Forum Discussion

Neeraj_Jags_152's avatar
Sep 30, 2016

SNI in sol13452 and Default / fallback client ssl profile

how to Drop https request for Default / fallback clientssl profile, SNI in sol13452 sol13452 describes very well for "Configuring a virtual server to serve multiple HTTPS sites using the TLS Server Name Indication feature" but solution does not say about if I do not want the connection to establish when required hostname (CN / servername) is not coming from client request then how to drop the connection. Should I use iRule or profile parameter tweak will enable this feature.

 

  • Hi Neeraj,

    I'm not aware of a configuration hack to bypass the mandatory SNI Default Profile. But you may use the iRule below as a starting point, to parse the requested SNI value and then allow/reject the connection as needed...

    when CLIENTSSL_CLIENTHELLO {
        if { [SSL::extensions exists -type 0] } then {
            switch -glob -- [string range [SSL::extensions -type 0] 9 end] {
                "site1.domain1.de" -
                "site2.domain1.de" -
                "site3.domain1.de" -
                    "*.domain2.de" {
                    log local0.debug "SNI Check: Allowing SNI Value = \"[string range [SSL::extensions -type 0] 9 end]\""
                    Allow the request
                } 
                default {
                    log local0.debug "SNI Check: Blocking SNI Value = \"[string range [SSL::extensions -type 0] 9 end]\""
                    reject
                }           
            }
        }
    }
    

    Note: You have to configure "Require Peer SNI support" in your Client SSL Profiles to block any CLIENTHELLO's without SNI extentions.

    Cheers, Kai