Serverside SNI injection iRule

Problem this snippet solves:

Hi Folks,

the iRule below can be used to inject a TLS SNI extension on the server side based on, e.g., Host header values. The iRule is useful if your pool servers depend on valid SNI records and you don't want to configure dedicated Server SSL Profiles for each single web application.

Cheers, Kai

How to use this snippet:

  1. Attach the iRule to the Virtual Server where you need to insert a TLS SNI extension.
  2. Tweak the $sni_value variable within the HTTP_REQUEST event to meet your requirements, or move it to a different event as needed.
  3. Make sure you've cleared the "Server Name" option in your Server SSL Profile.

Code:

when HTTP_REQUEST {
    # Set the SNI value (e.g. HTTP::host); getfield drops any ":port" suffix from the Host header
    set sni_value [getfield [HTTP::host] ":" 1]
}

when SERVERSSL_CLIENTHELLO_SEND {

    # SNI extension record as defined in RFC 3546/3.1
    #
    # - TLS Extension Type                =  int16( 0 = SNI )
    # - TLS Extension Length              =  int16( $sni_length + 5 byte )
    #    - SNI Record Length              =  int16( $sni_length + 3 byte )
    #       - SNI Record Type             =   int8( 0 = HOST )
    #          - SNI Record Value Length  =  int16( $sni_length )
    #          - SNI Record Value         =    str( $sni_value )
    #

    # Only inject when HTTP_REQUEST actually set a non-empty value; otherwise the
    # insert would fail on an unset variable or emit an empty (invalid) host_name.
    if { [info exists sni_value] && $sni_value ne "" } {

        # Calculate the length of the SNI value, compute the SNI record / TLS extension
        # fields and add the result to the server-side CLIENTHELLO
        set sni_length [string length $sni_value]
        SSL::extensions insert [binary format SSScSa* 0 [expr { $sni_length + 5 }] [expr { $sni_length + 3 }] 0 $sni_length $sni_value]
    }
}
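As an added worked example (not part of Kai's iRule or of F5's code), the same field layout built and cross-checked in Python. It is handy for confirming what the iRule puts on the wire against a packet capture, and it rejects the empty host_name and the inconsistent length fields a malformed extension would carry:

```python
import struct

SNI_EXTENSION_TYPE = 0   # TLS extension type 0 = server_name
SNI_NAME_TYPE_HOST = 0   # name_type 0 = host_name


def strip_port(host_header: str) -> str:
    """Mirror of the iRule's `getfield [HTTP::host] ":" 1`: drop any :port suffix."""
    return host_header.split(":", 1)[0]


def build_sni_extension(sni_value: str) -> bytes:
    """Encode a server_name extension with the layout the iRule's
    `binary format SSScSa*` call produces (all lengths big-endian)."""
    name = sni_value.encode("ascii")
    n = len(name)
    if n == 0 or n > 0xFFFF:
        raise ValueError("host_name must be 1..65535 bytes")
    # ext type (2) | ext length (2) | list length (2) | name type (1) | name length (2) | name
    return struct.pack("!HHHBH", SNI_EXTENSION_TYPE, n + 5, n + 3, SNI_NAME_TYPE_HOST, n) + name


def parse_sni_extension(data: bytes) -> str:
    """Decode the extension and cross-check every nested length field."""
    if len(data) < 9:
        raise ValueError("too short for a server_name extension")
    ext_type, ext_len, list_len, name_type, name_len = struct.unpack("!HHHBH", data[:9])
    if ext_type != SNI_EXTENSION_TYPE:
        raise ValueError(f"unexpected extension type {ext_type}")
    if name_type != SNI_NAME_TYPE_HOST:
        raise ValueError(f"unexpected name type {name_type}")
    # Each length must equal the one enclosing it minus its own header bytes.
    if ext_len != len(data) - 4 or list_len != ext_len - 2 or name_len != list_len - 3:
        raise ValueError("length fields are inconsistent")
    name = data[9:9 + name_len]
    if len(name) != name_len:
        raise ValueError("truncated host_name")
    return name.decode("ascii")


if __name__ == "__main__":
    # Constructed sample Host header, as the iRule would see it in HTTP_REQUEST
    ext = build_sni_extension(strip_port("www.example.com:8443"))
    print(ext.hex(), "->", parse_sni_extension(ext))
```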

Tested this on version:

12.0
Updated Jun 06, 2023
Version 2.0
