For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Joel_Moses's avatar
Joel_Moses
Icon for Nimbostratus rankNimbostratus
Mar 28, 2011

TLS Server Name Indication iRule

http://devcentral.f5.com/wiki/default.aspx/iRules/TLS_ServerNameIndication.html     I posted the iRule above for discussion purposes. It decodes the TLS SNI extension field in an SSL/TLS negot...
application delivery
dev
devops
iRules
Greg_Chew_31149's avatar
Greg_Chew_31149
Historic F5 Account
Jul 18, 2014

https://devcentral.f5.com/wiki/iRules.TLS-ServerNameIndication.ashx is the updated link as of 7/17/14

 

  • Thomas_Schaefer's avatar
    Thomas_Schaefer
    Icon for Nimbostratus rankNimbostratus
    Sep 07, 2018

    I have a related issue I am trying to solve. I have an external server that I need to set SNI on the way out as the remote server needs SNI.

     

    The data flow is a server behind the BigIP sends data in clear text to a BigIP VS, the connection then use a Server SSL profile to enable TLS1.2.

     

    I would like to populate the server name extension in an iRule attached to this VS. I found some code under SSL::extensions. I am not clear how I would adapt this to insert an SNI. From the text of the above iRule, it looks like the type is 0.

     

    Can anyone suggest how I can insert an SNI into the CLIENT_HELLO the BigIP will send?

     

    when SERVERSSL_CLIENTHELLO_SEND { set my_ext "Hello world!" set my_ext_type 62965 SSL::extensions insert [binary format S1S1a* $my_ext_type [string length $my_ext] $my_ext] }

     

    Thanks - Tom