Client side to server side SNI relay iRule

Problem this snippet solves:

Hi Folks,

the iRule below can be used to relay client side provided TLS SNI extensions to the server side. The iRule is usefull if your pool servers depending on matching SNI records and you don't want to configure dedicated Server SSL Profiles for each single web application.

Cheers, Kai

How to use this snippet:

  1. Attach the iRule to the Virtual Server where you need to relay the TLS SNI expensions
  2. Make sure you've cleared the "Server Name" option in your Server_SSL_Profile

Code :

when CLIENTSSL_HANDSHAKE {
    if { [SSL::extensions exists -type 0] } then {
        set tls_sni_extension [SSL::extensions -type 0]
    } else {
        set tls_sni_extension ""
    }
}
when SERVERSSL_CLIENTHELLO_SEND {
    if { $tls_sni_extension ne "" } then {
        SSL::extensions insert $tls_sni_extension
    }
}

Tested this on version:

12.0
Published Sep 12, 2016
Version 1.0
devops
security
server name indication relay
sni
sni relay
Kai_Wilke's avatar
Icon for MVP rankMVP
My name is Kai Wilke and I'm working as a Principal Consultant for IT-Security at itacs GmbH - a German consulting company specialized in Microsoft Security cloud solutions, F5 customizations as well as for classic IT-Consulting. You can find additional information about me and my work here: https://devcentral.f5.com/articles/q-a-with-itacs-gmbhs-kai-wilke-devcentrals-featured-member-for-february-24890
View Profile
Kai_Wilke's avatar
Icon for MVP rankMVP
My name is Kai Wilke and I'm working as a Principal Consultant for IT-Security at itacs GmbH - a German consulting company specialized in Microsoft Security cloud solutions, F5 customizations as well as for classic IT-Consulting. You can find additional information about me and my work here: https://devcentral.f5.com/articles/q-a-with-itacs-gmbhs-kai-wilke-devcentrals-featured-member-for-february-24890
View Profile
No CommentsBe the first to comment