Forum Discussion

K-Dubb
Mar 12, 2019

SNI

Has anyone tried to use multiple SSL profiles on a VIP with SNI and each profile have different allowed ciphers/protocols? This article indicates that each profile can have different security requirements which I interpret as different allowed ciphers. https://devcentral.f5.com/articles/ssl-profiles-part-7-server-name-indication

However this one states that F5 "recommends" the same ciphers: https://support.f5.com/csp/article/K13452

I had a use case where I had one VIP, and needed certain clients to only have certain ciphers allowed. However, it appears that it is not possible even with SNI. The LTM does not allow you to apply any profile to the VIP where the ciphers don't match. I spoke with our F5 sales engineer and he tested in a lab and came to the same conclusion.

Has anyone found a way around this? Just curious.

3 Replies

  • Set up VIP-targeting-VIP and use a traffic policy.

    The first VIP listens on 443 and has no SSL profiles, SNAT or HTTP profile. It only has a local traffic policy.

    This policy will forward traffic to a targeted VIP (1 VIP per client SSL profile) based on the SNI name in the TLS client hello.

    Per targeted VS you have a client SSL profile with the correct certificate and ciphers, and an HTTP profile.

    Some useful resources:

    https://devcentral.f5.com/articles/lightboard-lessons-vip-targeting-vip

    https://devcentral.f5.com/articles/sni-routing-with-big-ip-31348

  • Hi K-Dubb,

    you have to read the SNI value on the TCP layer by using the TCP::collect and TCP::payload commands before the CLIENTSSL_CLIENTHELLO event gets processed. By doing so you will be able to manually choose a non-SNI-aware SSL profile as you like via SSL::profile XYZ.

    Depending on the detailed requirements it may be sufficient to check if the first collected TCP::payload contains a key included in a given Data-Group. The Data-Group key would be the SNI name and the Data-Group value would be the SSL Profile to become selected. If this approach is not sufficient for your solution, you would need to binary parse the received CLIENTHELLO payload to extract the SNI value more accurately...

    Check out Joel's SNI parsing iRule to get an idea of how to parse the SNI value...

    https://devcentral.f5.com/codeshare/tls-server-name-indication

    Cheers, Kai
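Kai's second option above needs a parser for the raw ClientHello. As an added example (not Kai's, Joel's or F5's code, and written in Python rather than as an iRule so it can be run offline), the following extracts the server_name extension from a TLS ClientHello record and maps it to a profile name through a dict that stands in for the Data-Group. The ClientHello bytes, the hostnames and the profile names are constructed for the example; the hello without extensions shows the "no SNI" path that an old-style (SSLv3-era) hello would take.

```python
import struct

def build_client_hello(hostname=None):
    """Constructed TLS 1.2 ClientHello record; hostname=None omits all extensions."""
    exts = b""
    if hostname is not None:
        name = hostname.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name entry
        sni = struct.pack("!H", len(entry)) + entry             # server_name list
        ext = struct.pack("!HH", 0, len(sni)) + sni             # type 0 = SNI
        exts = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + b"\x00" * 32   # client_version, random (zeros: constructed)
            + b"\x00"                    # session_id length 0
            + b"\x00\x02\x00\x2f"        # cipher_suites: one suite
            + b"\x01\x00"                # compression_methods: null
            + exts)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body      # ClientHello header
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs    # TLS record header

def extract_sni(payload):
    """Return the SNI host_name from a raw TLS ClientHello record, else None."""
    try:
        if payload[0] != 0x16:              # not a handshake record
            return None
        rec_len = struct.unpack("!H", payload[3:5])[0]
        hs = payload[5:5 + rec_len]
        if hs[0] != 0x01:                   # not a ClientHello
            return None
        pos = 4 + 2 + 32                    # skip header, version, random
        pos += 1 + hs[pos]                  # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hs[pos]                  # compression_methods
        if pos + 2 > len(hs):               # no extensions at all (old-style hello)
            return None
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0:                  # server_name: list len(2), type(1), len(2), name
                name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
                return hs[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                # truncated or malformed: treat as no SNI
    return None

# Stand-in for the Data-Group Kai describes: SNI name -> client SSL profile (constructed)
PROFILE_BY_SNI = {"abc.domain.com": "clientssl_strict", "old.domain.com": "clientssl_legacy"}

def select_profile(payload, default="clientssl_default"):
    return PROFILE_BY_SNI.get(extract_sni(payload) or "", default)
```

A hello with no SNI (or one that is not TLS at all) falls through to the default profile, which is the case to decide deliberately when the strict profile is meant to be the safe choice.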

  • K-Dubb

    What if instead of trying to do a different profile, I used the existing profile/VIP and wrote a policy to reset traffic if a certain protocol is used for a certain server name? Basically:

    Match all the following conditions
    SSL Extension server name is abc.domain.com at ssl client hello
    client ssl protocol is SSLv3 at request time
    Do the following:
    Reset traffic
    

    So if a request comes in for abc.domain.com attempting with SSLv3, reset it. All other hosts would be allowed. Thoughts?

    Edit: I might have to use HTTP Host instead if the protocol does not support SNI.

    Edit 2: I did test this and it does reset the connection once there is a GET request. It does however still show up in an SSL Scan as expected.