HTTPS SNI Monitoring How-to
This has actually been implemented in 13.1.0.
K11323537: Configuring In-TMM monitoring
https://support.f5.com/csp/article/K11323537
This allows you to add a ServerSSL Profile to a Monitor, and in the ServerSSL Profile, you can specify an SNI.
# list ltm monitor https https_in_tmm
ltm monitor https https_in_tmm {
    adaptive disabled
    defaults-from https
    destination *:*
    interval 5
    ip-dscp 0
    recv none
    recv-disable none
    send "GET /\r\n"
    ssl-profile /Common/in-tmm-monitor
    time-until-up 0
    timeout 16
}
ltm profile server-ssl in-tmm-monitor {
    app-service none
    defaults-from serverssl
    server-name email.apmjb2.local
}
Now the monitor sends an SNI of email.apmjb2.local:
# tshark -r /shared/tmp/tmm_sni.pcap -T fields -e ssl.handshake.extensions_server_name -R "ssl.handshake.extensions_server_name" -2
email.apmjb2.local