Drew666
Oct 09, 2019

iRule CMD usage clarification - SSL::SNI

Hi,

 

I'm looking for an iRule command to extract the Server Name attribute (SNI) from an incoming SSL/TLS Client Hello packet.

According to the F5 description:

 

https://clouddocs.f5.com/api/irules/SSL__sni.html

 

The [SSL::SNI] cmd returns the "Server Name" attribute of the SSL Profile currently selected - which is fine if there are multiple SSL profiles attached to the VS.

 

However, for my application, I would like to extract the incoming Server Name from the Client Hello packet.

Would [HTTP::host] work instead?

 

Thanking you

Cheers

Drew

3 Replies

  • ​Here it goes...

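    when CLIENTSSL_HANDSHAKE {
        log local0.info "CLIENTSSL_HANDSHAKE"

        set ext_exists [SSL::extensions exists -type 0]
        log local0.info "SSL extension type 0 exists: $ext_exists"
        if {$ext_exists} {
            # server_name extension layout (RFC 6066): type (2 bytes), length (2),
            # server name list length (2), name type (1), name length (2), host name.
            # Skip the 5 bytes between ext_len and the host name, which starts at offset 9.
            set scan [binary scan [SSL::extensions -type 0] S1S1a5a* ext_type ext_len disc ext]

            #set sni_hostname [binary format H* $ext]
            log local0. "SSL server_name $ext"
        }
    }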
    • Drew666

       

      Hi Yoann

       

      Firstly my apologies for the late reply (have been away)

       

      I'll test it hopefully this week.

       

      Thanking you
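
The byte layout that the iRule in the reply above walks through with `binary scan`, written out as an offline parser with length checks. This is an added example, not code from the thread or from F5; the function names are hypothetical, the sample bytes are constructed, and it assumes the buffer starts with the 2-byte type and 2-byte length header, as the `ext_type`/`ext_len` fields in the iRule imply.

```python
import struct

SNI_EXT_TYPE = 0      # server_name extension (RFC 6066)
HOST_NAME_TYPE = 0    # NameType host_name


def parse_sni_extension(ext: bytes):
    """Return the host_name from a raw server_name extension, or None.

    Assumption: input includes the extension's type and length header.
    """
    if len(ext) < 6:
        return None
    ext_type, ext_len, list_len = struct.unpack_from("!HHH", ext, 0)
    if ext_type != SNI_EXT_TYPE or ext_len != len(ext) - 4:
        return None  # wrong extension, or truncated / padded buffer
    if list_len != ext_len - 2:
        return None  # list length disagrees with extension length
    pos, end = 6, 6 + list_len
    while pos + 3 <= end:
        name_type, name_len = struct.unpack_from("!BH", ext, pos)
        pos += 3
        if name_len == 0 or pos + name_len > end:
            return None  # empty name or length running past the list
        name = ext[pos:pos + name_len]
        pos += name_len
        if name_type == HOST_NAME_TYPE:
            try:
                return name.decode("ascii").lower()
            except UnicodeDecodeError:
                return None  # host_name is carried as ASCII
    return None


def build_sni_extension(host: str) -> bytes:
    """Constructed sample input: a well-formed extension for `host`."""
    name = host.encode("ascii")
    entry = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name
    body = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", SNI_EXT_TYPE, len(body)) + body


if __name__ == "__main__":
    sample = build_sni_extension("app.example.com")
    print(sample[9:])                        # b'app.example.com' (offset 9)
    print(parse_sni_extension(sample))       # app.example.com
    print(parse_sni_extension(sample[:-3]))  # None (truncated)
```

Reading from offset 8 instead of 9 leaves the low byte of the name length in front of the host name, so any comparison against an expected name fails on that stray byte.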