Serverside SNI injection iRule

Problem this snippet solves:

Hi Folks,

the iRule below can be used to inject a TLS SNI extension to the server side based on e.g. HOST-Header values. The iRule is usefull if your pool servers depending on valid SNI records and you don't want to configure dedicated Server SSL Profiles for each single web application.

Cheers, Kai

How to use this snippet:

  1. Attach the iRule to the Virtual Server where you need to insert a TLS SNI expension
  2. Tweak the 
    $sni_value
    variable within the 
    HTTP_REQUEST
    to meet your requirements or move it to a different event as needed.
  3. Make sure you've cleared the "Server Name" option in your Server_SSL_Profile.

Code :

when HTTP_REQUEST {
#Set the SNI value (e.g. HTTP::host)
set sni_value [getfield [HTTP::host] ":" 1]
}
when SERVERSSL_CLIENTHELLO_SEND {

# SNI extension record as defined in RFC 3546/3.1
#
# - TLS Extension Type                =  int16( 0 = SNI ) 
# - TLS Extension Length              =  int16( $sni_length + 5 byte )
#    - SNI Record Length              =  int16( $sni_length + 3 byte)
#       - SNI Record Type             =   int8( 0 = HOST )
#          - SNI Record Value Length  =  int16( $sni_length )
#          - SNI Record Value         =    str( $sni_value )
#

# Calculate the length of the SNI value, Compute the SNI Record / TLS extension fields and add the result to the SERVERSSL_CLIENTHELLO 

SSL::extensions insert [binary format SSScSa* 0 [expr { [set sni_length [string length $sni_value]] + 5 }] [expr { $sni_length + 3 }] 0 $sni_length $sni_value]

}

Tested this on version:

12.0
Updated Jun 06, 2023
Version 2.0
devops
security
server name indication injection
sni
sni injection
Kai_Wilke's avatar
Icon for MVP rankMVP
My name is Kai Wilke and I'm working as a Principal Consultant for IT-Security at itacs GmbH - a German consulting company specialized in Microsoft Security cloud solutions, F5 customizations as well as for classic IT-Consulting. You can find additional information about me and my work here: https://devcentral.f5.com/articles/q-a-with-itacs-gmbhs-kai-wilke-devcentrals-featured-member-for-february-24890
View Profile
  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    Jul 11, 2017

    @angorya f5 can't know its own host name in irule. I guess you mean the host name of the virtual server!

     

    If you use APM With rewrite mode, read my first comment!

     

  • Angorya's avatar
    Angorya
    Icon for Nimbostratus rankNimbostratus
    Jul 11, 2017

    Stanislas, you're correct, I expressed myself incorrectly. It's sending the VS hostname.

     

    I'm using APM with rewrite mode, so I followed your suggestion when I read this thread (I did test Kai's iRule too). I had the iRule log what it does, so I can see that the hostname that it's going to inject is the correct one, but in the packet capture I still see the VS hostname.

     

    Edit: Just in case, this is in 13.0.0.

     

  • Dane_19050's avatar
    Dane_19050
    Icon for Nimbostratus rankNimbostratus
    Aug 23, 2017

    @angorya, I am seeing the same behavior you are. I have a portal access profile setup to route traffic to an internal app. I used the rule above and the tcpdumps still show the original server name instead of the injected server name.

     

  • alex_talmage_28's avatar
    alex_talmage_28
    Icon for Nimbostratus rankNimbostratus
    Sep 11, 2017

    I am struggling the same as Angorya and Dane to get this working with Portal-Access. Replaced HTTP_Request with ACCESS_ACL_ALLOWED and its still sending the original SNI

     

  • Angorya's avatar
    Angorya
    Icon for Nimbostratus rankNimbostratus
    Sep 11, 2017

    F5 has it as a Known Issue for 13.0:

     

    653495-1 : Incorrect SNI hostname attached to serverside connections

     

    Component: Local Traffic Manager

     

    Symptoms: SNI hostname submitted to a virtual server on the client side is sent to server side, even if there is a different hostname specified in the server SSL profile.

     

    Conditions: -- Client side ClientHello contains SNI.

     

    Impact: SNI is sent from client to server without stripping or rewriting the SNI.

     

    Workaround: None.

     

    It seems we have to wait for them to patch it...

     

  • Kai_Wilke's avatar
    Kai_Wilke
    Icon for MVP rankMVP
    Sep 11, 2017

    Hi Angorya,

     

    Workaround: None.

     

    Seems to be an dead end then, since you can not remove an existing SNI extension from the Handshake for now (see my prequisites Step 3.).

     

    The last chance I see for you is by utilizing a VIP-targeting-VIP setup, so that you can still use SNI to flip SSL Profiles for the client side connection (aka. external VS) while making sure to not forward a SNI value to APM (aka. internal VS). At least this approach will allow you to mitigate the listed condition "Client side ClientHello contains SNI." and would then allow you to insert a SNI value of your choice on the connection between the internal VS and backend servers.

     

    Cheers, Kai

     

  • Christoph_Lange's avatar
    Christoph_Lange
    Icon for Altostratus rankAltostratus
    Jan 25, 2018

    I have two virtual servers with multiple server ssl profiles applied. One is working, the second only work with one domain. Replacing the multiple server ssl profiles with this irule solved the problem. Thanks!