Serverside SNI injection iRule

Problem this snippet solves: Hi Folks, the iRule below can be used to inject a TLS SNI extension to the server side based on e.g. HOST-Header values. The iRule is usefull if your pool servers depe...
Updated Jun 06, 2023
Version 2.0
devops
security
server name indication injection
sni
sni injection
Kai_Wilke's avatar
Icon for MVP rankMVP
My name is Kai Wilke and I'm working as a Principal Consultant for IT-Security at itacs GmbH - a German consulting company specialized in Microsoft Security cloud solutions, F5 customizations as well as for classic IT-Consulting. You can find additional information about me and my work here: https://devcentral.f5.com/articles/q-a-with-itacs-gmbhs-kai-wilke-devcentrals-featured-member-for-february-24890
View Profile
Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Sep 11, 2017

Hi Angorya,

 

Workaround: None.

 

Seems to be an dead end then, since you can not remove an existing SNI extension from the Handshake for now (see my prequisites Step 3.).

 

The last chance I see for you is by utilizing a VIP-targeting-VIP setup, so that you can still use SNI to flip SSL Profiles for the client side connection (aka. external VS) while making sure to not forward a SNI value to APM (aka. internal VS). At least this approach will allow you to mitigate the listed condition "Client side ClientHello contains SNI." and would then allow you to insert a SNI value of your choice on the connection between the internal VS and backend servers.

 

Cheers, Kai