Serverside SNI injection iRule
Problem this snippet solves:
Hi Folks,
the iRule below can be used to inject a TLS SNI extension on the server side based on e.g. HOST-Header values. The iRule is useful if your pool servers depend on valid SNI records and you don't want to configure dedicated Server SSL Profiles for each single web application.
Cheers, Kai
How to use this snippet:
- Attach the iRule to the Virtual Server where you need to insert a TLS SNI extension
- Tweak the $sni_value variable within the HTTP_REQUEST event to meet your requirements or move it to a different event as needed.
- Make sure you've cleared the "Server Name" option in your Server SSL Profile.
Code :
when HTTP_REQUEST {
    # Set the SNI value (e.g. HTTP::host)
    set sni_value [getfield [HTTP::host] ":" 1]
}

when SERVERSSL_CLIENTHELLO_SEND {
    # SNI extension record as defined in RFC 3546/3.1
    #
    # - TLS Extension Type        = int16( 0 = SNI )
    # - TLS Extension Length      = int16( $sni_length + 5 byte )
    # - SNI Record Length         = int16( $sni_length + 3 byte )
    # - SNI Record Type           = int8( 0 = HOST )
    # - SNI Record Value Length   = int16( $sni_length )
    # - SNI Record Value          = str( $sni_value )
    #
    # Calculate the length of the SNI value, compute the SNI Record / TLS extension
    # fields and add the result to the SERVERSSL_CLIENTHELLO
    SSL::extensions insert [binary format SSScSa* 0 [expr { [set sni_length [string length $sni_value]] + 5 }] [expr { $sni_length + 3 }] 0 $sni_length $sni_value]
}
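To make the byte layout behind the `binary format SSScSa*` call visible, here is an added Python example (not part of the snippet or of F5's code) that builds the same server_name extension and decodes it back while checking that every nested length field agrees with the payload. The check is what you would want when verifying in a capture that the inserted extension is well-formed; the host names used are constructed sample values.

```python
import struct

SNI_EXTENSION_TYPE = 0   # TLS extension type 0 = server_name (RFC 3546 / RFC 6066)
SNI_NAME_TYPE_HOST = 0   # name type 0 = host_name


def host_from_header(host_header: str) -> str:
    """Mirror of the iRule's `getfield [HTTP::host] ":" 1`: keep only the part before a :port."""
    return host_header.split(":", 1)[0]


def build_sni_extension(host: str) -> bytes:
    """Encode one server_name extension the same way the iRule does.

    Layout (all integers big-endian, matching Tcl's S/c format codes):
      uint16 extension type (0)
      uint16 extension length       = name length + 5
      uint16 server_name_list length = name length + 3
      uint8  name type (0 = host_name)
      uint16 host_name length
      bytes  host_name
    """
    name = host.encode("ascii")
    n = len(name)
    header = struct.pack("!HHHBH", SNI_EXTENSION_TYPE, n + 5, n + 3, SNI_NAME_TYPE_HOST, n)
    return header + name


def parse_sni_extension(data: bytes) -> str:
    """Decode one server_name extension, rejecting any inconsistent length field."""
    if len(data) < 9:
        raise ValueError("extension too short for a server_name header")
    ext_type, ext_len, list_len, name_type, name_len = struct.unpack("!HHHBH", data[:9])
    if ext_type != SNI_EXTENSION_TYPE:
        raise ValueError(f"not a server_name extension (type {ext_type})")
    if ext_len != len(data) - 4:
        raise ValueError("extension length does not match the payload size")
    if list_len != ext_len - 2:
        raise ValueError("server_name_list length is inconsistent with extension length")
    if name_type != SNI_NAME_TYPE_HOST:
        raise ValueError(f"unsupported name type {name_type}")
    if name_len != list_len - 3:
        raise ValueError("host_name length is inconsistent with list length")
    return data[9:9 + name_len].decode("ascii")


def is_valid_sni_extension(data: bytes) -> bool:
    """Convenience wrapper: True when the extension decodes cleanly."""
    try:
        parse_sni_extension(data)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    # Constructed sample: a Host header carrying a port, as the iRule would see it.
    host = host_from_header("www.example.com:8443")
    ext = build_sni_extension(host)
    print(ext.hex(" "))                 # the bytes SSL::extensions insert would add
    print(parse_sni_extension(ext))     # round-trips to www.example.com
    # Corrupt the host_name length field and show the parser catches it.
    broken = ext[:7] + b"\x00\x02" + ext[9:]
    print(is_valid_sni_extension(broken))
```

The three nested length fields are redundant by design, so a decoder can cross-check them; a capture in which they disagree points at a broken insertion rather than at the pool member.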
Tested this on version:
12.0
- Patrik mentioned:
tcl_platform(machine)
Hi Patrik, instead of using the slightly bugged tcl_platform(machine) global variable, you may try the built-in TCL command [info hostname] to easily access the host name of your F5.
Cheers, Kai
- Stanislas_Piro2 (Cumulonimbus)
Hi Kai,
Nice iRule... I used this iRule for an APM portal access resource by replacing the HTTP_REQUEST event by ACCESS_ACL_ALLOWED and it worked.
Hi Stanislas,
I've slightly optimized the iRule. Make sure to update your toolbox... ;-)
Cheers, Kai
- Stanislas_Piro2 (Cumulonimbus)
4 lines for such need.... with encoding explanations!
Awesome!
And it's now ~4 times faster than before :-)
Cheers, Kai
Impressive, five stars! :)
- Stanislas_Piro2 (Cumulonimbus)
Hi Kai,
with this optimized code, do you still use the "Client side to server side SNI relay iRule" or do you always use this one?
- JoeTheFifth (Altostratus)
I was redirected from this thread (https://devcentral.f5.com/questions/help-with-sni-not-being-passed-to-pool-serverscomment50962) to this one by Stanislas. I was struggling with two certs/two profiles with SNI support. Couldn't make it work. I just tested this iRule and it works fine. I wanted to use the default config instead of an iRule as I already have a complex iRule/APM setup, but this solves my issue for the moment. I had a question in mind about how to make it work with two certs, but I answered my question with a quick test. I created a client profile (no SNI setting defined) and added the two certs (with only one key, otherwise you get the error 'Client SSL profile cannot contain more than one set of same certificate/key type'). I created a server profile (no SNI, no cert, just inherited from the default SSL server). Plugged the iRule into the VS and voilà! :-) Cheers! But I'd like to know if configuring multiple profiles with SNI entries (and a default SNI profile) on a single VS works!
- Stanislas_Piro2 (Cumulonimbus)
You can configure multiple clientssl profiles on the virtual server (to manage client servername certificate selection) with only one serverssl profile and this iRule.
- Angorya (Nimbostratus)
I still can't make it work. For some reason I don't know, the F5 is still sending its own hostname in the Client Hello.