TLS server_name extension based routing without clientssl profile

Problem this snippet solves:

Some configuration requires to not decrypt SSL traffic on F5 appliances to select pool based on HTTP Host header.

I found a useful irule and this code keeps the structure and most of binary commands of it. I'm not sure if the first author was Kevin Stewart or Colin Walker. thanks both of them to have provided such code.

I worked to understand it reading TLS 1.2 RFC 5246 and TLS 1.3 draft-23 and provided some enhancements and following description with irule variables references. According to TLS 1.3 draft-23, this code will still be valid with next TLS version.

the following network diagram shows one use cases where this code will help.

This diagram show how this code works based on the tls_servername_routing_dg Datagroup values and detected server name and TLS versions detected in the CLIENT_HELLO packet.

For performances reasons, only the first TCP data packet is analyzed.

Versions :

1.1 : Updated to support TLS version detection and SSL offload feature. (05/03/2018)

1.2 : Updated to support TLS Handshake Failure Messages instead of reject. (09/03/2018)

1.3 : Updated to support node forwarding, logs only for debug (disabled with static variable), and changed the Datagroup name to

tls_servername_routing_dg
. (16/03/2018)

1.4 : Added 16K handshake length limit defined in RFC 1.2 in variable payload. (13/04/2018)

1.5 : Added supported version extension recursion, to bypass unknown TLS version if a known and allowed version is in the list. This correct an issue with Google chrome which include not documented TLS version on top of the list. (30/04/2018)

How to use this snippet:

create a virtual server with following configuration:

  • type : Standard
  • SSL Profile (client) : Only if you want to enable SSL offload for some pools
  • irule : code bellow

create all objects used in following datagroup (virtual servers, pools)

create a data-group named tls_servername_routing_dg.

  • if you want to forward to pool, add the value
    pool NameOfPool
  • if you want to forward to pool and enable SSL Offload (ClientSSL profile must be enabled on virtual server), add the value
    pool NameOfPool ssl_offload
  • if you want to forward to virtual server, add the value
    virtual NameOfVirtual
  • if you want to forward to an IP address, add the value
    node IPOfServer
    , backend server will not be translated
  • if you want to reject the connection with RFC compliant handshake_failure message, add the value
    handshake_failure
  • if you want to reject the connection, add the value
    reject
  • if you want to drop the connection, add the value
    drop

The

default
value keyword is search if there is no TLS server name extension or if TLS server name extension is not found in the data group. here is an example:

ltm data-group internal tls_servername_routing_dg {
    records {
        app1.company.com {
            data "virtual vs_app1.company.com"
        }
        app2.company.com {
            data "pool p_app2"
        }
        app3.company.com {
            data "pool p_app3 ssl_offload"
        }
        app4.company.com {
            reject
        }
        default {
            data "handshake_failure"
        }
    }
    type string
}

Code :

when RULE_INIT {
    set static::sni_routing_debug 0
}
 
when CLIENT_ACCEPTED {
    if { [PROFILE::exists clientssl] } {
        # We have a clientssl profile attached to this VIP but we need
        # to find an SNI record in the client handshake. To do so, we'll
        # disable SSL processing and collect the initial TCP payload.
        set ssldisable "SSL::disable"
        set sslenable "SSL::enable"
        eval $ssldisable
    }                
    TCP::collect
    set default_pool [LB::server pool]
    set tls_servername ""
    set tls_handshake_prefered_version "0000"
}
when CLIENT_DATA {
    # Store TCP Payload up to 2^14 + 5 bytes (Handshake length is up to 2^14)
    set payload [TCP::payload 16389]
    set payloadlen [TCP::payload length]
    
    # - Record layer content-type     (1 byte) --> variable tls_record_content_type
    #    Handshake value is 22 (required for CLIENT_HELLO packet)
    # - SSLv3 / TLS version. (2 byte)  --> variable tls_version
    #    SSLv3 value is 0x0300 (doesn't support SNI, not valid in first condition)
    #    TLS_1.0 value is 0x0301
    #    TLS_1.1 value is 0x0302, 0x0301 in CLIENT_HELLO handskake packet for backward compatibility (not specified in RFC, that's why the value 0x0302 is allowed in condition)
    #    TLS_1.2 value is 0x0303, 0x0301 in CLIENT_HELLO handskake packet for backward compatibility (not specified in RFC, that's why the value 0x0303 is allowed in condition)
    #    TLS_1.3 value is 0x0304, 0x0301 in CLIENT_HELLO handskake packet for backward compatibility (explicitly specified in RFC)
    #    TLS_1.3 drafts values are 0x7FXX (XX is the hexadecimal encoded draft version), 0x0301 in CLIENT_HELLO handskake packet for backward compatibility (explicitly specified in RFC)
    # - Record layer content length (2 bytes) : must match payload length --> variable tls_recordlen
    # - TLS Hanshake protocol (length defined by Record layer content length value)
    #       - Handshake action (1 byte) : CLIENT_HELLO = 1 --> variable tls_handshake_action
    #       - handshake length  (3 bytes)
    #       -  SSL / TLS handshake version (2 byte)
    #           In TLS 1.3 CLIENT_HELLO handskake packet, TLS hanshake version is sent whith 0303 (TLS 1.2) version for backward compatibility. a new TLS extension add version negociation.
    #       - hanshake random (32 bytes)
    #       - handshake sessionID length (1 byte) --> variable tls_handshake_sessidlen
    #       - handshake sessionID (length defined by sessionID length value, max 32-bit)
    #       - CipherSuites length (2 bytes) --> variable tls_ciphlen
    #       - CipherSuites (length defined by CipherSuites length value)
    #       - Compression length (2 bytes) --> variable tls_complen
    #       - Compression methods (length defined by Compression length value)
    #       - Extensions 
    #           - Extension length (2 bytes)  --> variable tls_extension_length
    #           - list of Extensions records (length defined by extension length value)
    #               - extension record type (2 bytes) : server_name = 0, supported_versions = 43--> variable tls_extension_type
    #               - extension record length (2 bytes) --> variable tls_extension_record_length
    #               - extension data (length defined by extension record length value)
    #
    #   TLS server_name extension data format:
    #       - SNI record length (2 bytes)
    #       - SNI record data (length defined by SNI record length value)
    #           - SNI record type (1 byte)
    #           - SNI record value length (2 bytes)
    #           - SNI record value (length defined by SNI record value length value) --> variable tls_servername
    #
    #   TLS supported_version extension data format (added in TLS 1.3):
    #       -  supported version length (1 bytes) --> variable tls_supported_versions_length
    #       - List of supported versions (2 bytes per version) --> variable tls_supported_versions
 
 
 
    # If valid TLS 1.X CLIENT_HELLO handshake packet
    if { [binary scan $payload cH4Scx3H4x32c tls_record_content_type tls_version tls_recordlen tls_handshake_action tls_handshake_version tls_handshake_sessidlen] == 6 && \
        ($tls_record_content_type == 22) && \
        ([string match {030[1-3]} $tls_version]) && \
        ($tls_handshake_action == 1) && \
        ($payloadlen == $tls_recordlen+5)} {
 
        # store in a variable the handshake version
        set tls_handshake_prefered_version $tls_handshake_version
 
        # skip past the session id
        set record_offset [expr {44 + $tls_handshake_sessidlen}]
 
        # skip past the cipher list
        binary scan $payload @${record_offset}S tls_ciphlen
        set record_offset [expr {$record_offset + 2 + $tls_ciphlen}]
 
        # skip past the compression list
        binary scan $payload @${record_offset}c tls_complen
        set record_offset [expr {$record_offset + 1 + $tls_complen}]
 
        # check for the existence of ssl extensions
        if { ($payloadlen > $record_offset) } {
            # skip to the start of the first extension
            binary scan $payload @${record_offset}S tls_extension_length
            set record_offset [expr {$record_offset + 2}]
            # Check if extension length + offset equals payload length
            if {$record_offset + $tls_extension_length == $payloadlen} {
                # for each extension
                while { $record_offset < $payloadlen } {
                    binary scan $payload @${record_offset}SS tls_extension_type tls_extension_record_length
                    if { $tls_extension_type == 0 } {
                        # if it's a servername extension read the servername
                        # SNI record value start after extension type (2 bytes), extension record length (2 bytes), record type (2 bytes), record type (1 byte), record value length (2 bytes) = 9 bytes
                        binary scan $payload @[expr {$record_offset + 9}]A[expr {$tls_extension_record_length - 5}] tls_servername
                        set record_offset [expr {$record_offset + $tls_extension_record_length + 4}]
                        
                    } elseif { $tls_extension_type == 43 } {
                        # if it's a supported_version extension (starting with TLS 1.3), extract supported version in a list
                        binary scan $payload @[expr {${record_offset} + 4}]cS[expr {($tls_extension_record_length -1)/2}] tls_supported_versions_length tls_supported_versions
                        set tls_handshake_prefered_version [list]
                        foreach version $tls_supported_versions {
                            lappend tls_handshake_prefered_version [format %04X [expr { $version & 0xffff }] ]
                        }
                        if {$static::sni_routing_debug} {log local0. "[IP::remote_addr] : prefered version list : $tls_handshake_prefered_version"}
                        set record_offset [expr {$record_offset + $tls_extension_record_length + 4}]
                    } else {
                        # skip over other extensions
                        set record_offset [expr {$record_offset + $tls_extension_record_length + 4}]
                    }
                }
            }
        }
    } elseif { [binary scan $payload cH4 ssl_record_content_type ssl_version] == 2 && \
        ($tls_record_content_type == 22) && \
        ($tls_version == 0300)} {
        # SSLv3 detected
        set tls_handshake_prefered_version "0300"
    } elseif { [binary scan $payload H2x1H2 ssl_version handshake_protocol_message] == 2 && \
        ($ssl_version == 80) && \
        ($handshake_protocol_message == 01)} {
            # SSLv2 detected
            set tls_handshake_prefered_version "0200"
        }
    unset -nocomplain payload payloadlen tls_record_content_type tls_recordlen tls_handshake_action tls_handshake_sessidlen record_offset tls_ciphlen tls_complen tls_extension_length tls_extension_type tls_extension_record_length tls_supported_versions_length tls_supported_versions
 
    foreach version $tls_handshake_prefered_version {
        switch -glob -- $version {
            "0200" {
                if {$static::sni_routing_debug} {log local0. "[IP::remote_addr] : SSLv2 ; connection is rejected"}
                reject
                return
            }
            "0300" -
            "0301" {
                if {$static::sni_routing_debug} {log local0. "[IP::remote_addr] : SSL/TLS ; connection is rejected (0x$version)"}
                    # Handshake Failure packet format:
                    #
                    # - Record layer content-type     (1 byte) --> variable tls_record_content_type
                    #    Alert value is 21 (required for Handshake Failure packet)
                    # - SSLv3 / TLS version. (2 bytes)  --> from variable tls_version
                    # - Record layer content length (2 bytes) : value is 2 for Alert message
                    # - TLS Message (length defined by Record layer content length value)
                    #       - Level (1 byte) : value is 2 (fatal)
                    #       - Description (1 bytes) : value is 40 (Handshake Failure)
                TCP::respond [binary format cH4Scc 21 $tls_version 2 2 40]
                after 10
                TCP::close
                #drop
                #reject
                return
            }
            "030[2-9]" -
            "7F[0-9A-F][0-9A-F]" {
                # TLS version allowed, do nothing
                break
            }
            "0000" {
                if {$static::sni_routing_debug} {log local0. "[IP::remote_addr] : No SSL/TLS protocol detected ; connection is rejected (0x$version)"}
                reject
                return
            }
            default {
                if {$static::sni_routing_debug} {log local0. "[IP::remote_addr] : Unknown CLIENT_HELLO TLS handshake prefered version : 0x$version"}
            }
        }
    }
 
    if { $tls_servername equals "" || ([set sni_dg_value [class match -value [string tolower $tls_servername] equals tls_servername_routing_dg]] equals "")} {
        set sni_dg_value [class match -value "default" equals tls_servername_routing_dg]
    }
 
    switch [lindex $sni_dg_value 0] {
        "virtual" {
            if {[catch {virtual [lindex $sni_dg_value 1]}]} {
                if {$static::sni_routing_debug} {log local0. "[IP::remote_addr] : TLS server_name value = ${tls_servername} ; TLS prefered version = 0x${tls_handshake_prefered_version} ; Virtual server [lindex $sni_dg_value 1] doesn't exist"}
            } else {
                if {$static::sni_routing_debug} {log local0. "[IP::remote_addr] : TLS server_name value = ${tls_servername} ; TLS prefered version = 0x${tls_handshake_prefered_version} ; forwarded to Virtual server [lindex $sni_dg_value 1]"}
            }
        }
        "pool" {
            if {[catch {pool [lindex $sni_dg_value 1]}]} {
                if {$static::sni_routing_debug} {log local0. "[IP::remote_addr] : TLS server_name value = ${tls_servername} ; TLS prefered version = 0x${tls_handshake_prefered_version} ; Pool [lindex $sni_dg_value 1] doesn't exist"}
            } else {
                if {$static::sni_routing_debug} {log local0. "[IP::remote_addr] : TLS server_name value = ${tls_servername} ; TLS prefered version = 0x${tls_handshake_prefered_version} ; forwarded to Pool [lindex $sni_dg_value 1]"}
            }
            if {[lindex $sni_dg_value 2] equals "ssl_offload" && [info exists sslenable]} {
                eval $sslenable
            }
        }
        "node" {
            if {[catch {node [lindex $sni_dg_value 1]}]} {
                if {$static::sni_routing_debug} {log local0. "[IP::remote_addr] : TLS server_name value = ${tls_servername} ; TLS prefered version = 0x${tls_handshake_prefered_version} ; Invalid Node value [lindex $sni_dg_value 1]"}
            } else {
                if {$static::sni_routing_debug} {log local0. "[IP::remote_addr] : TLS server_name value = ${tls_servername} ; TLS prefered version = 0x${tls_handshake_prefered_version} ; forwarded to Node [lindex $sni_dg_value 1]"}
            }
        }
        "handshake_failure" {
            if {$static::sni_routing_debug} {log local0. "[IP::remote_addr] : TLS server_name value = ${tls_servername} ; TLS prefered version = 0x${tls_handshake_prefered_version} ; connection is rejected (with Handshake Failure message)"}
            TCP::respond [binary format cH4Scc 21 $tls_handshake_prefered_version 2 2 40]
            after 10
            TCP::close
            return
        }
        "reject" {
            if {$static::sni_routing_debug} {log local0. "[IP::remote_addr] : TLS server_name value = ${tls_servername} ; TLS prefered version = 0x${tls_handshake_prefered_version} ; connection is rejected"}
            reject
            return
        }
        "drop" {
            if {$static::sni_routing_debug} {log local0. "[IP::remote_addr] : TLS server_name value = ${tls_servername} ; TLS prefered version = 0x${tls_handshake_prefered_version} ; connection is dropped"}
            drop
            return
        }
    }
    TCP::release
}
Updated Jun 06, 2023
Version 2.0
  • It appears that the latest version of Google Chrome (version 124) on MacOS has broken the above code. With debugging turned on, we get this when a MacOS client accesses a virtual server with this rule:

    No SSL/TLS protocol detected ; connection is rejected (0x0000)

    Can anyone else confirm this? Any idea how to fix it? Stanislas_Piro2 

     

  • If virtual server doesn't have a clientssl profile, assigning an irule with SSL::disable command is not possible.

    to allow to use this command only if clientssl profile is assigned, i set a variable with the command and evaluate the command

    if { [PROFILE::exists clientssl] } {
         We have a clientssl profile attached to this VIP but we need
         to find an SNI record in the client handshake. To do so, we'll
         disable SSL processing and collect the initial TCP payload.
        set ssldisable "SSL::disable"
        set sslenable "SSL::enable"
        eval $ssldisable
    } 
    

    [PROFILE::exists clientssl]
    is true only if the virtual server have a clientssl profile assigned.

  • What is the advantage of using these two statements?

        set ssldisable "SSL::disable"
        set sslenable "SSL::enable"
    
  • My apologies StanislaS, i have updated the irule on this question ON DEVCENTRAL page i created as advised.

     

  • @kazeem

     

    1. This snippet doesn't manage virtual servers terminating SSL on F5, So please only add comments here related to the code above. If there is no answer on the question you posted in "Answer section", try to update it with your new search (the irule you posted here for example)
    2. Devcentral is a forum where experts helps others during free time. please don't contact me with linkedIn if I don't answer here.

    Regards,

     

    Stanislas

     

  • Hello Stanislas, I need help on decrypting https enrichment problem. The Scenario is an https virtual server terminating https to backend pool on http. We have clients sending https enriched requests to certificates terminated on F5. (the enrichment is embedded on a tls extensionvalue in CLIENT HELLO)

     

    However, because the certificate loaded ON F5 uses standard "server hello" settings, the ssl handshake fails.

     

    1.Is it possible to have the data on client hello included in request sent to backend server.

     

    1. Is there an irule that can be included on F5 that can be used to create tls extension values. ( i worked on an irule using CLIENTSSL_CLIENTHELLO but haven't gotten headway).

    when CLIENTSSL_CLIENTHELLO { set my_ext "Hello world!" set my_ext_type 17516 SSL::extensions insert [binary format S1S1a* $my_ext_type [string length $my_ext] $my_ext] }

     

    Looking forward to hearing from you.

     

  • @Mel : your issue is not a collect size issue but a non tls packet deciding issue

     

    The returned value of binary command is -28159 which is not a valid tls version yet (a signed to unsigned convertion may be done)

     

    Then after this decoding, the value is checked within switch command which handle any value starting with dash as a parameter : -28159 is not a valid parameter.

     

    You can replace the switch command with

     

    switch —- $tls_version    
    

    Or use this code which does not the same test.

     

  • Thanks so much for publishing this - I am working on a similar issue where SSL is terminated behind the Bigip and want to distribute the traffic to certain pools depending on the Host header.

    We started with an iRule based on this one: https://devcentral.f5.com/questions/match-ssl-sni-and-redirect-ssl-traffic-without-ssl-termination

    From time to time we get errors:

     - bad option "-28159": must be -exact, -glob, -regexp, or -- while executing "switch $tls_version { "769" - "770" - "771" { if { ($tls_xacttype == 22) }...'

    Which have lead to further investigations including the suggestion that we should limit the TCP:collect based on the possibility of causing the tmm to crash if the scan doesn't find what it needs and reads too much data.

    https://support.f5.com/csp/article/K6578

    https://support.f5.com/csp/article/K13387

    I was wondering if this is a concern as there's an open TCP:collect here. So basically, my question is - in this iRule should the TCP:collect be limited to a certain number of bytes, and if so, how many would be enough to ensure that we can reach the SNI value?

    Again - thanks for sharing this, it's super helpful.

    -M