Forum Discussion

Apr 30, 2019

SNI Implementation

My F5 is running version 13.1.1.4.0.0.4. My organization has an existing web application that uses SNI. One URL does authentication based on certificates, the other URL does authentication based on Active Directory. We want to move this behind the F5 to utilize ASM.


When researching how to set up SNI within the F5, I read numerous sites (listed farther below with a comment or two). I've tried numerous combinations of SSL profiles on the client and server side. On the client side, I tried having a default clientssl with a blank server name section (as described in the K13452 link below) and two more clientssl profiles that have the server name section populated with the respective URLs. I also tried removing the default clientssl with the blank server name and just setting one of the other clientssl profiles as the default. On the server side, I tried mirroring the client SSL profiles. I tried my standard serverssl profile in hopes it would just pass the SNI field. No luck.


The site never comes up. When I do packet captures on my computer and the F5 (I capture the incoming traffic to the VIP and outgoing traffic to the server in the pool), in the TLS Client hello, I see the SNI field when it leaves my computer and arrives at the VIP of the F5. But the packet capture to the server in the pool does NOT have that field in the Client Hello. I don't know what I'm doing wrong.


SSL Profiles Part 7: Server Name Indication


K13452: Configuring a virtual server to serve multiple HTTPS sites using the TLS Server Name Indication feature


How can I configure Server SSL Profiles to connect to different URLs on the same server?


Using the iRule in the accepted answer section from the above article did not get the SNI field to show in the client hello packet to the server in the pool. I make the "hostname" in the iRule "$hostname" and the sites in quotes are the two URLs. The SSL profile is the name of the serverssl profile.


Serverside SNI injection iRule


In the comments of this article, someone links a bug for 13.0. But that doesn't seem to describe what I'm experiencing (I'm experiencing no server side SNI at all).


7 Replies

  • Thank you both for the explanations. I should have added in my original post that this was my first time working with anything SNI, so maybe I have a misunderstanding that I haven't realized yet.


    I now understand that not seeing the server_name extension from the server side of the BIGIP is the expected behavior, but that design decision confuses me. Currently, without the BIGIP involved, the web front end receives client hello packets with this extension and it works properly. So why wouldn't the BIGIP be designed to send them?


    On the web front end, IIS currently has only two sites. One is configured to require SNI (this is a check box in the binding section), the other site has the box unchecked. The box being checked for the one site gave me the impression that the site won't work without the server_name extension.


    In the meantime, I will attempt my configuration like the diagram by Rodrigo.


    • Rodrigo_Albuque (MVP)

      BIG-IP is designed to do this too but SNI was not designed for this. I'd advise you to have a look at SSL Forward Proxy (SNI is forwarded all the way through here) or you can use the injection iRule if that works for you.


    • Scott123456789 (Cirrus)

      I've read a bit about the SSL Forward Proxy and I can see how the web server in the pool will get the server_name extension. But I cannot have two certificates and keys in the client ssl profile, so do I just configure two separate client ssl profiles and add them both to the virtual server? I'm not sure what certificates are supposed to be in the SSL Forward Proxy portion of the configuration either.


  • You can insert an SNI into the server-side SSL session based on the SNI value seen on the client side.

    For example, if you use the Serverside SNI injection iRule mentioned above, replace the sni_value setting logic with:

    when CLIENTSSL_CLIENTHELLO priority 320 {
        # Extension type 0 is server_name (SNI). If the client sent it,
        # skip the 9 header bytes (type, length, list length, name type,
        # name length) and read the remainder as the hostname.
        if {[SSL::extensions exists -type 0]} {
            binary scan [SSL::extensions -type 0] @9A* sni_value
        } else {
            set sni_value {}
        }
        log local0. "SNI: $sni_value"
    }