Forum Discussion

niboto_335022's avatar
Icon for Nimbostratus rankNimbostratus
Nov 08, 2017

issue with ssl client profile when adding irule sni injection to a vs


We want to add SNI field to our MQTT/TLS trafic between clients and a broker servers (acting as servers). unfortunatelly, the client do not support SNI extension field. The F5 is acting in TLS passthrough. the broker servers are the TLS server end point.

For that I use an irule with SSL::extensions insert (check below). I am creating my self the SNI extension. unfortunatelly, When adding my irule to my virtual server, I cannot validated my virtual server, i get an error that a client ssl profile is not present. here is my irule:


 SNI extension record as defined in RFC 3546/3.1

 - TLS Extension Type                =  int16( 0 = SNI ) 
 - TLS Extension Length              =  int16( $sni_length + 5 byte )
    - SNI Record Length              =  int16( $sni_length + 3 byte)
       - SNI Record Type             =   int8( 0 = HOST )
          - SNI Record Value Length  =  int16( $sni_length )
          - SNI Record Value         =    str( $sni_value )

 Calculate the length of the SNI value, Compute the SNI Record / TLS extension fields and add the result to the SERVERSSL_CLIENTHELLO 

SSL::extensions insert [binary format SSScSa* 0 [expr { [set sni_length [string length "testname"]] + 5 }] [expr { $sni_length + 3 }] 0 $sni_length "testname"]


I don't understand why i need to add a ssl profile to my virtual server, as F5 is TLS passthrough.

thanks for your answer.

1 Reply

  • the CLIENTSSL_CLIENTHELLO event and the SSL::extensions command require the SSL client profile.


    to do what you want will probably have to be done in the TCP events, but that complicates get the data and modifing it greatly.