Forum Discussion
Joel_Moses
Nimbostratus
15 years ago
TLS Server Name Indication iRule
http://devcentral.f5.com/wiki/default.aspx/iRules/TLS_ServerNameIndication.html
I posted the iRule above for discussion purposes. It decodes the TLS SNI extension field in an SSL/TLS negotiation and then attempts to dynamically switch the ClientSSL profile based on what it sees in this field. Essentially, this will allow you to use multiple certificates with a single VIP, dynamically switching them when the browser client changes the host it's requesting.
I'm intending to add support for changing pools as well -- that means that it's possible to support multiple certificates and multiple pools via a single VIP behind TLS encryption. But I thought I'd get this earlier proof of concept out there so people can see it and discuss it.
Joel
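As an added example (not Joel's iRule, which is Tcl on the BIG-IP), here is a Python version of the same two steps: pull the host_name out of the ClientHello's server_name extension, then look it up in two hostname-keyed tables standing in for the two data groups, falling through to the defaults when the host is unknown. build_client_hello only constructs a test input; the table names and values are assumptions.

```python
import struct

# Constructed stand-ins for the two data groups the post describes (hypothetical names).
SSL_PROFILES = {"www.example.com": "clientssl_www", "api.example.com": "clientssl_api"}
POOLS = {"www.example.com": "pool_www", "api.example.com": "pool_api"}
DEFAULT_PROFILE, DEFAULT_POOL = "clientssl_default", "pool_default"

def build_client_hello(host_name: bytes) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying one server_name extension."""
    sni = struct.pack("!BH", 0, len(host_name)) + host_name      # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni)) + sni
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list          # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32                            # client_version, random
            + b"\x00"                                             # session_id (empty)
            + b"\x00\x02\x00\x2f"                                 # one cipher suite
            + b"\x01\x00"                                         # null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body        # handshake type 1, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs      # record type 22 = handshake

def extract_sni(record: bytes):
    """Return the SNI host_name from a TLS ClientHello record, or None if absent or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:                # handshake record, ClientHello
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        p = 4 + 2 + 32                                             # header, client_version, random
        p += 1 + hs[p]                                             # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]               # cipher_suites
        p += 1 + hs[p]                                             # compression_methods
        ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]      # raises if no extensions block
        p += 2
        while p + 4 <= min(ext_end, len(hs)):
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            data, p = hs[p + 4:p + 4 + elen], p + 4 + elen
            if etype != 0:                                         # 0 = server_name
                continue
            q = 2                                                  # skip server_name_list length
            while q + 3 <= len(data):
                ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
                if ntype == 0 and q + 3 + nlen <= len(data):       # name_type host_name, in bounds
                    return data[q + 3:q + 3 + nlen].decode("ascii", "replace").lower()
                q += 3 + nlen
    except (IndexError, struct.error):                             # truncated or garbage input
        pass
    return None

def select_targets(record: bytes):
    host = extract_sni(record)
    return SSL_PROFILES.get(host, DEFAULT_PROFILE), POOLS.get(host, DEFAULT_POOL)
```

A client that sends no SNI (the WinXP case discussed below) yields None and therefore the default profile and pool, which is the same fall-through the post describes.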
24 Replies
- Nat_Thirasuttakorn
Employee
I have not read the iRule in detail yet. But as a quick look, iRule looks really cool.
Nat
- Joel_Moses
Nimbostratus
Thanks!
I just posted a revision once I realized that there's a really easy way to do pool selection with a second data group list. One datagroup sets the clientSSL profile per hostname, and the other sets the pool per hostname. If it's not in either datagroup, it'll fall through to the default pool or clientSSL profile.
So -- now this will allow you to host multiple sites from multiple pools using multiple certificates, all through a single VIP.
...if browser support for SNI is there, of course. :>
Joel
- hoolio
Cirrostratus
That's really cool that you figured this out Joel. Unfortunately, as you mention, no WinXP support for TLS SNI limits the value for most people.
Aaron
- Steve_Brown_882
Historic F5 Account
This is pretty cool Joel. Way more useful than the Futurama rule from a few weeks ago. ;)
- Joel_Moses
Nimbostratus
Aaron: That's true; it's pretty useful for corporate customers who have good control over their browser installed base, though. And for people who don't care if they ever support an IE user. :>
Steve: Useful is a term best defined by the person with the correct need!
- Steve_Brown_882
Historic F5 Account
That is a very good point.
- L4L7_53191
Nimbostratus
Another clinic by Joel - nicely done.
-Matt
- The_Bhattman
Nimbostratus
Joel: Good work!!! This is very cool stuff....now if only I can get rid of Windows XP. ;-)
Bhattman
- JRahm
Admin
Good luck on that Bhattman... :)
Great example of TLS SNI, Joel. CR94903 is in the system to add support for this to the SSL profile. If you'd like to see this added as a native feature you can open a support case and have it linked.
- James_Quinby_46
Historic F5 Account
Very nice stuff, this. I've idly wondered on and off whether or not Berkeley pcap-style expressions for getting into the TCP headers and such would be useful.