Forum Discussion

Marc
Nov 23, 2018

SSL::sni name not returning value after update to 12.1.3

Hello,

After recently upgrading the lab machine from 12.1.1 to 12.1.3, I have discovered that the following iRule which I have been using to determine if Client SNI and Server SNI match doesn't work anymore:

# Version    1.05
# Changed    17.01.2017
# Summary    This script compares the SNI the client sends to the SNI which the server is using.
#            If they do not match, the connection is rejected. In this way a client cannot try to open a https page for which there is no matching certificate.

when RULE_INIT {
    # Set to 1 for writing messages to the LTM log file
    set static::debug_log 1
}

when CLIENTSSL_CLIENTHELLO {
    if { [SSL::extensions exists -type 0] } {
        set client_servername [string range [SSL::extensions -type 0] 9 [string length [SSL::extensions -type 0]]]
        set server_servername [SSL::sni name]
        if {$static::debug_log > 0} {log local0. "Client SSL Request Server Name: $client_servername"}
        if {$static::debug_log > 0} {log local0. "Server SSL Profile Name: $server_servername"}
        if {[string tolower $client_servername] ne [string tolower $server_servername]} {
            if {$static::debug_log > 0} {log local0. "Client Request ($client_servername) does not match ($server_servername) - Dropping the Connection"}
            reject
        }
    }
}

The log shows

Rule /Common/Website-SSL-SNI-MatchDomains-iRule : Client Request (www.mydomain.com) does not match () - Dropping the Connection

which leads me to assume that for some reason SSL::sni name does not return data after the update.

I used this snippet before because on Port 80 on the same IP I have a virtual server with redirects from a myriad of HTTP-only domains to a handful of SSL-enabled URLs. I have only SSL certificates for these handful of redirection target domains, and with this iRule I was able to reduce calls from all those "HTTPS-Everywhere users" who were reporting to me invalid certificates for domains which weren't SSL-enabled - just because their browser forcibly tried to connect to port 443 first.

I hope somebody can tell me what's wrong or show me a different solution.

Regards, Marc

1 Reply

Interestingly, I believe the behavior of this iRule changed between 12.1.1 and 12.1.3. I just tested on a 13.0 box and it's the same as what you're seeing on 12.1.3.

Basically, in 12.1.1, SSL::sni reads the Server Name attribute in the client SSL profile, and if that's empty, reads the CN of the certificate applied to the client SSL profile.

In 12.1.3 and beyond, SSL::sni only reads the Server Name field value. So in your case, you'd simply need to add the Server Name string to each client SSL profile that matches the corresponding cert's CN or SAN value.
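The following is an added example, not code from the thread: it parses the raw server_name extension bytes (the data behind the iRule's fixed `string range ... 9` offset) and then checks the client SNI against an explicitly configured list of server names, which is what the post-12.1.3 behavior requires since SSL::sni name no longer falls back to the certificate CN. The sample extension bytes and the configured names are constructed for illustration.

```python
import struct
from typing import Iterable, Optional

# Constructed sample: a server_name extension as carried in a ClientHello
# for www.mydomain.com (type 0, length, server_name_list, host_name entry).
HOST = b"www.mydomain.com"
SAMPLE_EXTENSION = (
    struct.pack("!HH", 0, len(HOST) + 5)   # extension type 0, extension length
    + struct.pack("!H", len(HOST) + 3)     # server_name_list length
    + struct.pack("!BH", 0, len(HOST))     # name_type host_name(0), name length
    + HOST
)


def parse_sni(ext: bytes) -> Optional[str]:
    """Return the host_name from a server_name extension, or None if malformed.

    The 9-byte prefix the iRule skips is: type(2) + ext_len(2) + list_len(2)
    + name_type(1) + name_len(2). Each length is cross-checked instead of
    trusting the fixed offset blindly.
    """
    if len(ext) < 9:
        return None
    ext_type, ext_len, list_len, name_type, name_len = struct.unpack("!HHHBH", ext[:9])
    if ext_type != 0 or name_type != 0:
        return None
    if ext_len != len(ext) - 4 or list_len != ext_len - 2 or name_len != list_len - 3:
        return None  # length fields disagree; reject rather than guess
    try:
        return ext[9:9 + name_len].decode("ascii")
    except UnicodeDecodeError:
        return None


def sni_matches(ext: bytes, configured_names: Iterable[str]) -> bool:
    """Mirror the iRule's check against names configured explicitly on the
    profile (the Server Name field), compared case-insensitively as the
    iRule does with string tolower. A missing or malformed SNI does not match."""
    name = parse_sni(ext)
    if name is None:
        return False
    allowed = {n.lower() for n in configured_names}
    return name.lower() in allowed
```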