SNI

Question

Has anyone tried to use multiple SSL profiles on a VIP with SNI and each profile have different allowed ciphers/protocols?  This article indicates that each profile can have different security requirements which I interpret as different allowed ciphers.
https://devcentral.f5.com/articles/ssl-profiles-part-7-server-name-indication&nbsp;
However this one states that F5 "recommends" the same ciphers:
https://support.f5.com/csp/article/K13452&nbsp;
I had a use case where I had one VIP, and needed certain clients to only have certain ciphers allowed. However, it appears that it is not possible even with SNI. The LTM does not allow you to apply any profile to the VIP where the ciphers don't match. I spoke with our F5 sales engineer and he tested in a lab and came to the same conclusion.&nbsp;
Has anyone found a way around this? Just curious.&nbsp;

keesvandenbos · Answer

Set up VIP targetted VIP and use a traffic policy.&nbsp;
First VIP listens on 443 and had has no ssl profiles, snat or http profile. It only has a local traffic policy.&nbsp;
This policy will forward traffic to a targetted vip (1 vip per client ssl profile) based on the SNI name in the TLS client hello.&nbsp;&nbsp;
Per targetted VS you have a client ssl profile with the correct certificate and ciphers, http profile.&nbsp;
Some useful resources:&nbsp;
https://devcentral.f5.com/articles/lightboard-lessons-vip-targeting-vip&nbsp;
https://devcentral.f5.com/articles/sni-routing-with-big-ip-31348&nbsp;

kai_wilke · Answer

Hi K-Dubb,
you have to read the SNI value on the TCP layer by using the TCP::collect and TCP::payload commands before the CLIENTSSL_CLIENTHELLO event gets processed. By doing so you will be able to manually SSL::profile XYZ choose a non-sni-aware SSL profile as you like.
Depending on the detailed requirements it may be sufficient to check if the first collected TCP::payload is contain included in given Data-Group. The Data-Group key would be the SNI name and the Data-Group value would be the SSL Profile to become selected. If this approach is not sufficient for your solution, you would need to binary parse the received CLIENTHELLO payload to extract the SNI value more accurately...
Check out Joels SNI parsing iRule to get an idea how to parse the SNI value...
https://devcentral.f5.com/codeshare/tls-server-name-indication
Cheers, Kai

k-dubb · Answer

What if instead of trying to do a different profile, I used the existing profile/VIP and wrote a policy to reset traffic if a certain protocol is used for a certain server name? Basically:
Match all the following conditions
SSL Extension server name is abc.domain.com at ssl client hello
client ssl protocol is SSLv3 at request time
Do the following:
Reset traffic

So if a request comes in for abc.domain.com attempting with SSLv3, reset it. All other hosts would be allowed.  Thoughts?
Edit: I might have to use HTTP Host instead if the protocol does not support SNI. 
Edit 2: I did test this and it does reset the connection once there is a GET request. It does however still show up in an SSL Scan as expected.

Forum Discussion

SNI

3 Replies

Recent Discussions

F5 WAF risk assessment process

APM parse HTTP Connector json to message box, iRule etc.

OS resource consume between 1 slot with 4 cpu core and 2 slot 2 cpu core

BETAFORT RECOVERY A PROFESSIONAL DIGITAL ASSETS RECOVERY

Curl usage

Related Content

Server Profile SNI

SNI Routing with BIG-IP

How to Troubleshoot SNI

SNI Routing with DNS Lookup

Serverside SNI injection iRule