TLS server_name extension based routing without clientssl profile
Problem this snippet solves: Some configurations require that SSL traffic not be decrypted on F5 appliances in order to select a pool based on the HTTP Host header.
I found a useful irule and this code keeps the struct...
Updated Jun 06, 2023
Version 2.0
Stanislas_Piro2
Cumulonimbus
Joined January 04, 2011
kazeem_yusuf1
Aug 06, 2018
Nimbostratus
Hello Stanislas, I need help on decrypting an https enrichment problem. The scenario is an https virtual server terminating https to a backend pool on http. We have clients sending https enriched requests to certificates terminated on F5 (the enrichment is embedded in a TLS extension value in the CLIENT HELLO).
However, because the certificate loaded on F5 uses standard "server hello" settings, the SSL handshake fails.
1. Is it possible to have the data in the client hello included in the request sent to the backend server?
2. Is there an iRule that can be included on F5 that can be used to create TLS extension values? (I worked on an iRule using CLIENTSSL_CLIENTHELLO but haven't made headway.)
    when CLIENTSSL_CLIENTHELLO {
        set my_ext "Hello world!"
        set my_ext_type 17516
        # Packed as: 16-bit extension type, 16-bit length, then the extension data
        SSL::extensions insert [binary format S1S1a* $my_ext_type [string length $my_ext] $my_ext]
    }
Looking forward to hearing from you.
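To make the wire format behind both the title and the question above concrete, here is an added offline Python example (not the iRule from this page and not F5 code). It walks the extensions of an undecrypted ClientHello, returns the server_name used for pool selection, and exposes any other extension value such as type 17516 from the comment. It assumes the ClientHello fits in a single TLS record; the host names, pool names and sample bytes are constructed.

```python
import struct

def client_hello_extensions(record: bytes) -> dict:
    """Map extension type -> raw value for one TLS record holding a ClientHello."""
    try:
        if record[0] != 0x16:                        # 0x16 = handshake record
            raise ValueError("not a TLS handshake record")
        body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if body[0] != 0x01:                          # 0x01 = ClientHello
            raise ValueError("not a ClientHello")
        pos = 4 + 2 + 32                             # handshake header, version, random
        pos += 1 + body[pos]                         # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                         # compression_methods
        if pos == len(body):
            return {}                                # hello without extensions
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos, exts = pos + 2, {}
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            if pos + 4 + elen > min(end, len(body)):
                raise ValueError("truncated extension")
            exts[etype] = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
        return exts
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None

def server_name(exts: dict):
    """Return the host_name from the server_name extension (type 0), or None."""
    data = exts.get(0, b"")
    if len(data) < 5 or data[2] != 0:                # name_type 0 = host_name
        return None
    name_len = struct.unpack("!H", data[3:5])[0]
    return data[5:5 + name_len].decode("ascii", "replace").lower()

def select_pool(record: bytes, pools: dict, default: str) -> str:
    return pools.get(server_name(client_hello_extensions(record)), default)

def sample_client_hello(host: bytes, custom: bytes) -> bytes:
    """Constructed test input: minimal ClientHello with SNI and extension 17516."""
    ext = lambda t, d: struct.pack("!HH", t, len(d)) + d
    exts = ext(0, struct.pack("!HBH", len(host) + 3, 0, len(host)) + host) + ext(17516, custom)
    hello = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

POOLS = {"app.example.com": "pool_app"}   # hypothetical pool names
```

Anything that is not a complete ClientHello raises ValueError, so a caller can fall back to a default pool or reject the connection instead of routing on partial data.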