SNI in sol13452 and Default / fallback client ssl profile

How to drop HTTPS requests for the default / fallback clientssl profile, SNI in sol13452

sol13452 describes very well "Configuring a virtual server to serve multiple HTTPS sites using the TLS Server Name Indication feature", but the solution does not say how to drop the connection if I do not want it to be established when the required hostname (CN / servername) is not coming from the client request. Should I use an iRule, or will a profile parameter tweak enable this feature?


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi Neeraj,

I'm not aware of a configuration hack to bypass the mandatory SNI Default Profile. But you may use the iRule below as a starting point, to parse the requested SNI value and then allow/reject the connection as needed...

when CLIENTSSL_CLIENTHELLO {
    # Extension type 0 is server_name (SNI)
    if { [SSL::extensions exists -type 0] } then {
        # The hostname starts after the 9 header bytes of the extension
        switch -glob -- [string range [SSL::extensions -type 0] 9 end] {
            "site1.domain1.de" -
            "site2.domain1.de" -
            "site3.domain1.de" -
            "*.domain2.de" {
                log local0.debug "SNI Check: Allowing SNI Value = \"[string range [SSL::extensions -type 0] 9 end]\""
                # Allow the request
            }
            default {
                log local0.debug "SNI Check: Blocking SNI Value = \"[string range [SSL::extensions -type 0] 9 end]\""
                reject
            }
        }
    }
}

Note: You have to configure "Require Peer SNI support" in your Client SSL Profiles to block any CLIENTHELLOs without SNI extensions.

Cheers, Kai

0
Comments on this Answer
Comment made 02-Oct-2016 by Neeraj Jags 313

Dear Kai,

The iRule worked perfectly, thanks!!

However, I was looking for some option in the client SSL profile, but unfortunately it either does not exist or no one has clarity on it (like: if I check Require "Peer SNI support" for all client SSL profiles, what will happen?).

Regards,

Neeraj Jagetia

0
Comment made 02-Oct-2016 by Kai Wilke 7323

Hi Neeraj,

The "Require Peer SNI support" option can only be enabled on the SNI Default Profile and causes LTM to require a well-formatted SNI extension to be present to negotiate new SSL sessions.

The problem is that LTM will still not verify the submitted SNI values (it could be "let.me.in") and then always defaults to the Default SNI Profile if the requested SNI value is not matching any of the configured SNI values of your Client SSL Profiles. The provided iRule closes this configuration gap and makes sure that only whitelisted SNI values are allowed to negotiate.

Note: My iRule depends on the "Require Peer SNI support=Enabled" option. Otherwise it will be possible to negotiate the "Default SNI Profile" if the client does not include a SNI extension in its request.

Cheers, Kai

0
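An offline Python model of the check discussed in this thread, added here as an illustration and not code from the original posts or from F5: it parses a raw server_name extension to show why the iRule reads the hostname from byte offset 9, then applies the same allowlist patterns. The function names and sample inputs are constructed, and rejecting a missing extension stands in for the "Require Peer SNI support" profile option.

```python
import fnmatch
import struct

# Same patterns as the arms of the iRule's "switch -glob".
ALLOWED_SNI = ["site1.domain1.de", "site2.domain1.de",
               "site3.domain1.de", "*.domain2.de"]


def build_ext(host):
    """Constructed sample input: a server_name extension with one host_name."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    server_name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", 0, len(server_name_list)) + server_name_list


def parse_sni(ext):
    """Return the host_name, or None if the extension is malformed.

    Layout (RFC 6066): ext_type(2) ext_len(2) list_len(2) name_type(1)
    name_len(2) = 9 bytes, then the name. That is the iRule's offset 9.
    """
    if len(ext) < 9:
        return None
    ext_type, ext_len, list_len, name_type, name_len = struct.unpack("!HHHBH", ext[:9])
    if ext_type != 0 or name_type != 0:
        return None
    if ext_len != len(ext) - 4 or list_len != ext_len - 2 or 9 + name_len > len(ext):
        return None
    try:
        return ext[9:9 + name_len].decode("ascii")
    except UnicodeDecodeError:
        return None


def decide(ext):
    """Return "allow" or "reject" for a ClientHello's raw SNI extension (None = absent)."""
    if ext is None:
        return "reject"   # assumption: models "Require Peer SNI support" being enabled
    host = parse_sni(ext)
    if host is None:
        return "reject"
    # Case-sensitive glob match, like the iRule; "*" also matches dots.
    if any(fnmatch.fnmatchcase(host, pattern) for pattern in ALLOWED_SNI):
        return "allow"
    return "reject"
```

Unlike the iRule, which takes everything from offset 9 to the end of the extension, this model honours the name length field; for a single-entry list the two give the same hostname.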