https://devcentral.f5.com/s/articles/irules-101-09-debugging
when RULE_INIT {
    # Name (no partition prefix) of the clientssl profile meant for clients
    # whose ClientHello carries no server_name (SNI) extension.
    set static::alternate_profile_for_non_sni cbayleap.com_Wildcard_2016
}
when CLIENT_ACCEPTED {
    # Arm ClientHello inspection: with no clientssl profile on the virtual
    # server there is nothing to select, so just log and leave
    # detect_non_sni cleared (no collect, so CLIENT_DATA will not fire).
    if { not [PROFILE::exists clientssl] } {
        log local0. "This iRule is applied to a VS that has no clientssl profile."
        set detect_non_sni 0
        return
    }

    set detect_non_sni 1
    # Keep the handshake from starting until CLIENT_DATA has looked at the
    # raw ClientHello bytes and picked a profile.
    SSL::disable
    TCP::collect
}
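when CLIENT_DATA {
    # Picks the clientssl profile for this connection from the buffered
    # ClientHello. Clients listed in the cbayleap_IP data group, clients that
    # send a server_name (SNI) extension, and anything that cannot be parsed
    # get the SHA2 profile; a complete, well-formed ClientHello with no SNI
    # gets the wildcard profile.
    #
    # Reads:  detect_non_sni (set in CLIENT_ACCEPTED), TCP::payload.
    # Writes: detect_non_sni (cleared on exit); tls_servername when a
    #         host_name entry was parsed (kept for anything else that may
    #         read it - nothing in this file does).
    #
    # Changes vs. the previous revision: every binary scan is bounds-checked
    # against the record length (an unset variable after a failed scan used
    # to raise a Tcl error and reset the connection); lengths are masked to
    # their unsigned width; a handshake record that is not fully buffered is
    # waited for instead of being judged "no SNI"; the profile is applied
    # exactly once, and a failure to select it is logged instead of being
    # swallowed by a bare catch/eval.
    set sni_profile "/Common/cbayleap.com-SHA2"
    set non_sni_profile "/Common/$static::alternate_profile_for_non_sni"

    # Safe default: the SNI-capable profile. Only a complete ClientHello that
    # demonstrably lacks server_name switches this.
    set chosen_profile $sni_profile

    if { [class match [IP::client_addr] equals cbayleap_IP] } {
        # Allow-listed source address: no ClientHello inspection needed.
        set detect_non_sni 0
        log local0. "[IP::client_addr] is matched and applying SHA2 cert"
        # Kept from the original logic: suppress further events of this
        # iRule for the connection once the client is allow-listed.
        event disable all
    }

    if { $detect_non_sni } {
        set payload [TCP::payload]
        set plen [TCP::payload length]
        set hello_complete 0
        set rec_end 0

        # TLS record header: content type (1), version (2), length (2).
        # 'c' and 'S' are signed scans, so mask lengths to their unsigned width.
        if { $plen >= 5 && [binary scan $payload cSS rec_type rec_version rec_len] == 3 } {
            set rec_len [expr {$rec_len & 0xffff}]
            set rec_end [expr {$rec_len + 5}]
            # 22 = handshake; 769/770/771 = record-layer version 3.1/3.2/3.3,
            # which covers the versions a TLS 1.0-1.3 ClientHello puts on the wire.
            set is_handshake [expr {$rec_type == 22 && ($rec_version == 769 || $rec_version == 770 || $rec_version == 771)}]

            if { $is_handshake && $rec_len <= 16384 && $plen < $rec_end } {
                # The record is split across TCP segments: wait for the rest
                # rather than deciding from a truncated hello. The wait is
                # bounded by the 16 KiB TLS record limit; a client that never
                # sends the remainder is left to the connection idle timeout.
                TCP::collect
                return
            }
            # Handshake message type follows the record header; 1 = ClientHello.
            if { $is_handshake && $plen >= $rec_end
                 && [binary scan $payload @5c hs_type] == 1 && $hs_type == 1 } {
                set hello_complete 1
            }
        }

        if { $hello_complete } {
            # ClientHello body after the 4-byte handshake header: version (2),
            # random (32), then variable-length session_id, cipher_suites,
            # compression_methods and, optionally, extensions.
            set off 43
            set well_formed 1
            set sni_present 0

            # session_id: 1-byte length
            if { $off + 1 <= $rec_end && [binary scan $payload @${off}c len] == 1 } {
                set off [expr {$off + 1 + ($len & 0xff)}]
            } else {
                set well_formed 0
            }
            # cipher_suites: 2-byte length
            if { $well_formed && $off + 2 <= $rec_end && [binary scan $payload @${off}S len] == 1 } {
                set off [expr {$off + 2 + ($len & 0xffff)}]
            } else {
                set well_formed 0
            }
            # compression_methods: 1-byte length
            if { $well_formed && $off + 1 <= $rec_end && [binary scan $payload @${off}c len] == 1 } {
                set off [expr {$off + 1 + ($len & 0xff)}]
            } else {
                set well_formed 0
            }

            if { $well_formed && $off + 2 <= $rec_end } {
                # extensions: 2-byte total length, then (type, length, data) triples.
                binary scan $payload @${off}S ext_total
                set pos [expr {$off + 2}]
                set ext_end [expr {$pos + ($ext_total & 0xffff)}]
                if { $ext_end > $rec_end } {
                    # Extensions block claims more bytes than the record holds.
                    set well_formed 0
                }
                while { $well_formed && $pos + 4 <= $ext_end } {
                    binary scan $payload @${pos}SS etype elen
                    set elen [expr {$elen & 0xffff}]
                    set data [expr {$pos + 4}]
                    if { $data + $elen > $ext_end } {
                        set well_formed 0
                        break
                    }
                    if { ($etype & 0xffff) == 0 } {
                        # server_name: list length (2), name_type (1),
                        # name length (2), then the host_name itself.
                        if { $elen >= 5 } {
                            set sni_present 1
                            binary scan $payload @${data}x3S name_len
                            set name_len [expr {$name_len & 0xffff}]
                            set name_max [expr {$elen - 5}]
                            if { $name_len > $name_max } {
                                # Declared name longer than the extension: clamp.
                                set name_len $name_max
                            }
                            binary scan $payload @[expr {$data + 5}]a${name_len} tls_servername
                        }
                        break
                    }
                    set pos [expr {$data + $elen}]
                }
            } elseif { $off != $rec_end } {
                # Lengths overran the record, or a stray byte is left where
                # the extensions length would start: treat as malformed.
                set well_formed 0
            }

            if { $well_formed && ! $sni_present } {
                # Complete, parseable ClientHello with no server_name
                # extension (including a legacy hello with no extensions).
                set chosen_profile $non_sni_profile
            }
        }
    }

    # Select the profile before the handshake is let through. Do not fail
    # silently: if selection fails, the handshake proceeds with whatever
    # profile is already in effect, so the operator needs to see it.
    if { [catch { SSL::profile $chosen_profile } err] } {
        log local0. "Unable to select clientssl profile $chosen_profile for [IP::client_addr]: $err"
    }
    SSL::enable
    TCP::release
    set detect_non_sni 0
}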