TLS server_name extension based routing without clientssl profile
Thanks so much for publishing this. I am working on a similar issue where SSL is terminated behind the BIG-IP and want to distribute the traffic to certain pools depending on the Host header.
We started with an iRule based on this one: https://devcentral.f5.com/questions/match-ssl-sni-and-redirect-ssl-traffic-without-ssl-termination
From time to time we get errors:
- bad option "-28159": must be -exact, -glob, -regexp, or -- while executing "switch $tls_version { "769" - "770" - "771" { if { ($tls_xacttype == 22) }...'
These have led to further investigation, including the suggestion that we should limit the TCP::collect, given the possibility of causing tmm to crash if the scan doesn't find what it needs and reads too much data.
https://support.f5.com/csp/article/K6578
https://support.f5.com/csp/article/K13387
I was wondering if this is a concern, as there's an open TCP::collect here. So basically, my question is: in this iRule, should the TCP::collect be limited to a certain number of bytes, and if so, how many would be enough to ensure that we can reach the SNI value?
Again - thanks for sharing this, it's super helpful.
-M
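As an added example (not code from the post above or from the linked iRule), here is a reference ClientHello parser in Python that answers the sizing question by construction: it walks the ClientHello field by field and reports the exact byte offset at which the server_name value becomes readable, so you can see that the figure depends on the session ID, the cipher-suite list and any extensions that precede server_name, and that no fixed constant is "enough". It also reads the 16-bit length from the TLS record header, which is the only bound a collect can safely rely on: collect the 5-byte record header, then at most 5 + length more. The function names and the constructed ClientHello bytes are mine, not from any F5 code.

```python
import struct

# TLS constants (RFC 8446 / RFC 6066)
TLS_HANDSHAKE = 22
HS_CLIENT_HELLO = 1
EXT_SERVER_NAME = 0
SNI_HOST_NAME = 0


class _Short(Exception):
    """Raised internally when the buffer ends before offset `end`."""
    def __init__(self, end):
        self.end = end


def find_sni(buf):
    """Incrementally parse a TLS ClientHello sitting at the start of a TCP stream.

    Returns one of:
      ("need", n)          -- at least n bytes in total are required to continue
      ("sni", name, used)  -- server_name found; `used` bytes were needed to reach it
      ("no_sni", used)     -- a ClientHello without server_name
      ("not_tls", reason)  -- not a TLS ClientHello record: stop collecting
      ("unsupported", reason)
    """
    def need(end):
        if len(buf) < end:
            raise _Short(end)

    try:
        need(5)
        ctype, vmaj, vmin, rec_len = struct.unpack("!BBBH", buf[:5])
        if ctype != TLS_HANDSHAKE or vmaj != 3:
            return ("not_tls", "record type %d, version %d.%d" % (ctype, vmaj, vmin))
        need(9)
        hs_type = buf[5]
        hs_len = int.from_bytes(buf[6:9], "big")
        if hs_type != HS_CLIENT_HELLO:
            return ("not_tls", "handshake type %d is not ClientHello" % hs_type)
        if hs_len + 4 > rec_len:
            return ("unsupported", "ClientHello is fragmented across TLS records")
        hello_end = 9 + hs_len
        pos = 9 + 2 + 32                     # skip client_version and random
        need(pos + 1)
        pos += 1 + buf[pos]                  # session_id
        need(pos + 2)
        pos += 2 + struct.unpack("!H", buf[pos:pos + 2])[0]   # cipher_suites
        need(pos + 1)
        pos += 1 + buf[pos]                  # compression_methods
        if pos >= hello_end:
            return ("no_sni", hello_end)     # ClientHello with no extensions
        need(pos + 2)
        ext_end = pos + 2 + struct.unpack("!H", buf[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            need(pos + 4)
            ext_type, ext_len = struct.unpack("!HH", buf[pos:pos + 4])
            pos += 4
            if ext_type != EXT_SERVER_NAME:
                pos += ext_len               # skip extensions ahead of server_name
                continue
            need(pos + 2)
            list_end = pos + 2 + struct.unpack("!H", buf[pos:pos + 2])[0]
            pos += 2
            while pos + 3 <= list_end:
                need(pos + 3)
                name_type = buf[pos]
                name_len = struct.unpack("!H", buf[pos + 1:pos + 3])[0]
                pos += 3
                need(pos + name_len)
                if name_type == SNI_HOST_NAME:
                    name = buf[pos:pos + name_len].decode("ascii", "replace")
                    return ("sni", name, pos + name_len)
                pos += name_len
            return ("no_sni", hello_end)
        return ("no_sni", hello_end)
    except _Short as e:
        return ("need", e.end)


def record_budget(buf):
    """Upper bound on bytes worth collecting: 5-byte header plus the record length."""
    if len(buf) < 5:
        return 5
    return 5 + struct.unpack("!H", buf[3:5])[0]


def collect_until_sni(stream, start=5):
    """Simulate a bounded collect: grow the buffered prefix only as far as the
    parser asks for, and never beyond the first TLS record. Returns (result, bytes_buffered)."""
    n = min(start, len(stream))
    while True:
        result = find_sni(stream[:n])
        if result[0] != "need":
            return result, n
        want = result[1]
        if want > record_budget(stream[:n]) or want > len(stream):
            return ("truncated", want), n
        n = want


def build_client_hello(hostname, sid_len=32, extra_ext=b""):
    """Constructed test input (not a capture): a TLS 1.2-style ClientHello whose
    server_name extension follows any `extra_ext` bytes placed before it."""
    exts = extra_ext
    if hostname is not None:
        sni_name = hostname.encode()
        sni_list = (struct.pack("!H", 3 + len(sni_name)) + bytes([SNI_HOST_NAME])
                    + struct.pack("!H", len(sni_name)) + sni_name)
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(range(32))                 # client_version, random
            + bytes([sid_len]) + bytes(sid_len)             # session_id
            + struct.pack("!H", 4) + b"\x13\x01\x13\x02"    # cipher_suites
            + b"\x01\x00")                                  # compression_methods
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    hs = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 3, 1]) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    hello = build_client_hello("example.com")
    print(collect_until_sni(hello))
    padded = build_client_hello("example.com", extra_ext=struct.pack("!HH", 21, 200) + bytes(200))
    print(collect_until_sni(padded))
    print(find_sni(b"GET / HTTP/1.1\r\n"))
```

Running it shows the point: with a 32-byte session ID and server_name as the only extension, the name is readable after 106 bytes; drop the session ID and it is 74; put a 200-byte padding extension ahead of server_name and it becomes 310. A ClientHello is also allowed to span several records, which this parser reports as unsupported rather than guessing. The practical takeaway is to let the record-length field set the limit rather than picking a constant, and to release the connection as soon as the first bytes show the stream is not a TLS handshake at all.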