Multiple Certs, One VIP: TLS Server Name Indication via iRules
An age-old question that we’ve seen time and time again in the iRules forums here on DevCentral is “How can I use iRules to manage multiple SSL certs on one VIP?”. The answer has always historically...
Published Apr 05, 2011
Version 1.0
Colin_Walker_12
Historic F5 Account
Joined May 12, 2005
John_Kalan
Aug 03, 2021, Nimbostratus
The iRule in the original article works great except that it requires the entire CLIENT_HELLO to fit within one TCP packet (because the CLIENT_DATA event gives you only the first packet). With the increasing number of extensions, very large CLIENT_HELLO messages are now possible (looking at you, Edge!).
Perhaps a fix is to remove the extra check in Line 44 ([TCP::payload length] > $tls_recordlen). This changes the requirement from "must fit in one packet" to "SNI must be present in the first packet".
TCL (binary scan) seems to defend well against the buffer overflow that might result.
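The single-segment limitation raised in the comment above, worked through as an added stand-alone Python example. This is not the article's iRule and not the commenter's code: it parses the SNI extension out of a TLS ClientHello the way the iRule does (record header, handshake header, ClientHello fields, extension list), but tracks how many bytes it actually needed, so the two behaviours can be compared. The `require_full_record` flag is an assumed stand-in for the original iRule's `[TCP::payload length] > $tls_recordlen` check ("whole record must be present"); `False` is the relaxed "SNI must be in the first packet" behaviour the comment proposes. The ClientHello is constructed inline, not a capture; a padding extension (type 21) is used only to make the record larger than one TCP segment.

```python
"""Find the SNI in a possibly partial TLS ClientHello buffer (added example)."""
import struct

TLS_HANDSHAKE = 22     # record content type
HS_CLIENT_HELLO = 1    # handshake message type
EXT_SERVER_NAME = 0    # server_name extension
EXT_PADDING = 21       # padding extension (RFC 7685), used here only to fatten the record
SNI_HOST_NAME = 0      # name type host_name


class Incomplete(Exception):
    """Buffer ends before a field we need; .needed is the byte offset we had to reach."""
    def __init__(self, needed):
        super().__init__(f"need {needed} bytes")
        self.needed = needed


def _take(buf, off, n):
    """Return buf[off:off+n], raising Incomplete if the buffer is too short."""
    if off + n > len(buf):
        raise Incomplete(off + n)
    return buf[off:off + n]


def parse_sni(buf, require_full_record=True):
    """Return ("sni", host), ("no_sni", None) or ("incomplete", bytes_needed).

    require_full_record=True mirrors the intent of the iRule check
    [TCP::payload length] > $tls_recordlen (assumption): bail out unless the
    entire TLS record is in the buffer. False parses as far as the buffer
    allows and succeeds as soon as the SNI extension itself is reachable.
    """
    try:
        ctype, vmaj, _vmin, reclen = struct.unpack("!BBBH", _take(buf, 0, 5))
        if ctype != TLS_HANDSHAKE or vmaj != 3:
            return ("no_sni", None)            # not a TLS handshake record (e.g. plain HTTP)
        if require_full_record and len(buf) < 5 + reclen:
            raise Incomplete(5 + reclen)
        off = 5
        if _take(buf, off, 1)[0] != HS_CLIENT_HELLO:
            return ("no_sni", None)
        hs_len = int.from_bytes(_take(buf, off + 1, 3), "big")
        off += 4
        hs_end = off + hs_len
        off += 2 + 32                                           # client_version + random
        off += 1 + _take(buf, off, 1)[0]                        # session_id
        off += 2 + struct.unpack("!H", _take(buf, off, 2))[0]   # cipher_suites
        off += 1 + _take(buf, off, 1)[0]                        # compression_methods
        if off >= hs_end:
            return ("no_sni", None)                             # no extensions block at all
        ext_end = off + 2 + struct.unpack("!H", _take(buf, off, 2))[0]
        off += 2
        while off + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", _take(buf, off, 4))
            off += 4
            if etype == EXT_SERVER_NAME:
                body = _take(buf, off, elen)   # whole extension must be present
                p = 2                          # skip server_name_list length
                while p + 3 <= len(body):
                    ntype, nlen = body[p], struct.unpack("!H", body[p + 1:p + 3])[0]
                    if ntype == SNI_HOST_NAME:
                        return ("sni", body[p + 3:p + 3 + nlen].decode("ascii"))
                    p += 3 + nlen
                return ("no_sni", None)
            off += elen                        # skip extensions we do not care about
        return ("no_sni", None)
    except Incomplete as e:
        return ("incomplete", e.needed)


def build_client_hello(hostname, padding=0):
    """Constructed sample ClientHello (not a capture). hostname=None omits SNI;
    padding bytes of a padding extension go after SNI to enlarge the record."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = bytes([SNI_HOST_NAME]) + struct.pack("!H", len(name)) + name
        exts += struct.pack("!HHH", EXT_SERVER_NAME, len(entry) + 2, len(entry)) + entry
    exts += struct.pack("!HH", EXT_PADDING, padding) + b"\x00" * padding
    body = (b"\x03\x03" + b"\x00" * 32                 # client_version, random
            + b"\x00"                                  # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"       # one cipher suite
            + b"\x01\x00"                              # null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", TLS_HANDSHAKE, 3, 1, len(hs)) + hs


if __name__ == "__main__":
    hello = build_client_hello("www.example.com", padding=1500)   # 1580-byte record
    first_segment = hello[:1460]                                  # typical MSS-sized first segment
    print(parse_sni(hello))                                       # full record: SNI found
    print(parse_sni(first_segment))                               # strict: incomplete, needs 1580
    print(parse_sni(first_segment, require_full_record=False))    # relaxed: SNI found
    print(parse_sni(hello[:60], require_full_record=False))       # SNI cut off: needs 76
```

With the strict check, a ClientHello that spills past the first segment is reported as incomplete together with the byte count that would satisfy it, which is the figure a multi-segment variant of the iRule would have to wait for before re-parsing; with the relaxed check, the parser still succeeds on that same first segment because the SNI extension sits early in the extension list, and only a buffer cut inside the SNI extension itself comes back as incomplete. Either way the parser never reads past the end of the buffer: every field access goes through `_take`, which is the same property the comment attributes to `binary scan`.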