
Issue with SSL client profile when adding iRule SNI injection to a VS

Hello,

We want to add the SNI field to our MQTT/TLS traffic between clients and broker servers (acting as servers). Unfortunately, the clients do not support the SNI extension field. The F5 is acting in TLS passthrough. The broker servers are the TLS server endpoint.

For that I use an iRule with SSL::extensions insert (see below). I am creating the SNI extension myself. Unfortunately, when adding my iRule to my virtual server, I cannot validate my virtual server; I get an error that a client SSL profile is not present. Here is my iRule:

    when CLIENTSSL_CLIENTHELLO {

        # SNI extension record as defined in RFC 3546/3.1
        #
        # - TLS Extension Type                =  int16( 0 = SNI )
        # - TLS Extension Length              =  int16( $sni_length + 5 byte )
        #    - SNI Record Length              =  int16( $sni_length + 3 byte)
        #       - SNI Record Type             =   int8( 0 = HOST )
        #          - SNI Record Value Length  =  int16( $sni_length )
        #          - SNI Record Value         =    str( $sni_value )
        #

        # Calculate the length of the SNI value, Compute the SNI Record / TLS extension fields and add the result to the SERVERSSL_CLIENTHELLO

        SSL::extensions insert [binary format SSScSa* 0 [expr { [set sni_length [string length "testname"]] + 5 }] [expr { $sni_length + 3 }] 0 $sni_length "testname"]

    }

I don't understand why I need to add an SSL profile to my virtual server, as the F5 is in TLS passthrough.

Thanks for your answer.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

The CLIENTSSL_CLIENTHELLO event and the SSL::extensions command require the SSL client profile.

To do what you want will probably have to be done in the TCP events, but that greatly complicates getting the data and modifying it.

0
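
To illustrate the data handling the accepted answer refers to, here is an added Python example (not from the original post or from F5) that builds the SNI extension with the byte layout from the iRule's comment and walks a raw ClientHello record to report whether SNI is present. The sample ClientHello is constructed, and the function names are assumptions of this example.

```python
import struct

def sni_extension(hostname: str) -> bytes:
    """SNI extension with the layout from the iRule comment (binary format SSScSa*)."""
    name = hostname.encode("ascii")
    n = len(name)
    # ext type 0, ext length n+5, list length n+3, name type 0 (host), name length n
    return struct.pack("!HHHBH", 0, n + 5, n + 3, 0, n) + name

def client_hello_sni(record: bytes):
    """Return the SNI host name in a single-record ClientHello, or None if absent."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    if len(record) != 5 + struct.unpack("!H", record[3:5])[0]:
        raise ValueError("ClientHello not fully contained in this record")
    pos = 9 + 2 + 32                                        # headers, version, random
    pos += 1 + record[pos]                                  # session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + record[pos]                                  # compression_methods
    if pos >= len(record):
        return None                                         # no extensions block at all
    end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        if ext_type == 0:                                   # server_name
            # skip list length (2 bytes) and name type (1 byte), then read the name
            name_len = struct.unpack("!H", record[pos + 7:pos + 9])[0]
            return record[pos + 9:pos + 9 + name_len].decode("ascii")
        pos += 4 + ext_len
    return None

def sample_client_hello(extensions: bytes) -> bytes:
    """Constructed ClientHello (not a capture): TLS 1.2, one cipher suite."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    other_ext = bytes.fromhex("000b00020100")  # unrelated extension to walk past
    print(client_hello_sni(sample_client_hello(other_ext)))
    print(client_hello_sni(sample_client_hello(other_ext + sni_extension("testname"))))
```

Run against captured ClientHello bytes, a parser like this confirms which clients omit SNI. In true passthrough, a ClientHello rewritten in transit no longer matches the one the client hashes into its Finished message, so the handshake verification fails.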