SNI iRule problem

ok, i found that disabling TLS 1.0 under IE properties "fix" the problem.. but for example, the same problem appear if I try to access the VIP from a BB smartphone

 

 

is it possible to avoid this problem with an If statement? I've tried to put an boolean check, but the problem is that the variable doesn't exist :(

doing other tests and put some log point, i've seen that no-SNI capable browser in this statement:

 

 

if { ([TCP::payload length] >= $record_offset) }

 

 

the tcp-payload length and record_offset are always the same number, so when there is this statement "binary scan [TCP::payload] @${record_offset}S tls_extenlen", the variable $tls_extenlen will not be created and so the TCL script break the execution

 

 

i've modified the statement like this "([TCP::payload length] > $record_offset)", and this seems to solve the issue. The no-SNI capable browser can access the VIP (with ssl warning about certification), and also the SNI capable can access

 

 

I don't know if it the right solution, but seems to work.. may be someone can indicate another way to make it work ^_^

 

 

Giammarco:

 

 

Thanks for the input on this. You're right on both counts. I'll need to look at why IE8+XP has an issue with this -- disabling TLS 1.0 is an okay fix but there should be a way to do this without needing a clientside fix. And we can't disable TLS 1.0 handshake checking in the iRule because SNI browsers can be TLS 1.0 (most are).

 

 

The offset thing -- that's also correct on your part. The rule was written originally prototyping against only SNI browsers, so I have to admit, redfaced, that I didn't test it too hard on non-SNI browsers. If I get a chance, I'll go update the iRule and give it another test.

 

 

Of course, if you're running 11.1/11.2, it's better to just use F5's built-in SNI support. :> It doesn't do pool switching, but an iRule on the VIP can easily do that for you once TMOS is done taking care of the SNI selection.

I did verify your fix, and I altered the iRule in the Wiki appropriately. Thanks!

Hi Joel,

 

 

when we installed this F5 in our environment (from distributor), we've tried this iRule under 11.1.0HF2 to apply SNI but didn't work (with or without SNI capable browser). Now you said to me that there is a F5 SNI implementation right? Where I can see how to configure?

 

 

I'm a newbie, and i'm trying to learning step by step

 

 

Many thanks!

Giammarco: No problem at all. It's in 11.1.

 

 

Check out the client SSL profile. You'll notice (with Advanced Mode activated), that there are the following configuration items exposed in the profile:

 

 

- Server Name

 

- Default SSL Profile for SNI

 

- Require Peer SNI Support

 

 

Cheers!