SSL profile that matches the corresponding cert's CN or SAN value.

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

SSL::sni name not returning value after update to 12.1.3

Jonathan - March 2026 Featured Member

F5 AppWorld 2026 Las Vegas - iRules Contest Winners!

2026 F5 DevCentral MVP Announcement

Recent Discussions

ASM/AWAF declarative policy

Changes to DO and AS3 GitHub - no longer monitored

Help with SSH Virtual Server

GRE Tunnel Issue

Help with an iRule to disconnect active connections to Pool Members that are "offline"

Related Content

SSL Orchestrator Use Case: Inbound SNI Switching

BIG-IP Geolocation Updates – Part 7

SSL Orchestrator Use Case: Inbound SNI Switching with version 9.1

BIG-IP Geolocation Updates – Part 1

BIG-IP Geolocation Updates – Part 2

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS