Forum Discussion
TLS Server Name Indication iRule
http://devcentral.f5.com/wiki/default.aspx/iRules/TLS_ServerNameIndication.html
I posted the iRule above for discussion purposes. It decodes the TLS SNI extension field in an SSL/TLS negotiation and then attempts to dynamically switch the ClientSSL profile based on what it sees in this field. Essentially, this will allow you to use multiple certificates with a single VIP, dynamically switching them when the browser client changes the host it's requesting.
I'm intending to add support for changing pools as well -- that means that it's possible to support multiple certificates and multiple pools via a single VIP behind TLS encryption. But I thought I'd get this earlier proof of concept out there so people can see it and discuss it.
Joel
24 Replies
- Mauz
Altostratus
We had to ask the CA for a special certificate, as the root cert for 100000 terminals was being deprecated. The root cert was 1024 bit of key size and we could not update the root cert for 100000 terminals. The CA set up a special cert for our organization as a temporary solution.
- Greg_Chew_31149
Historic F5 Account
https://devcentral.f5.com/wiki/iRules.TLS-ServerNameIndication.ashx is the updated link as of 7/17/14
- Thomas_Schaefer
Nimbostratus
I have a related issue I am trying to solve. I have an external server that I need to set SNI on the way out as the remote server needs SNI.
The data flow is: a server behind the BigIP sends data in clear text to a BigIP VS, and the connection then uses a Server SSL profile to enable TLS 1.2.
I would like to populate the server name extension in an iRule attached to this VS. I found some code under SSL::extensions. I am not clear how I would adapt this to insert an SNI. From the text of the above iRule, it looks like the type is 0.
Can anyone suggest how I can insert an SNI into the CLIENT_HELLO the BigIP will send?
when SERVERSSL_CLIENTHELLO_SEND {
    set my_ext "Hello world!"
    set my_ext_type 62965
    # 2-byte extension type, 2-byte payload length, then the raw payload
    SSL::extensions insert [binary format S1S1a* $my_ext_type [string length $my_ext] $my_ext]
}
Thanks - Tom
- Kevin_Stewart
Employee
The server SSL profile has a "Server Name" property that will insert an SNI value.
But if you need this to be dynamic, the following will do what you need:
when SERVERSSL_CLIENTHELLO_SEND {
    # $servername must have been set earlier in the connection (e.g. in another event)
    if { [info exists servername] } {
        # Fields, in order: extension type (0 = server_name), extension length,
        # server_name_list length, name type, name length, then the name itself.
        # Note that S1 0 followed by c <len> yields the same bytes as the RFC's
        # 1-byte name_type plus 2-byte name length as long as the name is
        # shorter than 256 bytes.
        set bin [binary format S1S1S1S1ca* 0 \
            [expr {[string length ${servername}] + 5}] \
            [expr {[string length ${servername}] + 3}] \
            0 [string length ${servername}] ${servername}]
        SSL::extensions insert $bin
    }
}
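The byte layout that the reply's `binary format` call emits, and that the original iRule decodes on the client side, is the server_name extension from RFC 6066. The following Python is an added example, not code from this thread or from F5: it builds the extension the RFC way, reproduces the reply's field split byte for byte to show where the two agree and where they stop agreeing (names of 256 bytes or more), and parses a ClientHello extensions block with bounds checks so a truncated or malformed block raises instead of being read past. All names, the sample extension bytes and the helper function names are constructed for the example.

```python
"""Encode and decode the TLS server_name (SNI) extension (RFC 6066 section 3)."""
import struct

SNI_EXT_TYPE = 0             # extension_type value for server_name
SNI_NAME_TYPE_HOSTNAME = 0   # NameType host_name


def build_sni_extension(hostname: str) -> bytes:
    """Wire layout: type(2) | ext_len(2) | list_len(2) | name_type(1) | name_len(2) | name."""
    name = hostname.encode("ascii")
    if not 1 <= len(name) <= 0xFFFF:
        raise ValueError("hostname must be 1..65535 bytes")
    server_name = struct.pack("!BH", SNI_NAME_TYPE_HOSTNAME, len(name)) + name
    name_list = struct.pack("!H", len(server_name)) + server_name
    return struct.pack("!HH", SNI_EXT_TYPE, len(name_list)) + name_list


def build_sni_irule_style(hostname: str) -> bytes:
    """Byte-for-byte what `binary format S1S1S1S1ca*` in the reply produces:
    four big-endian 16-bit fields, one 8-bit field, then the name. The split
    differs from the RFC (2-byte zero then 1-byte length, instead of 1-byte
    type then 2-byte length); the bytes coincide only while len(name) < 256.
    Tcl's `c` keeps the low 8 bits of larger lengths, mimicked with & 0xFF."""
    name = hostname.encode("ascii")
    n = len(name)
    return struct.pack("!HHHHB", 0, n + 5, n + 3, 0, n & 0xFF) + name


def extract_sni(extensions: bytes):
    """Walk a ClientHello extensions block (the bytes after the 2-byte
    extensions length) and return the host_name from a server_name extension,
    or None if there is none. Raises ValueError on truncated data."""
    pos = 0
    while pos < len(extensions):
        if pos + 4 > len(extensions):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack_from("!HH", extensions, pos)
        pos += 4
        if pos + ext_len > len(extensions):
            raise ValueError("extension length exceeds block")
        body = extensions[pos:pos + ext_len]
        pos += ext_len
        if ext_type != SNI_EXT_TYPE:
            continue
        if len(body) < 2:
            raise ValueError("truncated server_name_list length")
        (list_len,) = struct.unpack_from("!H", body, 0)
        entries = body[2:2 + list_len]
        if len(entries) != list_len:
            raise ValueError("server_name_list truncated")
        epos = 0
        while epos < len(entries):
            if epos + 3 > len(entries):
                raise ValueError("truncated ServerName entry")
            name_type, name_len = struct.unpack_from("!BH", entries, epos)
            epos += 3
            name = entries[epos:epos + name_len]
            if len(name) != name_len:
                raise ValueError("host_name truncated")
            epos += name_len
            if name_type == SNI_NAME_TYPE_HOSTNAME:
                return name.decode("ascii")
    return None


def rejects_truncation(extensions: bytes) -> bool:
    """True if the parser refuses the block rather than reading past its end."""
    try:
        extract_sni(extensions)
    except ValueError:
        return True
    return False


# Constructed sample: one unrelated extension (type 10, supported_groups, with a
# made-up 4-byte body) followed by a server_name extension for a sample host.
SAMPLE_OTHER_EXT = struct.pack("!HH", 0x000A, 4) + b"\x00\x02\x00\x1d"
SAMPLE_EXTENSIONS = SAMPLE_OTHER_EXT + build_sni_extension("www.example.com")

if __name__ == "__main__":
    print(build_sni_extension("www.example.com").hex())
    print(extract_sni(SAMPLE_EXTENSIONS))
    print(rejects_truncation(SAMPLE_EXTENSIONS[:-3]))
```

Running the file prints the 24-byte extension as hex, the recovered hostname, and `True` for the truncated block. The equality between the two builders is the reason the reply's format string works in practice, and the inequality for long names is the caveat to keep in mind if the value of `servername` is ever not under your control.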