For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Extracting the SNI server name

Problem this snippet solves:

The following LTM iRule code snippet helps to lookup incoming connections for using server name indication (aka SNI).

A TLS extension may contain an information about the server name the client wants to talk to.

Based on the information the server may pick a matching SSL certificate or a proxy may create one in real-time.


The code below uses the SSL::extensions function to lookup the SSL client hello message for the SNI extension.

The information is stored in the variable sni_name and its value will be logged conditionally by using the ternary operator.

(The ternary operator is a shortcut to simple if-then-else constructs.)

How to use this snippet:

Create a virtual server in standard mode and assign a client-ssl profile to make sure the SSL connection is terminated on your BIG-IP.

Use the iRule below as a resource of your virtual server to determine the usage of SNI in the client hello message during the SSL handshake.


You may test your results by using the openssl s_client utility, i.e.:

$ openssl s_client -connect <virtual-ip>:<port> -servername <hostname.domain>


Lookup the /var/log/ltm file for related log messages by using (and stop it with CTRL-C):

$ tail -f /var/log/ltm



Code :

when CLIENTSSL_HANDSHAKE {
   if { [SSL::extensions exists -type 0] } {
       # optionally lookup all SNI headers (typically not required)
       binary scan [SSL::extensions -type 0] {SSScSA*} ext_type ext_len sni_list_len sni_name_type sni_name_len sni_name
       log local0. "sni info: ${ext_type} ${ext_len} ${sni_list_len} [expr { ${sni_name_type} & 0xff }] ${sni_name_len} ${sni_name}"
       
       # skip the SNI headers instead to save memory
       binary scan [SSL::extensions -type 0] {@9A*} sni_name
       log local0. "sni name: ${sni_name}"
    }
    # use the ternary operator to return the servername conditionally
    log local0. "sni name: [expr {[info exists sni_name] ? ${sni_name} : {not found} }]"
}

Tested this on version:

12.1
Published Jun 24, 2019
Version 1.0
StephanManthey's avatar
Icon for Nacreous rankNacreous
After working 11 years in the IT industry as systems engineer and consultant I joined F5 in April 2002. While working as Field Systems Engineer I really enjoyed the F5 tech community and interaction with customers and system integrators. I left F5 Networks in April 2013 to work as a self-employed consultant focussing on F5´s LTM and GTM solutions. Kudos to F5 for still providing me full time access to hard- and software and licenses to evaluate things. I´m living close to the City of Frankfurt, Germany, I´m married with two sons and enjoy hiking, cycling and geocaching during my spare time. You can get in touch with me through www.lb-net.com.
View Profile
StephanManthey's avatar
Icon for Nacreous rankNacreous
After working 11 years in the IT industry as systems engineer and consultant I joined F5 in April 2002. While working as Field Systems Engineer I really enjoyed the F5 tech community and interaction with customers and system integrators. I left F5 Networks in April 2013 to work as a self-employed consultant focussing on F5´s LTM and GTM solutions. Kudos to F5 for still providing me full time access to hard- and software and licenses to evaluate things. I´m living close to the City of Frankfurt, Germany, I´m married with two sons and enjoy hiking, cycling and geocaching during my spare time. You can get in touch with me through www.lb-net.com.
View Profile
No CommentsBe the first to comment