SSL Orchestrator Use Case: Inbound SNI Switching
Published Feb 17, 2021
Version 1.0
Hi Torti, I got an update on this from an expert and here's what he had to say:
So as it turns out, the answer to Torti’s question is ‘no’. The ‘cSS’ binary scan flags are only looking at the outer layer of the TLS packet, and this is ALWAYS 1.0 (769). To get to the inner/actual TLS version you have to add a few more binary scan flags. But that’s not important for fetching the Server Name Indication extension. Plus, TLS 1.3 identifies itself in the TLS extensions, so a TLS 1.3 handshake will have 1.0 as the outer version (same as the others), and 1.2 as the inner version (for backward compatibility).
Otherwise, this iRule works natively for TLS 1.3 as long as encrypted client hello (ECH) isn’t enabled.
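To make the outer-versus-inner version point concrete, here is an added Python example (not the iRule from the article or any F5 code) that builds a constructed TLS 1.3 ClientHello and then parses it the way the iRule's `binary scan ... cSS` does: the first three fields are the record type, the record-layer version (always 0x0301 = 769) and the record length, and only after walking the handshake body do you reach the inner version, the SNI and the supported_versions extension that actually signals TLS 1.3. With ECH enabled the real name would sit inside an encrypted inner hello, so this parser, like the iRule, would only see the outer (public) name.

```python
import struct

# Constructed sample ClientHello (not a real capture): record | handshake | body | extensions.
def build_client_hello(server_name: str, tls13: bool = True) -> bytes:
    name = server_name.encode()
    sni_list = struct.pack("!BH", 0, len(name)) + name            # name_type 0 = host_name
    exts = struct.pack("!HHH", 0x0000, len(sni_list) + 2, len(sni_list)) + sni_list
    if tls13:
        versions = struct.pack("!HH", 0x0304, 0x0303)             # offer TLS 1.3 then 1.2
        exts += struct.pack("!HHB", 0x002B, len(versions) + 1, len(versions)) + versions
    body = (
        struct.pack("!H", 0x0303)          # legacy_version: 1.2 even for a TLS 1.3 client
        + bytes(32)                        # random (zeroed for the sample)
        + b"\x00"                          # session_id length 0
        + struct.pack("!HH", 2, 0x1301)    # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                      # one compression method: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # type 1 = ClientHello
    return struct.pack("!BHH", 0x16, 0x0301, len(handshake)) + handshake  # outer version 1.0

def parse_client_hello(rec: bytes) -> dict:
    # Outer record header: the same three fields the iRule's "cSS" scan reads.
    ctype, rec_ver, _rec_len = struct.unpack("!BHH", rec[:5])
    if ctype != 0x16 or rec[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    p = 9                                                         # skip type + 3-byte length
    hello_ver = struct.unpack("!H", rec[p:p + 2])[0]              # inner (legacy) version
    p += 2 + 32                                                   # version + random
    p += 1 + rec[p]                                               # session_id
    p += 2 + struct.unpack("!H", rec[p:p + 2])[0]                 # cipher_suites
    p += 1 + rec[p]                                               # compression_methods
    ext_len = struct.unpack("!H", rec[p:p + 2])[0]
    p += 2
    end = p + ext_len
    info = {"record_version": rec_ver, "hello_version": hello_ver,
            "sni": None, "supported_versions": []}
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", rec[p:p + 4])
        data = rec[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype == 0x0000:                 # server_name: list_len(2) type(1) len(2) name
            name_len = struct.unpack("!H", data[3:5])[0]
            info["sni"] = data[5:5 + name_len].decode()
        elif etype == 0x002B:               # supported_versions: len(1) then 2-byte versions
            info["supported_versions"] = [
                struct.unpack("!H", data[1 + i:3 + i])[0] for i in range(0, data[0], 2)]
    return info
```

For the constructed hello, `record_version` comes back as 769 while `supported_versions` lists 0x0304 first, which is exactly why the outer field alone cannot tell you a client wants TLS 1.3.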