Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Serverside SNI injection iRule

Problem this snippet solves: Hi Folks, the iRule below can be used to inject a TLS SNI extension to the server side based on e.g. HOST-Header values. The iRule is usefull if your pool servers depe...
Updated Jun 05, 2023
Version 2.0
devops
security
server name indication injection
sni
sni injection
Kai_Wilke's avatar
Icon for MVP rankMVP
My name is Kai Wilke and I'm working as a Principal Consultant for IT-Security at itacs GmbH - a German consulting company specialized in Microsoft Security cloud solutions, F5 customizations as well as for classic IT-Consulting. You can find additional information about me and my work here: https://devcentral.f5.com/articles/q-a-with-itacs-gmbhs-kai-wilke-devcentrals-featured-member-for-february-24890
View Profile
Angorya's avatar
Angorya
Icon for Nimbostratus rankNimbostratus
Sep 11, 2017

F5 has it as a Known Issue for 13.0:

 

653495-1 : Incorrect SNI hostname attached to serverside connections

 

Component: Local Traffic Manager

 

Symptoms: SNI hostname submitted to a virtual server on the client side is sent to server side, even if there is a different hostname specified in the server SSL profile.

 

Conditions: -- Client side ClientHello contains SNI.

 

Impact: SNI is sent from client to server without stripping or rewriting the SNI.

 

Workaround: None.

 

It seems we have to wait for them to patch it...