Serverside SNI injection iRule

Problem this snippet solves:

Hi Folks,

the iRule below can be used to inject a TLS SNI extension to the server side based on e.g. HOST-Header values. The iRule is usefull if your pool servers depending on valid SNI records and you don't want to configure dedicated Server SSL Profiles for each single web application.

Cheers, Kai

How to use this snippet:

  1. Attach the iRule to the Virtual Server where you need to insert a TLS SNI expension
  2. Tweak the
    $sni_value
    variable within the
    HTTP_REQUEST
    to meet your requirements or move it to a different event as needed.
  3. Make sure you've cleared the "Server Name" option in your Server_SSL_Profile.

Code :

when HTTP_REQUEST {
#Set the SNI value (e.g. HTTP::host)
set sni_value [getfield [HTTP::host] ":" 1]
}
when SERVERSSL_CLIENTHELLO_SEND {

# SNI extension record as defined in RFC 3546/3.1
#
# - TLS Extension Type                =  int16( 0 = SNI ) 
# - TLS Extension Length              =  int16( $sni_length + 5 byte )
#    - SNI Record Length              =  int16( $sni_length + 3 byte)
#       - SNI Record Type             =   int8( 0 = HOST )
#          - SNI Record Value Length  =  int16( $sni_length )
#          - SNI Record Value         =    str( $sni_value )
#

# Calculate the length of the SNI value, Compute the SNI Record / TLS extension fields and add the result to the SERVERSSL_CLIENTHELLO 

SSL::extensions insert [binary format SSScSa* 0 [expr { [set sni_length [string length $sni_value]] + 5 }] [expr { $sni_length + 3 }] 0 $sni_length $sni_value]

}

Tested this on version:

12.0
Updated Jun 06, 2023
Version 2.0