SNI & Subject.DN Question

Question

I have a use case where I filter traffic based on the SNI value gained by a binary scan in CLIENT_DATA but in some cases SNI value is null. I'm wanting to look at the servers subject.dn when this happens. I know that I can gain the subject.dn from SERVERSSL_SERVERCERT in the below code however I have no way to gain the same information in CLIENT_DATA or signal SERVERSSL_SERVERCERT that based on the information in CLIENT_DATA that it needs to get the subject.dn and do stuff. If anyone has any ideas I would be very grateful.&nbsp;when SERVERSSL_SERVERCERT {
    if { [SSL::cert count] != 0 }{
        set cert [SSL::cert 0]
        set subject_dn [findstr [X509::subject [SSL::cert 0]] "CN=" 3 ","]
        log "gn_proxy: Server Certificate Received: $subject_dn [IP::server_addr]"
    }
}

rob_carr · Answer

Why not signal the need to check subject.dn based on the absence of your SNI info?
Pseudocode:
when CLIENT_DATA {
    set check_subject_dn 0
    if { [SNI existence check goes here]}
        [extract SNI and do whatever]
    } else {
        set check_subject_dn 1
    }
}
when SERVERSSL_SERVERCERT {
    if { ([SSL::cert count] != 0) &amp;&amp; $check_subject_dn }{
        set cert [SSL::cert 0]
        set subject_dn [findstr [X509::subject [SSL::cert 0]] "CN=" 3 ","]
        log "gn_proxy: Server Certificate Received: $subject_dn [IP::server_addr]"
}
}

Forum Discussion

SNI & Subject.DN Question

1 Reply

Recent Discussions

Geo Fence in ASM through irule for URI

Client certificate Authentication - open multiple tabs

google autenticator broken barcode

Chrome V 124+ on MacOS - Virtual Server Access Issue

vulnerabilities (CVE-2020-36363), CVE-2016-0736,CVE-2019-6593-FOR VERSION BIGIP LTM-16.1.4

Related Content

Server Profile SNI

How to Troubleshoot SNI

SNI Routing with BIG-IP

SNI Routing with DNS Lookup

Serverside SNI injection iRule