Multiple Certs, One VIP: TLS Server Name Indication via iRules

An age old question that we’ve seen time and time again in the iRules forums here on DevCentral is “How can I use iRules to manage multiple SSL certs on one VIP"?”. The answer has always historically...

Updated Aug 28, 2025

Version 2.0

Historic F5 Account

Joined May 12, 2005

View Profile

John_Kalan

Nimbostratus

Aug 03, 2021

The iRule in the original article works great except that it requires the entire CLIENT_HELLO fit within one TCP packet (because the CLIENT_DATA event gives you only the first packet). With the increasing number of extensions, very large CLIENT_HELLO messages are now possible (looking at you, Edge!).

Perhaps a fix is to remove the extra check in Line 44 ([TCP::payload length] > $tls_recordlen). This changes the requirement from "must fit in one packet" to "SNI must be present in the first packet".

TCL (binary scan) seems to defend well against the buffer overflow that might result.

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)

Multiple Certs, One VIP: TLS Server Name Indication via iRules

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS